WSFS FINANCIAL CORP - (WSFS)

10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
The Company maintains an Information Security Program to safeguard all WSFS information assets against unauthorized use, disclosure, modification, damage, or loss. Information Security, working with Operations, Technology, and Executive Leadership, provides and maintains security processes and procedures pursuant to which the Company will:
Ensure the security and confidentiality of customer and bank records covered by law.
Protect against any anticipated threats or hazards to the security of such records.
Protect against the unauthorized access or use of such records or information in ways that could result in substantial harm to the Company, our Customers, and Associates.
Establish guidelines and practices for ensuring Information Technology compliance with external and regulatory requirements.
Ensure proper and effective Business Continuity and Disaster Recovery programs are implemented and tested.
The Company's Chief Information Security Officer (CISO) is designated as the program coordinator responsible for coordinating and overseeing the program.
Our Information Security Department performs annual risk assessments to evaluate the effectiveness of the controls set forth in the Information Security Program and to support the requirements of the Gramm-Leach-Bliley Act (GLBA) and the Federal Financial Institutions Examination Council (FFIEC) guidance on securing customer information. The focus areas include:
the technology systems used for information that is collected, processed and stored;
assessing internal and external cybersecurity threats and vulnerabilities;
performing regular penetration and controls testing;
evaluating and assessing the impact should the information or systems become compromised;
evaluating the effectiveness of the governance structure for information security risk management.
Internal and external penetration testing is performed annually by third-party auditors contracted through the Company's Risk Management Department. Tests are conducted or reviewed by independent third parties or by qualified Associates who are independent of those who develop or maintain the security program. Management reviews test results promptly and ensures that appropriate steps are taken to address adverse findings. Remediation efforts are documented and made available to the Risk Committee of the Board of Directors (Risk Committee) as well as for review by third-party auditors and examiners.
The Company has implemented a Cybersecurity Incident Response Plan (CSIRP), which is integrated into its Master Business Continuity Plan, to identify, assess and respond to cybersecurity threats. The CSIRP provides a well-defined, consistent, and organized approach to information security related incidents and is supplemented by playbooks designed to respond to specific attacks. The CSIRP requires approval by the Executive Leadership Team under the Cybersecurity Committee and is governed by the Continuity of Operations Policy that is approved annually by the Board of Directors.
The Company is not aware of any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company's business strategy, results of operations or financial condition.
Governance
Our Information Security Policy and Information Security Program are the standards used to protect the Bank’s confidential information. The Information Security Policy is annually reviewed, updated, and approved by the Risk Committee and the Board of Directors.
The CISO reports security related incidents, findings, changes, etc. to the Risk Committee, on an annual basis or quarterly as needed. This information is communicated through the Company's Risk Department. The CISO has more than 25 years of experience in the information security field, including 20 years at WSFS, and holds several professional certifications and memberships in the Information Security, IT, and financial services fields.
The Board and Senior Management are charged with the ultimate responsibility for understanding the Company's risk environment. A Management Risk Committee, chaired by our Chief Risk Officer (CRO), is responsible for overseeing the Company's risk management program on an enterprise-wide basis.
The Company has dedicated incident management and response teams in place to facilitate response protocols and execute the strategies necessary to mitigate business risk and support recovery initiatives. The Incident Management Team structure is based on the Incident Command System and follows a flexible, adaptable approach, with response team membership designed to scale as response needs expand. An Incident Response Task Force (IRTF) oversees the assessment of cybersecurity incidents and operational response needs. The CISO and the Head of Regulatory Affairs/Relations co-lead the IRTF response.
The CSIRP includes a framework for timely reporting of cybersecurity incidents to our Executive Leadership Team. The severity of an incident is based on perceived impacts, including the severity of damage, compromise, or loss, and the probability of further exploitation or escalation. The Chief Information Officer (CIO) and CRO are notified of all incidents determined to be significant based on the perceived impacts of the incident or event. The Chief Executive Officer and Board of Directors are notified of these incidents by the CIO and CRO as necessary.
For further information on risks to the Company from cybersecurity threats, see "System failure or cybersecurity breaches of our network security could subject us to increased operating costs as well as litigation and other potential losses" under Item 1A. Risk Factors.