WASHINGTON TRUST BANCORP INC - (WASH)

10-K Filing Date: February 26, 2024
ITEM 1C. Cybersecurity.
All companies utilizing technology are subject to threats of breaches of their cybersecurity programs. In addition, as a financial services company, we are subject to extensive regulatory compliance requirements, including those established by the Federal Reserve, FDIC, RI Division of Banking and Connecticut Department of Banking. To mitigate the threat to our business and address regulatory requirements, we take a comprehensive approach to cybersecurity risk management and have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. As described in more detail below, we have established policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats. We devote significant financial and personnel resources to implement and maintain security measures to meet regulatory requirements and customer expectations, and we intend to continue to make significant investments to maintain the security of our data and cybersecurity infrastructure. There can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective. Although our “Risk Factors” in Item 1A include further detail about the material cybersecurity risks we face, we believe that risks from prior cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations, or financial condition.

Risk Management and Strategy
Our policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our comprehensive ERM program and are based on frameworks established by the National Institute of Standards and Technology (“NIST”), Center for Internet Security (“CIS”) and other applicable industry standards. Our cybersecurity program in particular focuses on the following key areas:

Collaboration
Our cybersecurity risks are identified and addressed through a comprehensive approach led by our Information Assurance team. The Information Assurance team works collaboratively across the organization to develop strategies for preserving the confidentiality, integrity and availability of Corporation and customer information, identifying, preventing and mitigating cybersecurity threats, and effectively responding to cybersecurity incidents. We maintain controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that such incidents are reported to management and the Audit Committee of the Board of Directors ("Audit Committee") in a timely manner and decisions regarding public disclosure and reporting of such incidents can be made.

Risk Assessment
At least annually, we conduct a cybersecurity risk assessment that considers information from internal stakeholders, known information security vulnerabilities, and information from external sources (e.g., reported security incidents that have impacted other companies, industry trends, and evaluations of our environment by third parties and consultants). The results of the assessment are used to develop plans for, and prioritization of, initiatives to enhance our security controls, and to make recommendations to improve processes.

Technical Safeguards
We regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and incident response experience.

Incident Response and Recovery Planning
We have established comprehensive incident response and recovery plans and continue to regularly test and evaluate the effectiveness of those plans. Our incident response and recovery plans address and guide our employees, management and the Audit Committee on our response to a cybersecurity incident.

Third-Party Risk Management
We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and based on risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate.

Education and Awareness
Our policies require each of our employees to contribute to our data security efforts. We regularly remind employees of the importance of handling and protecting customer and employee data, including through annual privacy and security training to enhance employee awareness of how to detect and respond to cybersecurity threats. We also provide quarterly training updates for our employees, which include social engineering exercises.

External Assessments
Our cybersecurity policies, standards, processes, and practices are regularly assessed by consultants and external auditors. These assessments include a variety of activities, including information security maturity assessments, audits and independent reviews of our information security control environment and its operating effectiveness. For example, we engage a third-party auditing firm to conduct cyber audits on an annual basis that assess our controls against the NIST Cybersecurity Framework and the CIS controls. The results of these assessments are reported to management and the Audit Committee. Cybersecurity processes and controls are adjusted based on the information provided by these assessments.

Governance
Board Oversight
Our Board of Directors has overall responsibility for risk oversight, with its committees assisting in performing this function based on their respective areas of expertise. Our Board of Directors has delegated oversight of risks related to cybersecurity to the Audit Committee. The Audit Committee reports the results of its oversight function to the Board of Directors.

The Audit Committee directly oversees our cybersecurity program and receives regular reports from management about the status of our control environment based on the CIS controls, and about the prevention, detection, mitigation, and remediation of cybersecurity incidents. This reporting also includes information concerning material security risks and information security vulnerabilities, cybersecurity risks identified through risk assessments, the progress of risk reduction initiatives, external auditor feedback, control maturity assessments, and relevant internal and industry cybersecurity incidents.

Management’s Role
Our chief information officer (“CIO”), chief information security officer (“CISO”) and chief technology officer (“CTO”) have primary responsibility for assessing and managing material cybersecurity risks. Through the ongoing assessments they perform, including third-party assessments, they make recommendations on enhancing our security controls and on the continued maturation of our information technology and information assurance programs.

Our CIO joined Washington Trust as CISO in 2016 and has more than 35 years of experience in the financial, technology, auditing, and banking industries. He has expertise in technology deployment, information technology risk management and information security policies and programs. Our current CISO has served in that position since 2018 and is a 27-year employee of Washington Trust. He has extensive experience and expertise in information technology risk management and information security policies and programs. He holds a Bachelor of Science in Computer Information Systems and several certifications, including Certified Information Systems Security Professional and Certified Information Security Auditor. Our CTO has served in that position since 2021 and is a 12-year employee of Washington Trust. He has broad technical experience and expertise in information technology and holds a Bachelor of Science in Information Science and several certifications, including Cisco Certified Network Associate.