ZIONS BANCORPORATION, NATIONAL ASSOCIATION /UT/ - (ZION)

10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity risk is the risk of adverse impacts to the confidentiality, integrity, and availability of data owned, stored, or processed by the Bank or the accompanying information systems. The number and sophistication of attempts to disrupt or penetrate our systems, and those of our suppliers — sometimes referred to as hacking, cybersecurity fraud, cyberattacks, or other similar names — continues to grow.
Cybersecurity risk is overseen by the Board and the Bank’s multiple lines of defense, including front-line bankers and operations teams, Enterprise Risk Management (“ERM”), and internal audit. Information security risk is managed in accordance with an established ERM framework, which includes elements such as key risk indicators, enterprise standards, controls, and self-assessments that comply with established ERM policies. These elements are regularly assessed, measured, and reported to Board-level and Bank senior management-level risk committees, and those committees review such reports.
As set forth in its charter, the ROC has the responsibility to review reports from management relating to enterprise-wide risk management efforts, including cybersecurity risks. As part of that oversight, the ROC performs an annual review and approval of information security policies and programs, and receives regular updates on key risk indicators, threat trends, risk remediation activities, and operational events. The ROC periodically provides reports regarding this oversight to the Board. Management uses multiple real-time and interval-based monitoring and reporting mechanisms to detect and respond to cybersecurity incidents. Documented escalation procedures are tested regularly as part of tabletop exercises and other activities and include notification to executive management during qualifying cybersecurity incidents.
Management positions directly responsible for assessing, measuring, and managing cybersecurity risks include the Chief Information Security Officer (“CISO”) and the Chief Technology and Operations Officer (“CTOO”). The current CISO has more than 20 years of technology leadership experience, including a significant period directly leading cybersecurity efforts, and holds multiple industry certifications. The CTOO has more than 25 years of audit, risk, operations, and technology leadership experience, including prior assignments as the Bank’s Chief Audit Executive and Director of Bank Operations. The CISO and CTOO regularly report information about cybersecurity risks to the Board or a committee of the Board.
We engage multiple independent third parties or cyber experts to assess information security programs and practices, including, but not limited to, framework maturity assessments, blind penetration testing, technology health checks, cyber skill and staffing assessments, externally facilitated tabletop exercises, external cyber legal counsel briefings, and strategic assessments. Findings from these assessments are regularly reviewed with management and the ROC. Additionally, we participate in various cybersecurity industry forums and have access to law enforcement analysis regarding current threats.
Our supply chain risk management practices include risk assessments of suppliers, including with respect to cybersecurity. We monitor our suppliers using commercially available services that provide real-time security scoring of supplier technology services, threat intelligence, financial intelligence, geopolitical risk intelligence, and other considerations related to cybersecurity. Reviews are also regularly performed to monitor changes in suppliers’ cybersecurity risk posture. Continuous threat intelligence monitoring is also performed to identify potential cybersecurity incidents involving third parties. We strive to negotiate appropriate provisions with respect to cybersecurity in our contracts with suppliers.
When a cybersecurity incident occurs, whether detected internally or from third-party cybersecurity incidents, we evaluate the incident for criticality and potential materiality and disclosure across a range of contributing indicators, including service availability, impact to operations, reputational impact, regulatory and legal considerations, data sensitivity, and direct financial impact. The potential impact of the incident, individually or in aggregate, is evaluated by the CISO continuously across these criteria. We have escalation procedures to notify members of senior and executive management, the Board (or an applicable subset), and regulators in a timely manner based on the criticality and materiality of the cybersecurity incident.
To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations, or financial condition. At December 31, 2023, management has assessed known cybersecurity incidents for potential materiality and disclosure using formal documented processes and has determined that there have been no material cybersecurity incidents, individually or in aggregate. We may nevertheless be unsuccessful in the future in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us.
For additional discussion regarding cybersecurity risks, see “Cybersecurity Risk” in Risk Factors on page 19.