EAST WEST BANCORP INC - (EWBC)
10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
The Company maintains an Information Security Program to support the management of cybersecurity risk as an integral component of the Company’s ERM framework. The Information Security Program encompasses the Company’s cybersecurity policies and practices, which focus on prevention, detection, mitigation and recovery from cybersecurity incidents. In addition, as part of the Information Security Program, the Company has a Security Incident Response Policy and Plan to enable a coordinated response to protect the integrity, security and resiliency of the Company’s information systems, to mitigate the risk of cybersecurity incidents and to escalate information regarding certain cybersecurity incidents to the appropriate management personnel and Board members in a timely fashion. The Information Security Program follows established industry frameworks, including the National Institute of Standards and Technology Cybersecurity Framework, and standards set by the relevant legal and regulatory authorities.
The Board’s Risk Oversight Committee has primary oversight responsibility for management’s efforts to mitigate cybersecurity risk and respond to cybersecurity incidents. The Risk Oversight Committee receives quarterly cybersecurity reports, including any reportable incidents, and reviews and approves the Information Security Program at least annually or whenever significant changes to the program are made. The full Board of Directors also receives quarterly cybersecurity reports. These updates include information regarding management’s ongoing efforts to manage cybersecurity risk and the steps management has taken to address and mitigate the evolving cybersecurity threat environment. The Risk Oversight Committee members are independent directors and have expertise in areas relevant to their responsibilities over cybersecurity, including senior leadership experience in financial services and information technology.
At the management level, the Company has designated the Chief Risk Officer as the Chief Privacy Officer, who has oversight for managing cybersecurity risk. The Chief Privacy Officer coordinates with the Chief Information Security Officer to ensure the Company’s cybersecurity risk profile is managed in a manner consistent with its risk appetite. The Chief Privacy Officer also provides periodic reports to the Board’s Risk Oversight Committee, outlining the overall status of the Company’s Information Security Program and its compliance with regulatory guidelines, and coordinating and reporting on incident response. The Chief Information Security Officer is responsible for the day-to-day management of the Information Security Program and Security Incident Response Policy and Plan. The Chief Privacy Officer has held various leadership roles at the bank, including over 13 years previously serving as the Company’s Chief Financial Officer. The Chief Information Security Officer has over 20 years of work experience in cybersecurity at financial institutions.
The Information Security Program is supported by three lines of defense. The Information Security Team is the first line of defense under the Chief Information Security Officer and provides the day-to-day cybersecurity operations including identification and reporting of internal and external threats, access control, data security, protective controls, detection of malicious or unauthorized activity, incident response, recovery planning, performing vulnerability and third-party information security assessments, and employee awareness and training programs. In addition, the Information Security Team works in coordination with the individual business lines that have direct and primary responsibility and accountability for identifying, controlling and monitoring cybersecurity risk embedded in their business activities. The Information Security Team uses reputable industry service providers for security operations, monitoring, investigation and incident response. The internal Information Risk Management team conducts periodic assessments in collaboration with consulting services with expertise in the cybersecurity domains. Furthermore, the Third Party Risk Management Team, in conjunction with the Information Security Team, oversees, identifies, monitors, investigates and addresses material risks from cybersecurity threats associated with the Company’s use of third-party service providers. As the second line of defense, the ERM Team under the Chief Privacy Officer independently monitors cybersecurity risk across the Company, the effectiveness of the Information Security Program, and third-party vendors’ vulnerability and penetration tests against the Company’s network. The ERM Team reports the status of the annual assessment of the effectiveness of the Information Security Program to the Chief Privacy Officer, who reports to the Board’s Risk Oversight Committee.
When applicable, the Company obtains Statement on Standards for Attestation Engagement 18 reports or equivalent reports for vendor products and services hosted by third parties. Internal Audit serves as the third line of defense and provides additional independent assurance and evaluates the effectiveness of cybersecurity risk management.
In addition, the Company uses several internal training methods, including annual mandatory courses on security and privacy for all employees, multiple simulated phishing attacks, and information security awareness materials provided regularly throughout the year. The Company also maintains cybersecurity insurance. To date, the Company has not experienced cybersecurity incidents that have materially affected its business strategy, results of operations or financial condition. For additional information regarding cybersecurity threats, please refer to Item 1, Business – Supervision and Regulation – Privacy and Cybersecurity and Item 1A, Risk Factors – Risks Related to Our Operations.