PROVIDENT FINANCIAL SERVICES INC - (PFS)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
Cybersecurity risk management and strategy

Our risk management program is designed to identify, assess, and mitigate risks across various aspects of the Company, including financial, operational, regulatory, reputational, and legal risks. This includes cybersecurity, a critical component of our broader enterprise risk management program given the increasing reliance on technology by customers, vendors, agents, and our own employees and the ever-evolving risk of cyber threats. Our Chief Information Security Officer leads the Information Security team that administers the Company's information security program, which covers cybersecurity risk. The Chief Information Security Officer reports to the Chief Digital & Innovation Officer and works alongside the Chief Risk Officer, who provides an effective second line of defense on technological and security risk management. Our cybersecurity program aims to address risks through a cross-functional approach that focuses on confidentiality, security, and availability of information vital to protecting our customers, employees, stakeholders, and the Company as a whole.

Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt, or misuse our critical systems or gain unauthorized access to sensitive information. The structure of our information security program is designed to address applicable laws, regulatory guidance, and industry best practices, including Section 501(b) of the Gramm-Leach-Bliley Act and its implementing regulations, the Federal Financial Institutions Examination Council (“FFIEC”) Information Technology Examination Handbook, FFIEC Business Continuity Planning Handbook, FFIEC Cybersecurity Assessment Tool, and the Center for Internet Security Critical Security Controls. In addition, we leverage certain industry and government associations, vendors, third-party benchmarking, audits, and threat intelligence feeds to facilitate and promote program effectiveness. Our Chief Information Security Officer, Chief Digital & Innovation Officer, and our Chief Risk Officer, along with key members of their teams, regularly collaborate with peer banks, industry groups, and policymakers to discuss cybersecurity trends, issues, and emerging risks and identify best practices.

We employ a "defense in depth" methodology, which focuses on protecting information systems, products and services by deploying multiple layers of security controls in order to mitigate risks. We leverage human capital, customer input, responsive processes, and effective technology as part of our efforts to manage and maintain cybersecurity controls, data access standards, risk management standards, and encryption standards. We also employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. We have established processes and systems designed to mitigate cybersecurity risk, including an acceptable-use policy and terms of acceptance that all employees must review and abide by, regular and ongoing education and training for employees, information notices, and recovery and resilience tests. We engage in regular assessments of our infrastructure, software systems, network architecture, and data repositories, using internal cybersecurity experts and external specialists and vendors. We require critical third-party vendors to establish incident response and reporting to our information security team and to maintain business continuity plans. We also actively monitor our e-mail gateways for malicious phishing email campaigns and monitor remote connections, as a significant portion of our workforce has the option to work remotely. Remote workers are required to log in to our network through a secure virtual private network with password and multi-factor authentication in order to minimize security risks while working outside the office. The Information Security Department consistently identifies vulnerabilities with our systems, implements protective updates and patches, and monitors the status of remediation efforts. Regular reports on these activities are provided to management committees to ensure transparency and oversight of our cybersecurity practices.

We maintain a Corporate Incident Response Plan (“CIRP”) that provides a documented set of protocols for responding to actual or potential cybersecurity incidents, including timely detection and analysis, containment and elimination, and recovery and improvement following an incident. The CIRP provides for notification of appropriate information breach or cybersecurity incidents and escalation to the Company's appointed Incident Management Team, which would be composed of an Incident Response Lead and team members from information technology, information security, enterprise risk management, corporate security, compliance, and legal teams, among others. The Incident Management Team would leverage the expertise of team members to work together to respond to the incident and take appropriate measures. The Senior Risk Committee would oversee the team and receive quarterly reporting on the incident and any relevant updates. The CIRP is coordinated through Incident Management Teams that involve the Bank’s Incident Management Lead, Chief Digital & Innovation Officer, Chief Information Security Officer, and other key departments. The CIRP facilitates coordination across multiple parts of our organization and is evaluated by the Chief Risk Officer and legal department at least annually.

Board and management governance

Our Chief Information Security Officer is accountable for managing our enterprise information security department and administering our information security program. The responsibilities of this department include cybersecurity risk assessment, defense operations, incident response, vulnerability assessment, threat intelligence, identity governance administration, third-party risk management, and business resilience to ensure confidentiality, availability, and integrity of technological assets, as well as maintenance of policies, procedures, and standards. The foregoing responsibilities are covered on a day-to-day basis by a first line of defense function, and our second line of defense function, including the Chief Information Security Officer and Chief Risk Officer, provides guidance, oversight, monitoring and challenge of the first line’s activities. The second line of defense function is separated from the first line of defense function through organizational structure and ultimately reports directly to the Chief Risk Officer. The department as a whole consists of information security professionals with varying degrees of education and experience. Individuals within the department are generally subject to professional education and certification requirements. Our Chief Information Security Officer has substantial relevant expertise and formal training in the areas of information security and cybersecurity risk management.

Our board of directors has approved committees including the Risk Committee, which oversees overall risk management activities and policies including those related to technological and cybersecurity risks, and the Technology Committee, which oversees the Company’s technology strategy and approach to technology-related risks. The Risk and Technology Committees of the board are composed of independent directors and receive regular reports from management, including the Chief Information Security Officer and Chief Risk Officer, on risk management, cybersecurity risks, actions taken to mitigate them, and technology and risk strategies. The Technology Committee reviews and approves our information security and technology budgets, policies, and strategies quarterly. The Risk Committee reviews our technology and cybersecurity risk profile on a regular basis.

The Company has also formed management committees including the Management Risk Committee, which focuses on multiple aspects of risk management including information technology, and the Technology Steering Committee, which focuses on technology and cybersecurity policy within the Bank. These management committees provide oversight and governance of our technology and information security programs. The management committees are chaired by managers within the information technology and information security departments and include the Chief Risk Officer, Chief Information Security Officer, and Chief Digital & Innovation Officer as well as their direct reports and other key departmental managers from throughout the entire company. The management committees meet at least quarterly to provide oversight of key risk management strategies, standards, policies, practices, controls, and mitigation and prevention efforts employed to manage security risks, especially those related to cybersecurity and technology risks. More frequent meetings occur from time to time in accordance with the CIRP in order to facilitate timely informing, monitoring, and response efforts. The Chief Information Security Officer reports summaries of key issues, including significant cybersecurity and/or privacy incidents, discussed at committee meetings and the actions taken to the Technology Steering Committee of the board on a monthly basis (or more frequently as may be required by the CIRP).

Notwithstanding our defensive measures and processes, the threat posed by cyberattacks remains elevated. Our internal systems, processes, and controls are designed to mitigate loss from cyberattacks and, while we have experienced cybersecurity incidents in the past, to date, risks from cybersecurity threats have not to our knowledge materially affected the Company. For further discussion of risks from cybersecurity threats, see the section captioned “Risks Related to Technology and Security” in Item 1A. Risk Factors.