WESBANCO INC - (WSBC)
10-K Filing Date: February 26, 2024
Wesbanco maintains an Information Security and Cybersecurity program that is responsive to statutory and regulatory requirements, which includes policies, standards, rigorous testing by internal and external parties pursuant to those standards and policies and operating procedures. Wesbanco generally approaches cybersecurity threats through a cross-functional, multi-layered approach, with the specific goals of: (i) identifying, preventing and mitigating cybersecurity threats to Wesbanco; (ii) maintaining the confidence of its customers and business partners; and (iii) preserving the confidentiality of its customers’ and employees’ information. Wesbanco’s Information Security and Cybersecurity program is integrated into its overall enterprise risk management program and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational and financial risk areas. The bank also partners with trusted security vendors to help ensure that the security control infrastructure adequately addresses current and emerging technical threats with appropriate countermeasures. This oftentimes includes the engagement of consultative assistance for each of the three lines of defense to ensure appropriate technical expertise exists in the control area that is being evaluated and to maintain best practices.
As detailed in the risks related to the use of technology, third-party technology relationships pose a risk to the organization. As such, third-party risk management processes are aligned with regulatory requirements and are another key focus area within the bank's enterprise risk management framework. Wesbanco employs a third-party risk management program that includes a systematic evaluation of potential risks associated with engaging third-party vendors, suppliers or partners that may have access to Wesbanco’s sensitive information, systems or networks. This process is also intended to provide for the security and integrity of Wesbanco’s data that may be stored on third-party systems. The process identifies and addresses potential security vulnerabilities, safeguarding Wesbanco’s information assets and reducing the overall risk of cyber threats. Third-party providers are evaluated during onboarding and throughout the ongoing relationship based on the level of risk that the service being provided presents to the organization. The evaluation process includes a thorough review of operational practices related to cybersecurity and considers factors that impact the protection of bank and customer data.
Cybersecurity risks continue to evolve with certain risks leading the way. Risks experienced in the last year involved third-party service providers, with no material impact to Wesbanco related to these incidents. Wesbanco continues to foster a risk-averse focus and leverages various threat intelligence sources to continually evaluate current and future risks to the organization. The bank's cybersecurity strategy and roadmap are frequently evaluated and updated according to multiple inputs, including any tangible cybersecurity incidents.
Cybersecurity threats, a security strategy roadmap, and key risk indicators are shared with management and the board of directors through both committee reporting structures and periodic reports of the Chief Security Officer. In addition, management updates our Enterprise Risk Management Committee, as necessary, regarding significant cybersecurity incidents. Our Enterprise Risk Management Committee regularly reports to the full Board of Directors regarding its activities, including those related to cybersecurity. As part of the Enterprise Risk Management Framework, cybersecurity oversight also utilizes the concept of three lines of defense which allows for multiple challenge response processes to continually mature the cybersecurity program. Cybersecurity best practices from the National Institute of Standards and Technology ("NIST") and the Center for Internet Security ("CIS") are used to establish, operate, and validate security controls.
The Enterprise Risk Management Committee is a board-level committee that focuses on enterprise risk which is inclusive of cybersecurity risks. Multiple directors have decades of experience, not only in the banking sector, but also have been responsible for cybersecurity and technology departments at larger organizations. The Chief Security Officer is responsible for providing the Information Security strategy and operational planning for the overall Information Security program. The Chief Security Officer has multiple decades of experience in the industry, advanced education degrees, and holds industry standard technical and security certifications. Several members of the Information Security leadership team also hold multiple security certifications that tie directly to their job responsibilities.
While Wesbanco and its third-party providers have in the past experienced cybersecurity incidents, Wesbanco is not aware of any current incidents or new types of threats which have materially affected or are reasonably likely to materially affect Wesbanco, including its business strategy, results of operations, or financial condition. We face ongoing risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See Item 1A, “Risk Factors – Interruption to Our Information Systems or Breaches in Security Could Adversely Affect Wesbanco’s Operations.”