FNB CORP/PA/ - (FNB)
10-K Filing Date: February 26, 2024
ITEM 1C. CYBERSECURITY
The Information Security Department reports to the Chief Information Security Officer, who in turn reports directly to the Chief Risk Officer, to ensure the coordinated and consistent implementation of risk management initiatives and strategies on a day-to-day basis. Results of the information and cybersecurity efforts, along with recommendations, are reported to the Risk Management Council no less than quarterly and are then shared with the Board Risk Committee. The Board Risk Committee is primarily responsible for overseeing risk management, including risks associated with cybersecurity and potential threats thereto. Our management is directly involved in assessing and managing cybersecurity risks. As noted, we employ a Chief Risk Officer, along with information security personnel in our Information Security Department. The Chief Risk Officer regularly reports to our Risk Management Council, which is comprised of our senior leadership. See the “Risk Management” section of the MD&A for an overview of our risk management framework.
The Information Security Department uses the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) for improving critical infrastructure cybersecurity to measure and evaluate the effectiveness of information and cybersecurity controls. We have various processes for risk assessment, vulnerability management, threat management, independent penetration testing, security architecture, access management, network security management, security event monitoring and security awareness. Certain processes involve the use of third parties. A summary of each process is below.
Risk Assessment Process. On an annual basis, a risk assessment and maturity analysis is performed for the FNB environment based on the NIST CSF. The risk assessment takes into consideration a combination of risks related to the identification, prevention, detection, response, and recovery from cyber events. The risk assessment considers the inherent risk and the controls implemented in the FNB environment and measures the residual risk to ensure it is within the FNB risk tolerance.
Vulnerability Management Process. Regular internal and external vulnerability scanning is conducted at varying intervals to proactively identify configuration weaknesses, missing patches and other vulnerabilities in the FNB information systems environment. Identified vulnerabilities are classified and scored based on their Common Vulnerability Scoring System (CVSS) score, known exploitation or malware targeting the vulnerability, and how long the vulnerability has been present in the environment. We prioritize the patching of critical and severe vulnerabilities.
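As an added illustration of the three prioritization factors described above (not FNB's own scoring logic, which the filing does not disclose), the following Python ranks constructed scan findings by CVSS severity band, known exploitation and age in the environment; the weights, the 90-day aging cap and the sample findings are assumed.

```python
"""Vulnerability triage scorer (illustrative; the weights are assumed, not FNB's)."""
from dataclasses import dataclass


def cvss_severity(score: float) -> str:
    """Qualitative severity bands as defined in the CVSS v3.1 specification."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str            # identifier as reported by the scanner
    cvss: float
    known_exploited: bool   # e.g. flagged by a threat-intel feed as actively exploited
    days_open: int          # age of the finding in the environment


def priority(f: Finding) -> float:
    """Assumed weighting: CVSS dominates, known exploitation adds a fixed +3,
    and age adds up to +2 (capped at 90 days) so old findings do not stay buried."""
    score = f.cvss
    if f.known_exploited:
        score += 3.0
    score += min(f.days_open, 90) / 45.0   # contributes 0.0 .. 2.0
    return round(score, 2)


def patch_queue(findings: list[Finding]) -> list[Finding]:
    """Critical and high findings (CVSS >= 7.0) are patched first; within each
    group, order by the composite priority, highest first."""
    urgent = [f for f in findings if cvss_severity(f.cvss) in ("critical", "high")]
    rest = [f for f in findings if f not in urgent]
    return sorted(urgent, key=priority, reverse=True) + sorted(rest, key=priority, reverse=True)


# Constructed sample findings; hosts and identifiers are placeholders, not real data.
SAMPLE = [
    Finding("web-01", "FINDING-1", 9.8, False, 3),
    Finding("db-02", "FINDING-2", 7.5, True, 10),
    Finding("ws-17", "FINDING-3", 5.3, False, 120),
    Finding("ws-18", "FINDING-4", 3.1, True, 200),
]
```

Note that the exploited low-severity finding on ws-18 outranks the medium one on ws-17 within the non-urgent group, but neither jumps ahead of the critical/high group, matching the stated policy of patching critical and severe issues first.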
Threat Management Process. In addition to the regular and routine vulnerability scanning, FNB relies on various threat intelligence feeds for the identification and awareness of potential threats that could impact the FNB environment. With the assistance of third-party vendors, threat intelligence is integrated into our monitoring solutions, email filtering, web-browsing controls, malware detection, and perimeter firewalls to proactively prevent, detect and deter threats with the capability to impact the FNB environment.
Independent Penetration Testing. On an annual basis, we engage an independent third-party provider to perform various penetration tests of the environment. The penetration tests examine our customer-facing applications, how we respond to social engineering activities, our overall external attack surface, and internal vulnerabilities. Issues identified by the penetration tests are tracked and escalated to ensure appropriate remediation occurs before closure.
Security Architecture. To ensure the secure configuration, design, and implementation of our internally hosted and third-party hosted systems, security architecture reviews are conducted. Each architecture review entails a series of questions that are reviewed with internal IT and third-party vendor contacts to ensure the implementation meets our policies, is configured with strong security practices, and utilizes appropriate access controls.
Access Management. Utilizing a least-privilege, need-to-know access methodology, access is controlled through a centralized user access management function responsible for the provisioning, transfer and deprovisioning of users’ access. Access management also performs routine reviews of application and system access to ensure access remains appropriate. For third-party hosted environments, access management works with security architecture to ensure that single sign-on controls are employed or that additional authentication factors are utilized to prevent unauthorized access to these environments.
Network Security Management. The security of the FNB network infrastructure is maintained via
•internal and perimeter firewalls with intrusion detection,
•network segmentation to isolate access to certain applications and systems,
•virtual local area networks (VLANs),
•email filtering to identify spam, malware, and phishing messages in received email,
•malware detection,
•data loss prevention controls to prevent the theft or mass exfiltration of data,
•virtual private networks (VPNs) to control remote access to our network,
•intrusion detection capabilities,
•network access control (NAC) to prevent unauthorized assets from connecting to the network, and
•web filtering.
Security Event Monitoring. A centralized security monitoring team is responsible for responding to alerts generated by a consolidated log collection system. Logs are collected from various assets and hosted environments. The monitoring tool is a third-party-provided security information and event management (SIEM) system that enables threat identification, detects suspicious activity in the environment using the MITRE ATT&CK® framework, performs user behavior analytics, and provides endpoint detection and response. Alerts are investigated to ascertain whether a cyber incident is occurring.
Security Awareness. Annual continuing-education training is conducted for all employees. Phishing tests are administered routinely. We also post articles on our intranet about common attack schemes to raise our employees’ awareness.
We have a Vendor Management department that has established policies and procedures to follow when utilizing external third parties. Third-party vendors are thoroughly vetted, approved and inventoried before a partnership begins. Vendor Management ensures key risk components are mitigated based on acceptable Company standards. Any third parties used in any cybersecurity processes are vetted through our vendor management process.
Risks from cybersecurity threats or previous incidents have not materially affected our business strategy, results of operations, or financial condition.
See cybersecurity risk factors in Item 1A. Risk Factors.