WEBSTER FINANCIAL CORP - (WBS)

10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy. The Company has processes for assessing, identifying, and managing material risks from cybersecurity threats, and is committed to the prevention, detection, and timely response to cybersecurity threats that may impact the confidentiality, integrity, and availability of its information systems and information assets.
The Company has an Information Security Risk Management Program and a Technology Risk Management Program under its Risk Management Framework for the identification, assessment, measurement, mitigation, monitoring, and internal reporting of risks associated with its information systems, information assets, and third parties, including vendors and service providers. The Information Security Risk Management Program and Technology Risk Management Program align with the Company’s Third-Party Risk Management Program in regard to protecting information assets.
The Information Security Risk Management Program and Technology Risk Management Program are managed by the Company’s Corporate Information Security team, led by the Chief Information Security Officer. On average, the Corporate Information Security team members have over a decade of cybersecurity experience and hold over 100 industry-leading certifications in cybersecurity. All information security managers have attained a bachelor’s degree in a related field of study, with several also having a related master’s degree.
“Zero trust principles” drive the Company’s information security architecture, and the Company deploys a “defense in-depth” strategy to protect against cybersecurity threats, layering multiple levels of information security and technology controls within business processes for information assets and relationships with third parties based on the National Institute of Standards and Technology Special Publication 800-53 Framework. The Company’s information systems and risk management are also subject to regulatory requirements and examination by federal banking regulators.
The identification of control weaknesses and vulnerabilities affecting information assets and/or relationships with third parties allows the Company to mitigate risk from, and respond to, cybersecurity threats. Initial risk assessments are performed upon the acquisition, or as part of the development of, information assets in order to evaluate the inherent risk associated with network and host environments and assess the adequacy of implemented technology operation processes and controls. Risk and control self-assessments are conducted on an annual basis to identify gaps resulting from any process changes that occurred during the year, and to evaluate whether the levels of cybersecurity risk remain within the tolerance set in the Company’s Risk Appetite Statement or whether a risk needs to be mitigated.
Due diligence is performed prior to onboarding all third parties with access to the Company’s information assets to ensure such parties maintain security controls contractually required by the Company as part of its Third Party Risk Management Program. The Company provides ongoing monitoring, including cybersecurity maturity assessments, of third parties using a risk-based approach to determine the extent and frequency of periodic assessments. Semi-annual cybersecurity maturity assessments are conducted by the Company’s Corporate Information Security team on its information systems using industry-standard guidelines and tools, including the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool and the Center for Internet Security Critical Security Controls.
Because cybersecurity threats continue to evolve, thereby increasing inherent risk, the Company’s Corporate Information Security team is augmented by contracted external managed security service providers, who collectively work 24/7 to monitor cybersecurity threats through processes such as endpoint and network security, email protection, data loss prevention, vulnerability scanning and mitigation, identity and access management, logging and monitoring, and threat hunting. Independent third parties test the Company’s cyber capabilities and audit its cloud security. The Company regularly tests its systems to discover and address any potential vulnerabilities. Senior and Executive management also participate in cybersecurity industry collaboration and information-sharing forums and utilize the information gained to drive protective and detective cybersecurity strategies and tactics.
The Company requires its employees (including contractors and other third parties, for training purposes) to complete information security education and training at the time of hire and annually thereafter, designed to mitigate accidental information security incidents. Phishing simulation activities are regularly conducted to assess employees’ competency at identifying potential threats. Employees who fail to identify simulated phishing emails after the initial training are assigned incremental training requirements.
The Company’s Corporate Information Security team members are also responsible for completing additional mandatory annual training to understand the processes, procedures, and technical requirements for securing information assets across the enterprise. The Company also offers ongoing practice and specialized education for Corporate Information Security team members to stay up to date with emerging trends in cybersecurity threat protection, detection, and response.
The Information Security Management Program sets forth enterprise-wide coordinated responses to identified threats, ensuring timely mitigation and remediation, and facilitating awareness and communication. Tabletop exercises are held regularly at the Senior and Executive management levels, and annually at the Board of Directors level, to validate roles, responsibilities, and response protocols specific to cybersecurity threats.
Employees, contractors, and third parties are required to immediately report any suspected cybersecurity threats to the Corporate Information Security team for triage. Any threat assessed by the Corporate Information Security team that could impact the safety of customers or personnel, cause damage to, or threaten the confidentiality, integrity, or availability of information assets, or bring about significant business interruption, is escalated for further assessment. In the event that the Chief Information Security Officer, in consultation with the Company’s Legal and Compliance teams, determines that a material cybersecurity incident has occurred, a dedicated Crisis Incident Response Team composed of individuals from various departments across the organization is assigned to coordinate all planned cybersecurity incident-related response activities. The Company will engage third-party specialists to assist in any cybersecurity incident investigation, as needed.
Cybersecurity threats that are identified and deemed material are escalated and communicated directly to Senior and Executive Management and the Risk Committee of the Board of Directors. Materiality determinations are made under the Company's Disclosure Controls and Procedures to ensure timely cybersecurity incident disclosure notification in accordance with securities laws and/or regulations.
Material Cybersecurity Threat Risks. The Company has not experienced any material losses relating to cybersecurity threats or incidents for the year ended December 31, 2023. However, it is possible that the Company could suffer such losses in the future. Information regarding risks from material cybersecurity threats can be found under the section captioned "Information Risk" contained in Item 1A. Risk Factors.
Governance. Oversight of information security risk and information technology risk is the operational responsibility of the Information Risk Committee, which is a management committee, with additional oversight from the Enterprise Risk Management Committee, which is also a management committee, and the Risk Committee of the Board of Directors.
Additional information regarding the Company’s risk management framework, including management-level and Board-level committee experience and expertise, oversight responsibilities, and information risk governance, can be found under the section captioned “Risk Management Framework” contained in Item 1. Business.