M&T BANK CORP - (MTB)
10-K Filing Date: February 21, 2024
The Company has established policies, processes, controls and systems designed to identify, assess, measure, manage, monitor and report risks related to cybersecurity and help prevent or limit the effect of possible cybersecurity threats and attacks. As cybersecurity threats continue to evolve, the Company expects to continue to expend significant resources to modify or enhance its measures to detect and prevent cybersecurity attacks or to investigate and remediate any information security vulnerabilities that become known. The risks faced by the Company from cybersecurity threats that could materially affect the Company, including its business strategy, results of operations or financial condition, are discussed in Part I, Item 1A, “Risk Factors” as part of this Annual Report on Form 10-K.
Cybersecurity is integrated into the Company’s Risk Framework through which the Company identifies, assesses, monitors, controls, communicates and escalates risks. The Risk Framework, which is reviewed and approved by the Risk Committee of the Board of Directors at least annually, represents the Company’s overall risk management approach, including the policies, processes, controls and systems through which the Company seeks to manage risk, including cybersecurity risk. It provides a common foundation for all employees and officers as well as directors to understand and communicate the types of risks that the Company faces in pursuit of its business objectives. The Risk Framework includes oversight by management through a multi-tiered committee structure responsible for overseeing proactive risk identification, developing an aggregated view of risks, and providing a consistent governance methodology across the Company. All such committees, including the Operational Risk Committee, which has primary authority for oversight of cybersecurity, report up to the Management Risk Committee, which is chaired by the Chief Risk Officer and serves as the executive-level committee responsible for the implementation and oversight of the Risk Framework. The Risk Framework is designed to ensure that the Board of Directors and its Risk Committee, which is the primary Board committee that oversees cybersecurity, are provided the information necessary to be effective in their risk management oversight responsibilities.
The Risk Committee of the Board of Directors receives regular reports on cybersecurity from the CISO. The CISO is responsible for the design and execution of the Security Program, which is supported by the governance structure defined within the Risk Framework. The CISO reports as necessary to executive management, the Risk Committee of the Board and the Board of Directors on cyber and information security issues and the effectiveness of the Company’s cyber and information security program. The Risk Committee of the Board and the Board of Directors receive the results of the Company’s annual cybersecurity risk assessment. Aligned with leading industry standards, including the U.S. Department of Commerce’s National Institute of Standards and Technology Cybersecurity Framework, the Security Program is built upon a foundation of policies, standards and procedures, which leverage the National Institute of Standards and Technology standards, to help safeguard customer information and reduce the risk of cyber incidents and breaches. The Security Program features layered controls of network and endpoint intrusion detection and prevention, enterprise malware protection, threat monitoring and a Security Operations Center that provides full-time support and additional operational measures to monitor and respond to data breaches and cyberattacks.
In accordance with the Gramm-Leach-Bliley Act, the Company undertakes periodic assessments to identify and assess risks to customer information and evaluate the effectiveness of security controls. The Company engages third parties in connection with such cybersecurity preparedness efforts. Ongoing audits, including vulnerability and penetration testing of the Company’s computing infrastructure, are performed by independent third parties and by our internal cybersecurity personnel.
The Company has also established processes to oversee and identify cybersecurity risks from third-party service providers. Third-party service providers (including suppliers and business partners) are required to have security policies, standards and procedures that meet or exceed the information security guidelines as specified in the Security Program. The Company has an established third-party due diligence program to ensure vendors meet the Company's expectations as agreed to in their contract. Roles, responsibilities and expectations for service providers and other third parties are communicated and documented through contracts (and other associated agreements) and monitored through oversight as part of the Company’s Third-Party Risk Management Program.
The Company’s Cybersecurity Leadership Team includes the CISO, Mr. Timothy Byrd. Mr. Byrd is responsible for overseeing and reporting on the development and implementation of the Company's information security program. Mr. Byrd has over twenty years of experience in information security for large financial institutions. He also served as chairman for the Bank Policy Institute's Technology Policy Division Information Security Committee and as a board member of the Financial Services Information Sharing and Analysis Center. Mr. Byrd currently serves on the Advisory Council for New York University's Graduate School of Engineering, as well as the Advisory Board for University of North Carolina - Charlotte College of Computing and Informatics. The CISO reports to the Company’s Chief Information Officer, Mr. Michael A. Wisler, who has two decades of experience in the financial and technology industries. Prior to joining the Company in 2018, Mr. Wisler served as Chief Technology Officer of North American Credit Cards and Chief Information Officer of Europe at Capital One Financial Corporation. He holds a Master of Science in Management of Information Technology from the University of Virginia. In addition, the Cybersecurity Leadership Team includes management with expertise in vulnerability management, digital forensics, threat intelligence, software development, cybersecurity operations, and project management. Many individuals on the Cybersecurity Leadership Team hold cybersecurity-relevant certifications.
The Company’s Information Security Awareness Program, a component of the Security Program, is designed to ensure that all employees are aware of relevant cyber-related policies, principles, standards and practices, as well as new and current regulatory requirements related to safeguarding customer and corporate information assets. Cybersecurity awareness initiatives and resources are regularly provided to employees, including through mandatory annual cybersecurity awareness training, ongoing simulated phishing email exercises and communications from the Company's Cybersecurity Division on the Company's internal communication channels.