PNC FINANCIAL SERVICES GROUP, INC. - (PNC)

10-K Filing Date: February 21, 2024
ITEM 1C – CYBERSECURITY
We manage our cybersecurity risk as an integral part of our enterprise risk management programs. Accordingly, you should review the disclosure in this Item 1C in conjunction with the disclosure in the Risk Management section of this Report.


The PNC Financial Services Group, Inc. – 2023 Form 10-K 31


Information Security Program

PNC’s approach to cyber risk management, oversight, and reporting is based on a well-structured information security program. The program is responsible for protecting information assets so that business objectives can be achieved securely, and it is designed to keep customers’ information and their funds safe and available. Program capabilities are built against industry guidance and a security framework to identify risks to sensitive information, protect that information, and maintain an appropriate response and recovery capability to help ensure resilience against information security incidents.

PNC’s information security program is designed to ensure that PNC follows industry guidance and security frameworks for data protection, system development security, identity and access management, incident management, threat and vulnerability management, security operations management and third- and fourth-party security. Our program is continuously enhanced by threat intelligence, new regulations, industry guidance and disruptive new technologies. The program includes, among other things, annual security and privacy training for all PNC employees, phishing exercises, and informative articles and communications to raise employee awareness.

PNC actively monitors and responds to the overall cybersecurity threat landscape via active capabilities to share information and leverage intelligence, monitoring, and response capabilities across the security industry, which include cybersecurity threats, physical threats and fraud. PNC’s intelligence and analysis capabilities collaborate to analyze events and trends for possible response.

We have not experienced any material cybersecurity threats that have impacted PNC’s business strategy, results of operations, or financial condition to date. Notwithstanding our well-established approach regarding cybersecurity, we may not be successful in preventing or mitigating the impact of a cybersecurity incident that could have a material impact on our business, results of operations or financial condition. See Item 1A Risk Factors of this Report for a discussion of cybersecurity risks.

Board Governance and Risk Oversight
PNC’s Board of Directors maintains governance and oversight of the risks posed by cybersecurity threats through the Board-level Technology and Risk Committees.

The Technology Committee meets no less than quarterly, and its purpose is to (i) assist the Board with the oversight of technology strategy and significant technology initiatives and programs, including those that can position the use of technology to drive strategic advantages and (ii) fulfill oversight responsibilities with respect to technology risk, information management, and security risks (including cyber security, cyber fraud, and physical security risks), and the adequacy of PNC’s business recovery, resiliency and contingency plans and test results.

The Technology Committee is informed of cyber threats and risks through multiple mechanisms. PNC’s Chief Information Security Officer presents quarterly to the Technology Committee on such topics as threat intelligence and assessment reports, incident and event reporting from other institutions, governance and regulatory exam statuses, and the status of other key program deliverables, among other content.

The Risk Committee meets no less than quarterly and provides oversight of PNC’s ERM framework. Cybersecurity risk is integrated into PNC’s overall ERM framework, and is represented as the Information Security domain, alongside seven other operational risk domains. See the Risk Management section of this Report for more details on our ERM framework.

PNC’s inherent information security risks, the maturity and completeness of the control environment, and measurements against our risk appetite are presented quarterly to the Technology Committee by the firm’s Chief Technology Risk Officer. Overall risks across the Enterprise Risk Framework are then reported quarterly to the Risk Committee by the Chief Risk Officer.

Communication to the Board occurs more frequently than quarterly, when dictated by incident and event management policies and procedures based on the criticality and urgency of the communication.

Role of Management

Management is directly involved in assessing and managing PNC’s risks from cybersecurity threats. PNC uses a three-lines-of-defense model in which cybersecurity risk is managed and assessed by the first line of defense, led by the Chief Information Security Officer and the Director of Technology and Security Risk Management, and by the second line of defense, which is led by the Chief Technology Risk Officer, who reports to the Chief Risk Officer. The first and second lines of defense are examined internally by our third line of defense, Internal Audit. The lines-of-defense model ensures appropriate oversight within the management structure. See the Risk Governance and Oversight section of Risk Management for more details on each of our lines of defense. In addition to the three lines of internal defense, PNC engages external consultants to assess and inform the program, as needed.
The Chief Information Security Officer’s organization includes managers who have led cybersecurity programs in other industries such as robotics and artificial intelligence, consulting, telecommunications, healthcare, and manufacturing, which brings together a multi-faceted approach to managing cybersecurity threats and risks. The Information Security department leadership and personnel hold degrees in Information Security, Management Information Systems, Computer Science, Engineering Management and other professional majors. They also hold multiple professional certifications inclusive of vendor-issued security credentials from Cisco, Microsoft and F5, and industry certifications including but not limited to: Certified Information Systems Security Professional issued by the International Information System Security Certification Consortium; the Cybersecurity and Infrastructure Security Agency and Certified Information Security Manager issued by the Information Systems Audit and Control Association; and the Certificate of Cloud Security Knowledge issued by the Cloud Security Association.

Cyber Risks Related to Third Parties

Risks from cybersecurity threats associated with PNC’s use of third-party service providers are addressed as part of the information security risk and third-party risk domains, and their management is integrated into the ERM Framework.

To control cyber risks at third parties and protect customer data and systems, PNC assesses suppliers and third parties through a third-party security program that includes periodic security assessments. The third-party security program also includes regular monitoring of certain third parties using an independent security rating service that is designed to ensure insight and alerting are available at scale. In the event of an incident at a third party, there are specific incident response processes and protocols in place that are designed to protect PNC from potential adverse impacts.