CWBFG_Sustainability Report 2023

CYBERSECURITY Our approach

Our cybersecurity program is a mature practice, influenced by well-recognized industry security frameworks. Guided by the National Institute of Standards and Technology (NIST) framework and aligned to industry standards such as COBIT 5 and ISO/IEC 27001, we manage information security with precision and foresight. These frameworks not only bolster our defences but also reflect our dedication to responsible information technology governance and management.

Our cybersecurity governance is robust, with the Chief Information Security Officer (CISO) at the helm, reporting to the Chief Information Officer and ultimately to our Board of Directors. This governance structure ensures accountability and strategic alignment with our sustainability goals. Within our three lines of defence model, our Information Security team is responsible for execution of our cybersecurity risk management program, with second- and third-line oversight provided by the Risk Management and Internal Audit teams. Our Board of Directors provides oversight of our cybersecurity risk management program and receives quarterly reporting on key activities, the ongoing maturation of our program and our proactive measures for risk management.

We are committed to continuous advancement in our cybersecurity efforts. By regularly updating our practices and keeping our technology current, we enhance our ability to respond to emerging threats. To demonstrate the impact of our cybersecurity initiatives, we regularly evaluate key performance indicators and metrics, such as incident response times and threat resolution effectiveness. These measures are crucial for understanding our program’s contribution to the organization’s resilience.

Our program is managed by a team of technical and cybersecurity professionals dedicated to the proactive identification, containment and eradication of cybersecurity threats. We have a comprehensive control framework whose effectiveness is continually assessed using well-established threat intelligence and risk management programs. Innovation is at the heart of our cybersecurity strategy: we leverage AI-driven threat detection systems and invest in technologies that not only enhance security but also align with our environmental commitments.

The CISO has a dedicated Security Operations Centre (SOC) responsible for the management of cyber incident handling, detection, response and recovery. This specialized team executes containment strategies and provides recovery support in the event of a cybersecurity incident, in accordance with CWB’s protocols.

We proactively conduct regular threat analysis activities to identify vulnerabilities in technology and operational processes, and opportunities for remediation. Vulnerabilities are assessed across all technologies and services, and we have defined remediation timeframes based on the criticality of the affected service and the impact or likelihood of exploitation. We maintain insurance coverage to help mitigate certain potential losses associated with cyber incidents.

Recognizing the importance of the entire supply chain to our security posture, we have a mature third-party security risk management program. This program assesses the cybersecurity practices of our vendors, ensuring they uphold the required standards.

2023 HIGHLIGHTS

• Continued to prioritize IT governance and data protection by investing in our people, processes, technology and governance programs to ensure our clients’ information remains secure in an evolving threat landscape;

• Focused on the protection of client information through enhanced data security safeguards as we continue to advance our digital banking and payments capabilities;

• Continued to enhance key knowledge and capabilities within our Cybersecurity Incident Response team to advance our understanding of the rapidly changing landscape and respond to cyber incidents; and,

• Provided Board and executive education sessions, with support from external experts, focused on elevated cybersecurity risks and the development of a cybersecurity risk appetite statement.

20 2023 SUSTAINABILITY REPORT AND PUBLIC ACCOUNTABILITY STATEMENT
