Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Sep. 30, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Information Security Program
Pathward maintains a comprehensive Information Security Program to promote the principles of sound information security governance and to ensure risk-taking activities are in line with the Company’s strategic objectives, risk appetite, and regulatory requirements. The Information Security Program governs the confidentiality, integrity, and availability of data, and defines the responsibilities of departments and individuals for such data. The Information Security Program is designed to protect information resources from a wide range of threats to ensure business continuity and minimize business risk.

Risk Management and Strategy
The goal of the Information Security Program is to prevent cybersecurity incidents. The Information Security Program aligns to the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF"). The Information Security Policy is designed to address compliance by Pathward and its personnel with applicable laws and regulations. Information security controls are designed to follow the Center for Internet Security ("CIS") controls framework. Policies and program standards that align with CIS and Payment Card Industry Data Security Standard ("PCI-DSS") are also in place.

The Information Security teams include experienced, highly qualified architects, engineers and analysts who support all aspects of cybersecurity including security architecture, identity and access management, vulnerability management, security operations, as well as governance, risk and compliance. The majority of the Information Security staff holds at least one cybersecurity-related certification.

Pathward has a formal Enterprise Risk Management ("ERM") department. The Company’s Chief Risk Officer is responsible for developing and executing the risk framework and ERM plan for the Company. The Company has implemented a three lines of defense model. The first line of defense ("1LOD") is responsible for owning, measuring, and managing the risks and controls. The second line of defense ("2LOD") is responsible for monitoring risk and controls in support of management. The third line of defense ("3LOD") is the independent audit function.

Based on the risk appetite of the Company, the ERM department monitors enterprise-wide risk and control profiles. The ERM department provides monthly and quarterly risk reporting to management and the Board of Directors. The ERM department ensures accurate and timely risk assessments are prepared throughout the organization. The ERM department and compliance team also administer a documented regulatory change control process when new and revised regulations need to be implemented.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
Pathward maintains a comprehensive Information Security Program to promote the principles of sound information security governance and to ensure risk-taking activities are in line with the Company’s strategic objectives, risk appetite, and regulatory requirements. The Information Security Program governs the confidentiality, integrity, and availability of data, and defines the responsibilities of departments and individuals for such data. The Information Security Program is designed to protect information resources from a wide range of threats to ensure business continuity and minimize business risk.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Role of Management
Pathward’s Information Security Program is managed by the Company’s Chief Information and Operations Officer ("CIOO") and Chief Information Security Officer ("CISO"). The current CIOO has over 30 years of experience in senior leadership positions in the areas of information technology, technology innovation and enterprise architecture, and has been recognized for various technology and leadership awards. The current CISO reports to the CIOO and has extensive experience in information security both at Pathward and at other companies as well as many years of executive management experience. The CISO regularly reports to executive management, the Risk Committee of the Board of Directors (the “Board Risk Committee”) and the Board of Directors regarding all aspects of information security including cybersecurity risk and incidents. The Information Technology Committee and Executive Risk Committee provide governance and oversight of the Information Security Program. These Committees convene at least four times annually, reporting significant activities and issues upward to the Board Risk Committee and the Board of Directors as necessary.

Role of the Board of Directors
The Board of Directors has delegated oversight of all enterprise risks relevant to the Company, including information technology and cybersecurity risk, to the Board Risk Committee, which consists of three independent non-employee directors. The CISO provides quarterly updates on information security and cybersecurity risk to the Board Risk Committee, as well as an annual cybersecurity overview and information security report to the full Board of Directors. The Risk Committee oversees the Information Security Program including through the annual review and approval of any material changes to the Information Security Policy.
Security Awareness Training
All Pathward employees play a crucial role in cybersecurity defense. Pathward has implemented a security awareness training program that includes annual mandatory training for employees and contractors as well as ongoing phishing resiliency testing. The security awareness program also includes periodic videos and educational articles that are shared with employees through a partnership with corporate communications.

Third Party Risk Management Program
The Information Security third party risk management program is a piece of the overarching enterprise third party risk management program. The Information Security team’s reviews of third parties include initial and periodic security assessments, documentation and audit report reviews, and consultation on any security enhancements recommended based on the results of the completed reviews.

Incident Response Program
Management has developed and implemented a risk-based incident response program to minimize the impact to Pathward and its customers in the event of an information security incident. The incident response program has defined protocols to declare and respond to an identified incident and includes appropriate containment and restoration strategies. Pathward maintains a documented Cybersecurity Incident Response Plan and has identified Information Technology and Information Security staff who are responsible for assisting with a data breach incident response event. Team members have defined roles and responsibilities and must participate in incident response training and walk-through events at least annually. Pathward has contracted with an incident response provider in the event of a security breach. In addition, Pathward has acquired a cybersecurity insurance policy.

Pathward has established a Crisis Management Team ("CMT"), which is comprised of executive leadership and key senior stakeholders and is engaged immediately following a cybersecurity incident. The CMT provides leadership and maintains ultimate executive level oversight during each phase of the incident.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Information Technology Committee and Executive Risk Committee provide governance and oversight of the Information Security Program.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The CISO regularly reports to executive management, the Risk Committee of the Board of Directors (the “Board Risk Committee”) and the Board of Directors regarding all aspects of information security including cybersecurity risk and incidents. The Information Technology Committee and Executive Risk Committee provide governance and oversight of the Information Security Program. These Committees convene at least four times annually, reporting significant activities and issues upward to the Board Risk Committee and the Board of Directors as necessary.
Cybersecurity Risk Role of Management [Text Block]
Role of Management
Pathward’s Information Security Program is managed by the Company’s Chief Information and Operations Officer ("CIOO") and Chief Information Security Officer ("CISO"). The current CIOO has over 30 years of experience in senior leadership positions in the areas of information technology, technology innovation and enterprise architecture, and has been recognized for various technology and leadership awards. The current CISO reports to the CIOO and has extensive experience in information security both at Pathward and at other companies as well as many years of executive management experience. The CISO regularly reports to executive management, the Risk Committee of the Board of Directors (the “Board Risk Committee”) and the Board of Directors regarding all aspects of information security including cybersecurity risk and incidents. The Information Technology Committee and Executive Risk Committee provide governance and oversight of the Information Security Program. These Committees convene at least four times annually, reporting significant activities and issues upward to the Board Risk Committee and the Board of Directors as necessary.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Pathward’s Information Security Program is managed by the Company’s Chief Information and Operations Officer ("CIOO") and Chief Information Security Officer ("CISO").
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The current CIOO has over 30 years of experience in senior leadership positions in the areas of information technology, technology innovation and enterprise architecture, and has been recognized for various technology and leadership awards. The current CISO reports to the CIOO and has extensive experience in information security both at Pathward and at other companies as well as many years of executive management experience.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The CISO regularly reports to executive management, the Risk Committee of the Board of Directors (the “Board Risk Committee”) and the Board of Directors regarding all aspects of information security including cybersecurity risk and incidents. The Information Technology Committee and Executive Risk Committee provide governance and oversight of the Information Security Program. These Committees convene at least four times annually, reporting significant activities and issues upward to the Board Risk Committee and the Board of Directors as necessary.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true