REGIONS FINANCIAL CORP - (RF)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Risk Identification and Assessment. Regions devotes significant financial and non-financial resources to identify and mitigate threats to the confidentiality, availability and integrity of its information systems. As more fully described below, the Regions IS Program’s controls and risk management practices are designed to prevent and detect cybersecurity threats in order to reduce the likelihood that they materially affect Regions' business strategy, operations, or financial condition.
Regions regularly tests and assesses its environment so it can update and maintain its systems and controls to mitigate the risks from cyber threats and vulnerabilities. These include risk assessments and penetration testing as well as testing against security controls. Layered security controls are designed and maintained to complement each other and enhance risk mitigation efforts. Regions will continue to develop and enhance controls, processes and technology to respond to evolving disruptive technology and to protect its systems from attacks or unauthorized access. In addition, Regions’ TPRM function establishes the risk-based framework that governs all associates, subsidiaries, and affiliates who are engaged in the sourcing, planning, risk assessment, due diligence, contracting, ongoing monitoring, and governance of vendor engagements, including those that present cybersecurity risks for Regions. The TPRM framework includes the initial inherent-risk assessment conducted at onboarding and the applicable due diligence risk assessments, based on the engagement’s risk profile. Upon completion of the applicable due diligence, the contract is constructed and negotiated, with efforts made to ensure appropriate terms are in place to further mitigate the risks presented. Thereafter, each engagement is reassessed on the established cadence associated with the inherent-risk tier, and performance scorecards are completed to ensure optimal delivery and to denote material changes in the engagement.
Risk Management. As a company that deals with large volumes of sensitive customer information and financial transactions, Regions treats cybersecurity risk as a key operational risk within its enterprise-wide risk management framework. As part of this framework, Regions utilizes the "Three Lines of Defense" concept to clearly designate risk management activities within the Company, and this concept is applicable to cybersecurity risk (see the “Risk Management” section of Item 7. “Management’s Discussion and Analysis of Financial Condition and Results of Operations” of this Annual Report on Form 10-K). To manage cybersecurity risk, the Company has designed and implemented an IS Program that is led by our Chief Information Security Officer, who has close to two decades of experience in the cybersecurity field, including leadership roles at multiple financial services organizations. The IS Program includes information security policies, procedures, and controls designed to prevent, detect, limit and respond to cyber-attack or other similar incidents which might impact Regions' technologies, systems, and networks. Regions' IS Program is designed and implemented to substantially align with standards promulgated by the NIST. The Information Security Policy establishes technical, administrative, and physical control directives that are implemented to protect informational assets from reasonably foreseeable risks and threats. The IS Program is supplemented by cybersecurity operations that protect the integrity and availability of information systems. As discussed above, Regions' TPRM function also conducts due diligence and ongoing oversight of the Company’s third-party vendors. The Company maintains a Cyber Incident Response Plan, which is part of broader business continuity planning and the Crisis Management Program, to help the Company respond to a possible data breach.
The Company engages with external experts and advisors, as needed, to review, enhance, and support our IS Program. For example, third parties may be used to assist in the event of a breach or to mitigate certain threats to Regions' environment. Internally, the Company regularly provides associates with cybersecurity training and education. To bolster these practices, Regions maintains cybersecurity insurance, which is reviewed annually, to cover potential financial losses from cyber events. In addition, Regions participates in information sharing organizations to gather and share information with peer banks and other financial institutions on cybersecurity and related topics, including fraud, to better prepare and protect its information systems from attack.
Governance. Regions’ system of internal controls also incorporates an organization-wide protocol for the reporting and escalation of cybersecurity matters, including to management and the Board. The Board also receives updates on the Company’s enterprise services, which includes resilience, information technology, and cybersecurity. The Board considers both business and technical resilience, cybersecurity and technological innovation, and privacy considerations, along with related risk considerations and mitigation efforts, within the Company’s strategic plan. The Board is actively engaged in the oversight of Regions’ continuous efforts to reinforce and enhance its operational resilience and receives education on the cybersecurity landscape. The Board oversees the management of cybersecurity and related risks primarily through its Risk Committee, which is supported at the management level by the ERMC, ORC, and TOROC, which fall under the Risk Committee's purview. The Board's Risk Committee annually reviews and approves the Information Security Policy; reviews information and regular reports on the topic from members of management on at least a quarterly basis; and recommends actions and other steps to be taken, as it deems appropriate. Additionally, the Board’s Audit Committee periodically receives reports on the IS Program prepared by the Chief Information Security Officer and the Company's Risk Management and Internal Audit functions. The Board’s Technology Committee is charged with oversight of the overall role of technology in executing Regions’ business strategy and coordinates with the Risk Committee on risk assessment and management associated with technology-related strategic investments, major technology vendor relationships, and risks associated with information technology and security activities. The Board annually reviews the information security program and, through its various committees, is briefed at least quarterly on cybersecurity matters. In addition, our management follows a risk-based escalation process to notify the Audit Committee and Risk Committee outside of the regular reporting cycle when they identify an emerging risk or material issue.
Cybersecurity Incidents. In 2023, we did not identify any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. Despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, see the Technology Risks in Item 1A. "Risk Factors".