Atlantic Union Bankshares Corp - (AUB)

10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY.

Overview

The cybersecurity threat environment is volatile and dynamic, requiring a robust and dynamic framework to reduce and mitigate cybersecurity risk. Cybersecurity risk includes exposure to failures or interruptions of service or security breaches resulting from malicious technological attacks that impact the confidentiality, integrity, or availability of our or third parties’ operations, systems, or data. We seek to mitigate cybersecurity risk and associated reputational and compliance risk by, among other things:

maintaining privacy policies, management oversight, accountability structures, and technology design processes to protect private and personal data;
actively monitoring and mitigating cybersecurity threats and risks with a three lines of defense structure to provide oversight, governance, challenge, and testing;
using a third-party cybersecurity oversight program;
maintaining oversight of our information security program by senior management, our board-level Risk Committee, and our Board of Directors; and
maintaining an incident response program intended to enable us to mitigate the impact of, and recover from, any cyberattacks, and facilitate communication to internal and external stakeholders, as needed.

We had no material cybersecurity incidents in 2023.

Risk Management and Strategy

Our cybersecurity risk management strategy is integrated into our enterprise risk management framework and is embedded in each of our three lines of defense. We use a combination of management expertise and Board oversight, as discussed below, as well as outside consultants to assist us in overseeing our cybersecurity risk management program. We deploy safeguards designed to protect customer information and our own corporate information and technology. We have programs and processes in place designed to mitigate known attacks, and we use both internal and external resources to scan for vulnerabilities in our applications, systems, and platforms. We implement backup and recovery systems and require the same of our third-party service providers.


We use independent third-party service providers to perform penetration testing of our infrastructure to help us better understand the effectiveness of our controls, improve our defenses, and conduct assessments of our program for compliance with regulatory requirements and industry guidelines. We also engage with outside risk experts and industry groups, including other peer institutions, as needed, to help us evaluate potential future threats and trends, particularly with respect to emerging information security and fraud risks. In addition, we use a Third-Party Risk Management program to help mitigate risks with our third- and fourth-party providers; however, our ability to monitor our service providers’ cybersecurity practices is limited. We generally have agreements in place with our service providers that include requirements related to cybersecurity and data privacy. We cannot guarantee, however, that such agreements will prevent a cyber incident from impacting our systems or information. Additionally, we may not be able to obtain adequate or any reimbursement from our service providers in the event we should suffer any such incidents. Due to applicable laws and regulations or contractual obligations, we may be held responsible for cyber incidents attributed to our service providers in relation to any data that we share with them.

While to date, we have not experienced a significant compromise, attack, or loss of data related to cybersecurity attacks, due to the nature of our business, we are under constant threat of an attack and could experience a significant cybersecurity event in the future. Potential risks we could face from a cybersecurity event are discussed in “Risk Factors” above.

Governance

Through established governance structures, including our problem and incident management process and cyber incident response plan, we have processes and procedures to help facilitate appropriate and effective oversight of cybersecurity risk. These processes and procedures enable our three lines of defense and management to review and manage cybersecurity risks, monitor threats, and provide for further escalation to executive management, our management-level Disclosure Committee, our board-level Risk Committee, or to the full Board, as appropriate.

Role of the Board of Directors

Our Board of Directors plays a critical role in the oversight of risk, including risks from cybersecurity threats, and has established a risk oversight structure that seeks to ensure that cybersecurity risks are identified, monitored, assessed, and mitigated appropriately. In that regard, our Board is actively engaged in the oversight of our cyber risk profile, which includes risks from cybersecurity threats, enterprise cyber strategy, and key cyber initiatives. Our Board regularly receives reports on such matters from our Chief Information Officer, Chief Information Security Officer, and other relevant personnel. Our Board also meets with our internal and external auditors, and federal and state regulators to review and discuss reports on risk, examination, and regulatory compliance matters.

Our board-level Risk Committee is responsible for assisting the Board in its oversight of risk, including cybersecurity threats, and for overseeing our enterprise risk management framework. The Risk Committee actively engages with our Chief Risk Officer and other members of management to discuss major risk exposures, establish risk management principles, and determine our risk appetite, and it regularly reports on its activities to, and makes recommendations to, the full Board. The Risk Committee receives a quarterly summary analysis of cybersecurity risks, threats, and incidents. In addition, the Risk Committee is engaged, as needed, in accordance with our Cybersecurity Incident Response Plan.

Role of Management

Our cybersecurity risk management program is built on three lines of defense, which collectively are designed to identify, assess, and manage our material risks from cybersecurity threats. Our Chief Risk Officer is responsible for implementing our enterprise risk management framework and reports directly to our Chief Executive Officer.

Our Information Security department, which is our first line of defense, operates under our Chief Information Security Officer, who manages preventative and detective controls to protect against cybersecurity risks and responds to cyber incidents and data breaches. At least annually, the first line conducts mandatory teammate training on information security and provides ongoing information security education and awareness for teammates, such as online training classes, mock phishing attacks, and information security awareness materials. Our cybersecurity risk management program is designed to maintain and challenge our information security defense system, as well as monitor, respond to, evaluate, and escalate cyber threats. We also have a business risk manager within our first line of defense whose role is to focus on evaluating, managing, and escalating technology risks. The escalation process includes a weekly escalation report of problem incidents, including cybersecurity threats, which allows for collaborative threat management by the first and second lines of defense.

The second line of defense independently evaluates, monitors, and challenges our risk mitigation efforts to proactively identify cybersecurity risks, including early-stage engagement and risk management with emerging threats. Second line teammates provide effective challenge to the cybersecurity risk management efforts of the first line through ongoing engagement in problem incidents, regular reviews of cybersecurity risk reporting, and inquiries into the sufficiency of risk management activities. Our second line of defense leads our management-level Technology and Operational Risk Committee, which governs our technology and operational risk tolerances, including cybersecurity and third- and fourth-party provider risks. This committee includes the Chief Information Security Officer and is co-sponsored by the Chief Information Officer and the Chief Risk Officer. These individuals have relevant financial, technical, and business degrees, hold relevant certifications, and each has over 20 years of experience in their respective areas of expertise, with a minimum of 10 years in leadership roles, including multiple years at financial institutions. The Committee is responsible for escalating key risks to our Management Risk Committee, which includes all members of our Executive Leadership Team, as well as our Head of Business Risk, who operates within our first line of defense.

Internal Audit serves as the third line of defense and provides independent assurance on how effectively we are mitigating, managing, and challenging our cybersecurity risks.