FIFTH THIRD BANCORP - (FITB)
10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
The Bancorp recognizes the importance of maintaining a cybersecurity risk management system designed to reduce the risks that cybersecurity threats pose to financial institutions. As such, the Bancorp has adopted proactive and defensive safeguards intended to better protect the Bancorp’s information assets and supporting infrastructures from technology-related attacks. The Bancorp’s Board of Directors and management oversee its information security and cybersecurity risk management programs. As further discussed below, the Bancorp has established various programs, policies and procedures which are designed to proactively protect information assets. However, not all incidents can be prevented. As a result, the Bancorp has also established various policies and procedures governing how to respond to security incidents, with the objective of minimizing any potential impacts. As of December 31, 2023, the Bancorp is not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect Fifth Third, including its business strategies, results of operations or financial condition.
Risk Assessment and Management
The Bancorp maintains a variety of programs and policies to support the management of cybersecurity risk within the organization with a focus on prevention, detection and recovery processes. These programs and policies leverage frameworks and controls from the National Institute of Standards and Technology as well as various other regulatory requirements and industry-specific standards. The Bancorp also participates in the federally recognized Financial Services Information Sharing and Analysis Center and requires its employees and contractors to complete various education and training programs related to information security.
The Bancorp’s Information Technology (IT) and Information Security (IS) teams have the primary responsibility for establishing appropriate policies and procedures that are responsive to cybersecurity threats and other information security risks. The Bancorp’s Information Technology and Cybersecurity Risk Management (IT CSRM) team, as part of the Bancorp’s Risk Management division, provides independent risk management oversight to those IT and IS teams. In addition to the Board oversight discussed below, the Bancorp’s Internal Audit function independently oversees, reviews and validates these activities and reports to the Board of Directors on the effectiveness of governance, risk management and internal controls.
The Bancorp has established an Enterprise Risk Management Framework which informs the Bancorp’s risk management programs. As part of this framework, the IT CSRM team maintains the Bancorp’s IT CSRM Program, which is designed to identify, assess, manage, monitor, and report cybersecurity risks as part of the Bancorp’s independent risk management function. The IT CSRM team is responsible for defining the risk management practices set forth in the IT CSRM Program. Refer to the Risk Management – Overview section of Item 7 (Management’s Discussion and Analysis of Financial Condition and Results of Operations) of this Annual Report for additional information on the Bancorp’s Enterprise Risk Management Framework and related risk management processes.
In light of the complexity and evolving nature of the cybersecurity landscape, the Bancorp periodically re-assesses the maturity of its cybersecurity programs, policies and procedures, including in some instances by engaging the assistance of external experts. The Bancorp also conducts exercises to test its incident response plans and threat assessments, some of which also involve assistance from external consultants.
The Bancorp also maintains a Third Party Risk Management Program to perform similar functions related to risks associated with the Bancorp’s relationships with third parties. This assists the Bancorp in its management of its relationships with third parties, which includes considerations for identifying, analyzing and monitoring the cybersecurity risks that third parties may present to Fifth Third. The Bancorp also maintains a third-party incident response program to govern its response in the event of third-party cybersecurity events.
Board of Directors Oversight
The Technology Committee of the Bancorp’s Board of Directors takes primary responsibility for overseeing the Bancorp’s information security programs at the Board level. The Technology Committee’s primary purpose is to assist the Board of Directors in its oversight of plans and operations related to information technology, cybersecurity, data privacy and third-party technology strategy.
The Bancorp’s Risk and Compliance Committee of the Board of Directors oversees the Bancorp’s Enterprise Risk Management Framework and policies, including oversight of risks related to information security. The Risk and Compliance Committee receives periodic reports from the Technology Committee and these committees meet jointly at least once per year to discuss the Company’s programs and risks.
The full Board of Directors receives reports from the Technology Committee and the Risk and Compliance Committee about the Bancorp’s cybersecurity programs as a result of the above-described oversight. In the event of a material cybersecurity incident, the Bancorp’s incident response procedures include notifications to the Technology Committee, Risk and Compliance Committee and full Board of Directors, when appropriate and necessary.
Management Oversight
The Bancorp’s Information Security Governance Committee (ISGC) is a management committee that reviews and discusses critical information security risks that impact the Bancorp, identifies solutions to address these risks and has oversight of the Bancorp’s information technology and information security policies. The ISGC provides cybersecurity reports periodically to the Risk and Compliance Committee and is comprised of the Bancorp’s senior information security, information technology and enterprise risk management leaders, including the Chief Information Security Officer (CISO), Chief Information Officer, Chief Technology Officer, Chief Data Officer and Chief Operational Risk Officer.
The Bancorp’s CISO is responsible for information security policies and the coordination of information security efforts across the organization. The CISO has over 35 years of diverse experience in information technology management and cybersecurity leadership at Fifth Third and at other large, complex organizations. This prior experience includes leadership of functions for cybersecurity threat management, intelligence, risk mitigation and incident response. The CISO has a Bachelor of Science degree in Computer and Information Science and is a certified Six Sigma Black Belt. The Bancorp’s CISO reports to the Chief Information Officer. The CISO also reports directly to the Technology Committee and participates in various management councils and committees. The Bancorp’s IT CSRM team monitors that the CISO has appropriate authority to carry out the duties and responsibilities necessary for that position.
The CISO remains informed about developments in cybersecurity, including potential threats and emerging risk management techniques, reporting such information to the Chief Information Officer and Technology Committee periodically. The CISO implements and oversees processes for the regular monitoring of information systems. This includes the deployment of advanced security measures and system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the CISO is equipped with a well-defined incident response plan. This plan includes immediate actions designed to mitigate the impact of any incident, and long-term strategies for remediation and prevention of future incidents.