ASSOCIATED BANC-CORP - (ASB)
10-K Filing Date: February 08, 2024
ITEM 1C. Cybersecurity
Risk Management and Strategy
The Corporation recognizes the security of our banking operations is critical to protecting our customers, maintaining our reputation and preserving the value of the Corporation. The Board of Directors, through the ERC, provides direction and oversight of the enterprise-wide risk management framework of the Corporation, and cybersecurity represents a component of the Corporation’s overall approach to enterprise-wide risk management. The Information Security Program establishes policies and procedures for the measurement of the effectiveness and efficiency of information security controls related to both design and operations. The Corporation leverages the following guidelines and frameworks to develop and maintain the Information Security Program: FFIEC Information Security IT Examination Handbook, FFIEC Business Continuity Planning Handbook, FFIEC Cybersecurity Assessment Tool, Center for Internet Security Critical Security Controls, National Institute of Standards and Technology Special Publication 800 Series, ISO-27000 Standard and GLBA 501(b). In general, the Corporation seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on confidentiality, security and availability of the information that the Corporation collects and stores by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cyber threats when they occur.
As one of the elements of the Corporation’s overall enterprise-wide risk management approach, the Information Security Program is focused on the following key areas:
• Security Operation and Governance: As discussed in more detail under the heading “Governance,” the ERC has delegated to senior management responsibility for managing the Information Security Program. Senior management carries out this mandate through the Operational Risk and Enterprise Risk Management Committees. To maintain alignment and appropriate insight regarding information security activities, an Information Security Steering Committee provides general program insight.
• Collaborative Approach: The Corporation has implemented a cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
• Security Competencies: The Information Security organization oversees a program of security competencies and tools designed to protect the confidentiality, integrity, and availability of our data. These assets represent a blend of various management (e.g., policies), operational (e.g., standards and processes), and technical controls (e.g., tools and configurations).
• Cyber Defense Center and the Incident Response Plan: The Corporation has a Security Operations Center, known as the “Cyber Defense Center,” which provides continual security monitoring 24 hours per day, seven days per week, where resources actively deliver threat analysis, vulnerability management, intrusion detection, intrusion hunting and red team exercises. The Corporation’s Incident Response Plan helps reduce the risks related to security incidents by providing guidelines on responding to incidents by focusing on a roadmap for coordinating personnel, policies, and procedures to ensure incidents are detected, analyzed, and handled.
• Third-Party Risk Management: Management of the Corporation’s third parties, including vendors and service providers, is conducted through a risk-based approach and the level of due diligence is driven from risk factors established by Corporate Risk Management. The process provides awareness and collaboration across all internal teams including Information Security and Business Resumption. A Technical Requirements review process is conducted on new or significantly changed third parties, applications, or technology to ensure that systems or third parties meet certain security baseline requirements. This process is aimed at advocating the necessary security, infrastructure, and application standards or controls so that information systems and the third party have recovery plans in place.
• Security Awareness and Education: The Corporation provides annual, mandatory training for personnel regarding security awareness as a means to equip the Corporation’s personnel with the understanding of how to properly use and protect the computing resources entrusted to them, and to communicate the Corporation’s information security policies, standards, processes and practices.
The Corporation leverages regular assessments to identify current and potential threats and vulnerabilities within the Corporation’s environment. Technical vulnerabilities are identified using automated vulnerability scanning tools, penetration testing, and system management tools, whereas non-technical vulnerabilities are identified via process or procedural reviews. The Corporation conducts a variety of assessments throughout the year, both internally and through third parties. Vulnerability assessment and penetration tests are performed on a regular basis to provide the Corporation with an unbiased view of its environment and controls. Vulnerabilities identified during these assessments are inventoried in a centralized tracking system and reported to management on a regular basis. A multi-step approach is applied to identify, report and remediate these vulnerabilities, and the Corporation adjusts its information security policies, standards, processes and practices as necessary based on the information provided by these assessments. The results of key assessments are reported in summary to the Board of Directors annually.
Governance
The Board of Directors, through the ERC, provides direction and oversight of the enterprise-wide risk management framework of the Corporation, including the management of risks arising from cybersecurity threats. The ERC reviews and approves the Information Security Policy. The Board of Directors receives regular presentations which include updates on cybersecurity risks, including the threat environment, evolving standards, projects and initiatives, vulnerability assessments, third-party and independent reviews, technological trends and information security considerations arising with respect to the Corporation’s peers and third parties. The Board of Directors also receives information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. On an annual basis, the full Board of Directors discusses the Corporation’s approach to cybersecurity risk management with the Corporation’s CISO.
The CISO, under the guidance of our CIO, CRO, CEO and General Counsel, works collaboratively across the Corporation to implement a program designed to protect the Corporation’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Corporation’s incident response and recovery plans including an assessment of the potential materiality of any cybersecurity incident. To facilitate the success of the Corporation’s cybersecurity risk management program, multidisciplinary teams throughout the Corporation are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO and the 2nd Line Information Security Risk Management team monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and report such threats and incidents to the Corporate Crisis Management Team and ultimately the ERC when appropriate.
The CISO has served in various roles in Information Technology and Information Security for over 35 years, including serving in a Chief Information Security Officer role of two large public companies, including Associated Bank for 17 years. The CISO holds an undergraduate degree in Management Information Systems and has attained the professional Information Systems Audit and Control Association certification of Certified Information Security Manager in 2005. The CIO holds an undergraduate degree in business management, with a minor in international business, and is currently pursuing a master’s degree in cybersecurity and has served in various roles in information technology for over 30 years, including serving as either the Chief Technology Officer or Chief Information Officer of four public companies. The CRO has over 30 years of banking experience, holds a degree in computer science, and earned the CERT Certificate in Cybersecurity Oversight from the National Association of Corporate Directors. The Corporation’s CEO and General Counsel each hold degrees in their respective fields, and each has extensive experience managing risks at the Corporation and similar financial institutions, including risks arising from cybersecurity threats.
To our knowledge, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Corporation, including its business strategy, results of operations or financial condition. With regard to the possible impact of future cybersecurity threats or incidents, see Item 1A, Risk Factors — Operational Risks.