FIRST COMMONWEALTH FINANCIAL CORP /PA/ - (FCF)
10-K Filing Date: February 28, 2024
ITEM 1C. Cybersecurity
Cybersecurity, data privacy, and data protection are critical to our business. In the ordinary course of our business, we collect and store certain confidential information such as personal information of depositors and borrowers and information about our employees, contractors, vendors, and suppliers. We rely heavily on the secure processing, storage, and transmission of sensitive and confidential financial, personal, and other information in our computer systems and networks.
Cybersecurity Governance
Our Board is actively engaged in the oversight of our cybersecurity program. Specifically, the Risk Committee is responsible for overseeing our information security program, including management’s actions to identify, assess, mitigate, and remediate material cyber issues and risks. Our Chief Information Security Officer ("CISO") provides quarterly reports to the Risk Committee regarding information security programs, key enterprise cyber initiatives, and significant cybersecurity and privacy incidents.
Our CISO is part of the risk management function, reporting directly to the Chief Risk Officer, who, in turn, reports directly to our CEO. Various management committees provide oversight of the information security and technology programs. These committees generally meet quarterly, and summaries of key issues discussed and actions taken are provided to the Risk Committee.
Cybersecurity Risk Management and Strategy
We structure our information security program around the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, regulatory guidance, and other industry standards. We leverage industry and government associations, third-party benchmarking, audits, and threat intelligence feeds to promote program effectiveness. Our CISO, along with key members of their team, regularly collaborates with peer banks, industry groups, and policymakers.
We employ an in-depth, layered, defensive strategy with respect to our products, services and technology. We leverage people, processes and technology to manage and maintain cybersecurity controls. We employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected advanced persistent threats.
We have established processes and systems to mitigate cyber risk, including regular education and training, preparedness simulations and tabletop exercises, and recovery and resilience tests. Our processes, systems and controls are reviewed periodically by internal and external auditors, Federal and State bank examiners, and independent external partners to assess design and operating effectiveness. We also maintain information security risk insurance coverage.
We engage third-party security experts to supplement our internal Information Security team as well as for assessments, penetration tests and program enhancements, including vulnerability assessments, security framework maturity assessments and identification of areas for continued focus and improvement. In addition, our third-party experts work with us to conduct cybersecurity tabletop exercises and internal phishing awareness campaigns. We use the findings of these exercises to improve our practices, procedures, and technologies. We also engage third-party security experts to support our cybersecurity threat and incident response management and maintain information security risk insurance coverage.
We engage with a range of external experts, including cybersecurity assessors, consultants, auditors, and legal counsel in evaluating and testing our risk management systems. This enables us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain current.
In the past three years, we have not experienced any material computer data security breaches as a result of a compromise of our information systems, and we are not aware of, and have not experienced, any significant cybersecurity breach or attack that has had a material impact on our business or operating results to date.