UNITED BANKSHARES INC/WV - (UBSI)

10-K Filing Date: February 29, 2024
Item 1C.

CYBERSECURITY

Risk Management and Strategy

In the ordinary course of business, United relies on electronic communications and information systems to conduct its operations and to store sensitive data. United employs an in-depth, layered, defensive approach that leverages people, processes and technology to manage and maintain cybersecurity controls. United employs a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected advanced persistent threats. Notwithstanding the strength of its defensive measures, the threat from cyber-attacks is severe, attacks are sophisticated and increasing in volume, and attackers respond rapidly to changes in defensive measures. While to date, United and United Bank have not experienced a material compromise, material data loss or any material financial losses related to cybersecurity attacks, United’s systems and those of its customers and third-party service providers are under constant threat and it is possible that United could experience a significant event in the future.

United recognizes the critical importance of cybersecurity in our business operations. Our cybersecurity processes are fully integrated into our overall risk management system and processes. We believe that effective management of cybersecurity risks is integral to the protection of our assets, reputation, and the trust of our stakeholders. Our proactive approach to cybersecurity involves numerous processes, including regular risk assessments, employee training, incident response planning and testing, and continuous improvement in our cybersecurity practices. To ensure the robustness of our cybersecurity processes, we engage qualified assessors, consultants, and auditors on a periodic basis. These experts evaluate the effectiveness of our cybersecurity controls, identify vulnerabilities, and recommend improvements. We maintain ongoing relationships with reputable third-party firms specializing in cybersecurity to assess our systems, conduct penetration testing, and audit our processes for compliance with industry standards and regulations.

United recognizes the inherent cybersecurity risks associated with third-party service providers. To manage these risks, we have implemented processes to oversee and identify material risks from cybersecurity threats linked to our use of third-party service providers. These processes include due diligence assessments, contractual provisions, and ongoing monitoring of our service providers’ cybersecurity practices. We continually assess the cybersecurity measures of our service providers to ensure they align with our own security standards and requirements.

We do not currently believe that any current cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected, or are reasonably likely to materially affect, United, including its business strategy, results of operations or financial condition. However, risks and exposures related to cybersecurity attacks, including litigation and enforcement risks, are expected to be elevated for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of Internet banking, mobile banking and other technology-based products and services by United and its customers. See Item 1A. Risk Factors for a further discussion of risk related to cybersecurity.

Governance

The Board of Directors’ risk management oversight is provided primarily by the Board Risk Committee. The Risk Committee oversees the Company’s Enterprise Risk Management Program and the processes established to identify, measure, manage and monitor United’s significant financial and other risk exposures. In particular, the Risk Committee is responsible for oversight of information security, including cybersecurity, vendor management, and business continuity planning. The Risk Committee periodically reviews management’s strategies and policies for assessing and managing risk, including, but not limited to, the approval of the overall risk appetite and review of the risk management structure.

At the management level, the responsibility for oversight of the risk management function lies with the Chief Risk & Information Officer. The Chief Risk & Information Officer (“CIRO”) is an executive officer of the Company who reports directly to the Chief Executive Officer. The CIRO provides regular risk management reports to the Risk Committee and the full Board of Directors, as well as at meetings of the independent directors.

The management of the Company’s cybersecurity team has over 100 years of combined industry experience, holds numerous certifications, and is regularly trained through continuing professional education. Information security, and specifically cybersecurity, is formally discussed quarterly at the Governance Steering Committee (“GSC”). The GSC is comprised of executive management, IT internal audit, digital banking leadership, and United’s Chief Information Security Officer (“CISO”). The activities of the GSC are reported quarterly to the Board Risk Committee.

The CISO is responsible for leading and coordinating our daily cybersecurity efforts, including leading a team of qualified individuals with significant relevant experience and certifications. In addition, United’s CISO has served in various roles in Operations, Physical Security, Fraud Investigations, and Information Security for over 24 years with United. The CISO holds a Bachelor of Science in Criminal Justice and has led the Information Security department since 2014. The Information Security and IT Security teams stay up to date on industry best practices, participate in industry threat intelligence feeds, and maintain multiple professional certifications in the areas of privacy and security.

The Information Security department is integrated with vendor management, business continuity planning, disaster recovery, and incident response. Additionally, we have a formal cybersecurity program based on the NIST CSF (“National Institute of Standards and Technology Cybersecurity Framework”) and the CIS (“Center for Internet Security”) Benchmarks that identifies and assesses cybersecurity risks. We deploy a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity. All employees have a responsibility to report suspected or verified incidents to the Information Security department and/or the CISO, and all employees are trained annually regarding the identification and reporting of incidents. The CISO maintains a centralized record of all incidents and reports on these quarterly to the GSC and the Board Risk Committee. The CIRO is also immediately notified of any incident that exceeds pre-defined thresholds.
