WINTRUST FINANCIAL CORP - (WTFC)
10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
Like every major financial services institution, Wintrust faces significant and persistent cybersecurity risks. Whether in the form of data theft, ransomware, phishing, denial of service, or third-party vendor incidents, threat actors continue to become more sophisticated and escalate their efforts against financial institutions. At Wintrust, the Board of Directors and executive management are committed to devoting the necessary resources to monitoring, detecting, preventing and mitigating cyber risk. As a regulated financial institution, we are required to comply with various regulations applicable to cybersecurity, as well as guidance issued by our regulators, and our cybersecurity program closely tracks those requirements. Additionally, Wintrust leverages global cybersecurity standards as general guides, including the National Institute of Standards and Technology Cybersecurity Framework and the International Organization for Standardization 27001 Information Security Management System Requirements.
Cybersecurity oversight begins with the Information Technology & Information Security Committee (“IT/IS Committee”) of the Wintrust Board of Directors. The Wintrust Chief Security Officer (“CSO”) and Deputy Chief Information Security Officer (“Deputy CISO”) oversee the cybersecurity program. The CSO has a dual reporting structure, reporting to both the IT/IS Committee and the Vice Chairman/Chief Operating Officer of Wintrust. The CSO and Deputy CISO, each with extensive industry experience, manage a team of skilled professionals with cybersecurity expertise. This team governs our cybersecurity program, which follows seven pillars: strategy, prevention, detection, response, measurement, compliance, and training. Our cybersecurity program employs a wide range of technological, administrative, and physical security measures designed to address the confidentiality, integrity, and availability of the information and data of both Wintrust and our customers. We have established policies, processes and procedures to monitor, report and respond to suspected or actual security events. A critical function of the cybersecurity program is the Security Operations Center, which constantly monitors Wintrust systems to detect threats. If any credible threats are detected, the Security Operations Center notifies both the CSO and Deputy CISO, and the appropriate response plan is initiated. The CSO will advise executive management and other relevant stakeholders as necessary. We coordinate with our third parties and vendor partners through assessments and due diligence before sharing data or allowing them to host it. We also work with our outside partners to investigate security events that may have impacted our confidential and other information, and to leverage lessons learned during those investigations.
In addition, we contractually require our third-party service providers that possess or process any Wintrust or customer information to adhere to certain security requirements, controls and responsibilities based on the risk profile of the relationship.
Wintrust also recognizes that individual employees are frequent targets of threat actors. We regularly engage with employees on the importance of protecting the information and data of Wintrust, our customers and employees through monthly newsletters, posters and ad-hoc communications. If specific threats are identified, management may communicate those threats directly to employees for heightened awareness. Our cybersecurity program requires employees to review information security and privacy policies annually, complete multiple cybersecurity training courses throughout the year, and participate in monthly mock phishing campaigns. We also communicate with our customers about their role in enhancing cybersecurity.
Governance
In addition to our dedicated cybersecurity team, Wintrust’s approach to cybersecurity is supported by dedicated risk management and internal audit teams. Our governance program maintains policies and standards, which are validated through risk-based assessments, reviews and testing. The CSO reports at regular intervals to the Wintrust Enterprise Risk Management Committee, the IT/IS Committee, and the Audit Committee of the Wintrust Board of Directors, as well as to the full Wintrust Board of Directors, as necessary. The Audit Committee performs an annual review of our cybersecurity program, which includes a discussion of management’s actions to identify and detect threats and of incident plans for response and recovery situations. The Audit Committee’s annual review also covers recent enhancements to the cybersecurity program and management’s progress on its cybersecurity strategic roadmap. In addition, the full Board of Directors receives quarterly cybersecurity reports, which include a review of key performance indicators, test results and related remediation, and an overview of recent threats and how the Company is managing those threats. For more information on the material risks that cybersecurity threats pose to us, please see our risk factor disclosures under Item 1A of this Annual Report on Form 10-K.
Notwithstanding the extensive approach we take to cybersecurity, Wintrust continues to face risks and accompanying threats that could have a material adverse effect on the enterprise. We work to manage these risks and threats on a daily basis. To date, we have not realized any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect, us, our business strategy, results of operations or financial condition. We continue to invest in our cybersecurity program and the resiliency of our networks, and we work to enhance our internal controls.