HUNTINGTON BANCSHARES INC /MD/ - (HBAN)
10-K Filing Date: February 16, 2024
Item 1C: Cybersecurity
Cybersecurity represents an important component of Huntington’s overall cross-functional approach to risk management. Our cybersecurity practices are integrated into Huntington’s ERM approach, and cybersecurity risks are among the core enterprise risks identified for oversight by our Board of Directors (“Board”) through our annual ERM assessment. See “Risk Factors—Operational Risks” for information on risks from cybersecurity threats. Our cybersecurity policies and practices follow the cybersecurity framework of the National Institute of Standards and Technology and other applicable industry standards.
Consistent with Huntington’s overall ERM policies and practices, our cybersecurity program includes:
• Vigilance: We maintain a global cybersecurity threat operation designed to detect, contain, and respond to cybersecurity threats and incidents in a prompt and effective manner with the goal of minimizing disruptions to our business.
• Collaboration: We have established collaboration mechanisms with public and private entities, including intelligence and enforcement agencies, industry groups, and third-party service providers to identify and assess cybersecurity risks.
• Systems Safeguards: We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, access controls, and ongoing vulnerability assessments.
• Third-Party Management: We maintain a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, such as vendors, service providers, and other users of our systems.
• Education: We provide periodic and ongoing training for personnel regarding cybersecurity threats, with such training scaled to reflect the roles, responsibilities, and access of relevant personnel.
• Incident Response Planning: We have established and maintain incident response plans that address our response to a cybersecurity incident, and such plans are tested at least annually, or more frequently as needed.
• Communication and Coordination: We utilize a cross-functional approach to evaluating the risk from cybersecurity threats, involving management personnel from the technology, operations, legal, risk management, internal audit, and other key business functions, as well as members of our Board and the Technology Committee of the Board regarding cybersecurity threats and incidents.
• Governance: The Board’s oversight of cybersecurity risk management is supported by the Technology Committee, which has responsibility for the development, implementation, maintenance, and risk management of the cybersecurity program and regularly interacts with Huntington’s ERM function, individual members of management, and relevant management committees.
A key part of Huntington’s strategy for managing risks from cybersecurity threats is the ongoing assessment and testing of our processes and practices through auditing, assessments, tabletop exercises, and other exercises focused on evaluating effectiveness. We regularly engage third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, and independent reviews of our information security control environment and operating effectiveness. The results of such assessments and reviews are reported to the Technology Committee and the Board, and we adjust our cybersecurity processes and practices as necessary based on the information provided by the third-party assessments and reviews.
The Technology Committee of the Board oversees the management of risks from cybersecurity threats, including the policies, processes and practices that management implements to address risks from cybersecurity threats. The Board and the Technology Committee each receive regular presentations and reports on cybersecurity risks which address a wide range of topics including, for example, recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security considerations arising with respect to peers and vendors. The Board and the Technology Committee also receive prompt information regarding the occurrence of any potentially material cybersecurity incidents, including ongoing updates, when applicable. To keep the Board apprised of the continually shifting landscape, the Chief Information Security Officer provides updates to the Technology Committee on information security and cybersecurity matters on at least a quarterly basis, and more frequently as necessary. The entire Board also participates in periodic cyber-related tabletop exercises.
Huntington’s Chief Information Security Officer is a member of our Information and Technology Risk Committee that is principally responsible for overseeing our cybersecurity risk management program, in partnership with other business leaders across Huntington. The Chief Information Security Officer also works with members of the ELT, which includes our Chief Executive Officer, Chief Financial Officer, Chief Risk Officer, and General Counsel. We believe our Board and management have the appropriate expertise, background, and depth of experience to manage risks arising from cybersecurity threats including applicable knowledge gained through industry experience, academia, ongoing internal and external training, and regular discussions with consultants and peers with applicable knowledge and expertise. In particular, one of our Board members has an extensive cybersecurity background, including having most recently served as the first-ever U.S. National Cyber Director. In addition, other members of our Board and management hold varying levels of relevant cybersecurity certifications.
The Company’s Chief Information Security Officer works collaboratively across Huntington to implement a program designed to identify and protect our information systems from cybersecurity threats and to promptly detect and respond to cybersecurity incidents. To facilitate this program, multi-disciplinary teams throughout Huntington are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with Huntington’s incident response plan. Through ongoing communications across the organization, the Chief Information Security Officer monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents in real time, and reports such incidents to the CEO, the Technology Committee, and the Board when appropriate, as discussed above.