As Webster Bank marches toward the $100 billion-asset threshold that would make it a Category IV bank, the lender is stepping up its hiring efforts and fortifying its cybersecurity infrastructure.
To prepare for crossing that line, the Stamford, Connecticut-based regional bank – which now counts about $80 billion in assets – is investing to bolster its risk and compliance infrastructure, and readying for higher capital and liquidity requirements, as well as more regulatory reporting.
The bank is also approaching the milepost with cybersecurity top of mind, since the Category IV designation heightens expectations around the use and collection of data, said Vikram Nafde, the bank’s chief information officer.
“What we have to do for that is a series of things in the space of data, cybersecurity, but also digital and the regulatory reporting,” Nafde said during a recent interview. “There’s a big component of technology … as we get closer and closer to the $100 billion mark.”
To that end, the bank is hiring with an eye toward strengthening its risk framework and controls, Nafde said. Webster will also hire for new data-related roles, including those concerning data collection, storing and governance, and continues hiring for cybersecurity roles, he said.
The bank, which has close to 4,300 employees, plans to hire about 200 people this year. Of that number, about 25 will be hired for technology and cybersecurity roles on the IT team, said Nafde, who’s been at the bank since 2020 and became CIO in 2022.
Although there’s chatter that the $100 billion barrier may go away, given calls for tailoring and expectations of regulatory relaxation under the Trump administration, Webster CEO John Ciulla said during a March 5 conference appearance “that’s not our base case [although] it might get less onerous.”
Still, the possibility of change has led the bank to be thoughtful in building out its capabilities, executives indicated.
About three-quarters of Webster’s Category IV-related expenses shareholders “would want us to do anyway, to build a more resilient and more industrialized bank,” Ciulla said.
The other 25% “are a little bit regulatory check-the-box,” so the bank is trying to stagger those expenses, so that if the $100 billion barrier goes away or the requirements for becoming a large bank change, Webster can defer some of those expenses, he said.
As it becomes Category IV-ready, the bank expects to add between $40 million and $60 million in run rate operating expenses over the next several years, Webster CFO Neal Holland said during the bank’s most recent earnings call. The lender expects 2025 expenses to total around $1.4 billion, and Nafde said the bank’s tech spending will be higher this year than last.
As the bank beefs up to accommodate growth, cybersecurity remains a top priority across the business, Nafde said. Webster maintains a “defense in-depth” strategy to ward off threats, assuming a breach posture rather than simply relying on prevention measures.
Increasingly, the bank is applying zero-trust principles – referring to a security strategy that focuses on strict controls and continuous authentication – and zeroing in on data loss prevention, to keep sensitive information from being leaked, he said.
“We have various tools layered in to make sure we have the right cyber posture,” Nafde said.
Patty Voight, Webster’s chief information security officer, said the bank also engages in ongoing awareness and training with colleagues, customers and third-party vendors Webster works with.
As the bank constantly assesses its third- and fourth-party ties, it considers what kind of information is stored with them, and employs rigorous protocols with new partnerships, Nafde said.
“Because risk is out there, a passive approach is not going to work,” he said.
Investments the bank is making for its Category IV move put it in a “position of optionality,” Ciulla said. If mergers and acquisitions become easier from a regulatory standpoint, the bank will be ready with the right technology, risk and data infrastructure for a whole-bank acquisition in a year, or two or three, he said.
For now, Webster is focused on tuck-in acquisitions that can strengthen the bank’s deposit and fee franchise. The bank’s last deal was its 2023 purchase of Ametros, a custodian and administrator of medical funds from insurance claim settlements. Webster is interested in businesses that would further enhance its healthcare vertical, Ciulla said last week.
The lender’s move to the cloud makes acquisitions far easier to integrate, Nafde noted.
The bank is “essentially done” with that migration, having transitioned every business application to the cloud, and is in the process of shutting down data centers, he said. Being able to do M&A more nimbly is one of the perks of that move, he added.
“The longest pole in the tent used to be, how can we get the data centers to connect and all the systems to work?” Nafde said, but today “lots of these smaller companies grew up in the cloud age.”
