SYNOVUS FINANCIAL CORP - (SNV)

10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
Cybersecurity is a critical component of Synovus’ business and the advancement of our strategies, including our growth initiatives. As a financial institution, we face a multitude of cybersecurity threats that range from attacks common to most industries, such as ransomware and denial-of-service, to attacks from more advanced and persistent, highly organized adversaries that target the financial services industry specifically. Our clients, vendors, and partners face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these stakeholders could materially adversely affect our operations, performance, and results of operations. As such, we maintain a cyber risk management program designed to identify, assess, manage, mitigate, and respond to these cybersecurity threats and risks. Our program is fully integrated within the Company’s enterprise risk management system and addresses both the corporate information technology environment and client-facing products and services.
We believe each of Synovus’ employees has a role in the Company’s cybersecurity defenses. Employees at various levels and in various lines of business and support functions participate in training programs on cybersecurity and social engineering to mitigate risk, including required annual training, quarterly training on critical topics, and bimonthly security awareness communications. We conduct monthly exercises to test the effectiveness of this training.
We employ a formal risk management process for the identification, assessment, monitoring, acceptance, communication, consultation, and review of cyber-related risks which is designed in accordance with industry practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework and International Organization for Standardization (ISO) 27005. The Company's information security standards are externally audited on an annual basis against the System and Organization Controls (SOC) framework and for compliance with the Payment Card Industry Data Security Standard (PCI DSS). Our program is reviewed periodically against the Federal Financial Institutions Examination Council's (FFIEC) Cybersecurity Assessment Tool and the NIST Cybersecurity Framework in order to measure our cybersecurity preparedness, evaluate whether our cybersecurity preparedness is aligned with risks, determine potential areas of improvement or enhancement for the Company's risk management practices and controls, and inform our risk management strategies.
Our information security program employs a wide variety of technologies that are intended to secure our operations and proprietary information. We have a Business Continuity/Disaster Recovery program in place, which is updated and tested on a regular basis, focused on protecting our networks, systems, data, and facilities from attacks or unauthorized access. We maintain an Incident Response program which describes Synovus' processes, procedures, and responsibilities for responding to cybersecurity incidents. This program is tested regularly through tabletop exercises, including through independent third-party review and assessments at least annually. Each exercise results in lessons learned and subsequent improvements to the Incident Response program. In addition, we have a dedicated Cybersecurity Fusion Center for monitoring and responding to cyber events in real-time.
We also continue to invest in developing and enhancing our security processes and controls and in maintaining our technology infrastructure. These programs provide for an intentional and deliberate plan for notifying, informing, consulting, analyzing, and communicating any risks or incidents, as necessary and appropriate under the circumstances, to various internal stakeholders (such as executive management and the Board) and external stakeholders (such as our regulators, impacted individuals, and the investment community).
Cyber advisors are a key part of Synovus’ cybersecurity infrastructure, and we partner with leading cybersecurity companies and organizations to leverage third-party technology and expertise as appropriate. We engage and retain independent third parties to review and assess our information security program on a regular basis and to perform annual penetration tests against our network. We maintain computer forensics, legal, and security firms on retainer in case of a cybersecurity incident. In addition, we are members of financial sector organizations, including the Financial Services Information Sharing and Analysis Center (FS-ISAC), which facilitates the sharing of cyber and physical threat, vulnerability, and incident information for the good of the membership and for improvement in industry best practices. We also perform comprehensive cybersecurity due diligence and ongoing oversight of third-party relationships, including vendors, and require third-party service providers with access to personal, confidential, or proprietary information to implement and maintain comprehensive cybersecurity practices consistent with applicable legal standards and industry best practices.
Synovus’ business depends on the availability, reliability, confidentiality, and security of our information systems, networks, and data. Any disruption, compromise, or breach of our systems or data due to a cybersecurity incident or threat could have a material adverse effect on our business strategy, financial condition, or results of operations. While the Company has experienced, and will continue to experience, cyber incidents in the normal course of business, to date the Company has not experienced a cybersecurity incident that has materially impacted our business strategy, financial condition, or results of operations. Despite our efforts to continually enhance our cybersecurity program, there can be no assurance that the cybersecurity risk management processes and measures described here will be fully implemented, complied with, or effective in protecting our systems and information. We face risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect our business strategy, financial condition, or results of operations. See “Part I - Item 1A. Risk Factors – Operational Risk” of this Report.
Cybersecurity Governance
Synovus’ Chief Information Security Officer ("CISO") reports to Synovus’ Executive Vice President, Technology, Security, and Operations and is the head of Synovus’ cybersecurity team. The CISO is responsible for assessing and managing Synovus’ cyber risk management program and strategy, informing executive management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents, and supervising such enterprise-wide efforts. Synovus’ current CISO has extensive information technology and program management experience, with over 25 years of corporate information security experience. The CISO leads a cybersecurity team with decades of experience selecting, deploying, and operating cybersecurity technologies, initiatives, and processes, and relies on threat intelligence as well as other information obtained from governmental, public, and private sources, including external consultants retained by Synovus.
Our Board is actively engaged in the oversight of Synovus’ information security risk management and cybersecurity programs and has delegated primary oversight of cybersecurity to our Risk Committee. The Risk Committee receives quarterly updates from the Company’s CISO on the Company’s information security and cyber risk strategy, cyber defense initiatives, cyber event preparedness, and cybersecurity risk assessments. As a part of these quarterly updates, the CISO updates the Risk Committee on the development of any new or emerging cyber risks or threats and the appropriate mitigation actions. In addition, the Risk Committee annually approves the Company’s information security program as part of its oversight of information risk, aligning our cyber risk exposure with our strategic objectives.
The CISO also reports to the full Board on the Company’s information security program at least annually, facilitates Board tabletop exercises on cybersecurity, discusses any changes in the Company’s cyber risk profile, and provides Board training on a periodic basis with third-party cybersecurity experts. Moreover, consistent with our Incident Response plan, the Risk Committee and the Board are to be apprised of significant cybersecurity incidents.