CITIZENS HOLDING CO /MS/ - (CIZN)
10-K Filing Date: March 29, 2024
Cybersecurity
Risk Management and Strategy
General. The Company’s information security program, including its processes with respect to cybersecurity, is focused on protecting our systems, networks, and data from unauthorized access by a third party. Concerns about cybersecurity risks impact, at some level, every facet of the Company’s operations, from the way we structure the services we offer, to how we communicate with our customers, to our interactions with and training of employees, and to the expenditures we make when expanding and enhancing our technological infrastructure. We expect this to continue to be the case as cybersecurity threats, and the means to respond to those threats, continue to evolve.
The Company has adopted a defense-in-depth philosophy that relies on multiple systems and processes to reasonably provide for the confidentiality, integrity, and availability of our systems, networks, and data. Features of our information security include:
•Documentation: We have written policies and procedures that delineate the roles and responsibilities of the Company’s Board of Directors, executive management, and other employees, as well as outside parties, with respect to the various aspects of the information security program. This documentation helps to align the entire information security program with our efforts to maintain the integrity of the Company’s cybersecurity. These policies and procedures are reviewed and updated at least annually.
•Separation of duties: Separation of duties means that, where appropriate, a task is designed to ensure that more than one person or group is responsible for its completion. We believe that separation of duties helps to prevent fraud, misuse, or other security compromise, and we apply this concept when we delegate administrative and oversight responsibilities to multiple groups for certain aspects of the information security program, including identity and access management, network management, system administration, policy oversight, monitoring, and alerting.
•The principle of least privilege: Access approval for the Company’s employees is coordinated between an employee’s manager, the Company’s human resources department and the Information Technology Service Desk. The goal is to give an employee access rights to our data, applications, and other information resources only to the extent necessary for the employee to perform the functions of the particular job. Any change in employment responsibilities that requires access changes is implemented using the same access approval procedures. Finally, all remote access into the Company’s networks must include approval by the Information Security Officer (which we refer to as the “ISO”).
•Vulnerability and patch management: The Company’s vulnerability management program includes internal and external scanning using third-party tools and services. Software patches are deployed based on the criticality of the vulnerability. Further, we track our performance in implementing patches, and if implementation timing falls below performance expectations, management will take steps to identify and remediate the root causes of implementation delays.
•Risk assessments: At least annually, management conducts risk assessments to assess the existence, severity and trends of cybersecurity risks and other risks that the Company’s information security program faces. The scope of an individual risk assessment can be the whole organization, parts of the organization, an individual information system, specific system components, or services.
•Log management: System security logs are consolidated in the Company’s Security Information and Event Management (SIEM) system and are reviewed by the Bank’s contracted Managed Security Service Provider, through both automated and manual processes, for anomalous behavior.
•Incident response: The incident response process is designed to, among other things, promptly elevate a cybersecurity threat or incident to the parties responsible for leading our efforts to identify, contain and mitigate the threat or incident, notify impacted customers or other third parties and comply with applicable law, regulations, and regulatory expectations.
•Employee training: Information security is an integral component of our employee training program. Training includes efforts to maintain security awareness among employees at all times by means of company-wide communications of cybersecurity risks or incidents.
The information security program applies to all the Company’s business lines and employees as well as to vendors and other third parties with access to the Company’s information systems or its confidential and proprietary information. Whenever we consider a new product or service to offer to our clients, a new means of offering or providing an existing product or service, or a new back-office process or procedure, the implications for the Company’s information security are required to be considered.
Our ISO leads the Company’s information security team. The Board of Directors oversees our information security team, receiving regular updates related to the material features of the information security program, our successes and failures in maintaining information security, emerging threats, and management’s proposed response thereto.
Strategy and Testing. As mentioned above, the Company employs a layered, defense-in-depth approach that leverages people, processes, and technology to manage and maintain cybersecurity controls. We also employ a variety of preventive and detective tools to monitor, block and provide alerts regarding suspicious activity and to report on any suspected threats. These controls include appropriate access controls based on least privilege, multifactor authentication for remote and privileged access, and encryption to protect data. The information security program is designed to comply with applicable laws and regulations and is driven by industry standards for financial institutions, including the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity Assessment Tool. We work closely with government and industry associations to stay abreast of developments and share best practices with respect to cybersecurity. The following paragraphs describe how we test, or otherwise obtain feedback about, the Company’s cybersecurity and other information security. The feedback we develop through testing and assessment, in addition to information about cybersecurity threats or incidents impacting other entities, is incorporated into the Company’s information security program to enhance our cybersecurity; in certain circumstances a new or emerging cybersecurity threat may require modifications to how we conduct business.
The Company’s information security team utilizes the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security version of the FFIEC Cybersecurity Assessment Tool to perform an annual assessment of our information security program. The assessment provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time. The assessment incorporates cybersecurity-related principles from the FFIEC Information Technology Examination Handbook and regulatory guidance, and concepts from other industry standards.
The assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. The Inherent Risk Profile identifies the institution’s level of inherent cybersecurity risk; the Cybersecurity Maturity part is designed to help management measure whether the institution’s controls are commensurate with that risk. Maturity levels range from baseline to innovative. Cybersecurity Maturity includes tests to determine whether an institution’s behaviors, practices and processes can support cybersecurity preparedness within the following five domains:
•Cyber risk management and oversight
•Threat intelligence and collaboration
•Cybersecurity controls
•External dependency management
•Cyber incident management and resilience
We also retain third parties to test the effectiveness of our cybersecurity efforts. Annually, we obtain independent third-party audits of the information security program, including program maturity and overall control effectiveness. Each year we engage a third-party security firm to conduct both external and internal penetration tests. The goal of these assessments is to discover vulnerabilities in the Company’s in-scope corporate networks. When testing reveals potential vulnerabilities in the Company’s security, management works to develop appropriate mitigation plans to resolve any outstanding issues; we also consider other recommendations to enhance our cybersecurity that these security firms may offer, implementing those that management concludes are appropriate within the context of the Company’s information security program and processes.
In addition to audits and testing by third party security firms, our information security program and infrastructure is subject to supervision by the FDIC and the DBCF, including regular in-depth examinations by subject-matter experts from the FDIC and DBCF. The laws and regulations that these regulators administer impose very high expectations on the Company with respect to its information security policies, procedures, processes, and controls. In particular, the Interagency Guidelines Establishing Information Security Standards (the “Guidelines”) require us to implement a comprehensive written information security program that includes administrative, technical and physical safeguards designed to (1) ensure the security and confidentiality of customer information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and (4) ensure the proper disposal of customer information and consumer information. We also must comply with the information sharing requirements and restrictions enacted pursuant to the GLBA. The regulators’ supervision of the Company is designed to ensure, among other things, that our information security program meets all the standards set forth in the Guidelines and that we operate in compliance with the GLBA and all other applicable information security laws and regulations. Finally, in addition to external scrutiny, our internal audit department reviews our compliance with the Guidelines, the GLBA and other laws and regulations, including those related to information security. If any of these examinations identify deficiencies or areas for improvement, the Company’s information security team works with management to act as promptly as reasonably possible to address the action items resulting from any such examination or review.
Diligence of Vendors and Other Third Parties. As noted above, the Company’s information security program applies to our vendors and other third parties (referred to collectively as “vendors”) with access to our information systems and networks and/or confidential and proprietary information. Before we grant access to the Company’s systems, or a vendor otherwise obtains access to the Company’s confidential and proprietary information, our information security team assesses the vendor’s information security program. We review the vendor’s information security policy (to the extent the third party is willing to provide a copy of such policy), information security audits, service organization reports and similar information; the team will also investigate the background, reputation and history of prior cybersecurity incidents of such vendor or other third party. If the information security team is not satisfied that the vendor’s information security infrastructure is adequate to reasonably protect the Company’s systems and confidential and proprietary information from unauthorized access, and there is no suitable solution to address the information security team’s concerns, then we will not engage such vendor.
The vendors we retain are also categorized by the level of risk that the vendor presents to us, of which information security risk is a component. The information security team annually reviews those vendors in the “high risk” category and periodically reviews other vendors. This review includes obtaining updated information security audits and service organization reports, where available, and otherwise analyzing whether the vendor’s cybersecurity risk profile has materially changed.
The information security team’s review process does not, and cannot, guarantee that a Company vendor will not suffer a cybersecurity incident that impacts us. Because a vendor’s information security may be breached, we also negotiate provisions in vendor contracts that address cybersecurity incidents. In addition to provisions that address the parties’ relative responsibility for damages resulting from a cybersecurity incident at a vendor, these contracts also typically include provisions to ensure that the Company receives timely and complete notification of a cybersecurity incident and cooperation in responding to it, so that we can assess the extent of the incident’s impact on the Company’s systems or information, mitigate any adverse effects arising from it, and comply with any customer or regulatory notification requirements and other legal, regulatory or contractual obligations.
Incident Response. For those situations where a cybersecurity threat or incident arises, whether internal to the Company or relating to one of its vendors, we have also organized an incident response team. The incident response team includes representatives from the information technology, operations, risk management, legal (including securities law counsel), privacy and finance departments, among others. In addition to meeting quarterly, the incident response team (or a subset of the team) gathers whenever there is a threatened or actual breach of the Company’s information security (whether involving an external actor or an internal party) to determine the nature and extent of the threatened or actual breach and, if appropriate, the steps to take in response thereto to protect the Company’s information security and mitigate any harm that has already occurred. The team is also responsible for ensuring the Company complies with legal and regulatory requirements (including notifying affected customers and regulators and making any filings required by the securities laws). The activities of our incident response team are reported to the Board’s Enterprise Risk Management Committee.
The Company also maintains a cyber insurance policy that provides cyber liability coverage.
Employee Training and Security Awareness. All employees are required to complete quarterly security awareness training programs. Courses within the training program include general cybersecurity best practices as well as a course specifically related to social engineering, email, and social media security. The Company also conducts routine internally focused exercises to help raise employee awareness of the risks associated with cybersecurity. For example, over the course of 2023, employees received at least one email per month designed to test employees’ ability to identify and avoid potential “phishing” emails, and those employees who fail this phishing test are assigned additional training. In addition, annually the Company’s incident response team engages in a cyber-attack tabletop exercise to train the incident response team in overcoming a simulated attack against The Citizens Bank’s payment systems and processes.
Governance and Oversight
Management Role. The Company takes a layered approach to the governance of its cybersecurity risk management. The first line of defense against cybersecurity risk is the Company’s information security team, led by the ISO. This team is primarily responsible for promptly identifying cybersecurity risks associated with our existing and anticipated operations, assessing the level of risk that each identified cybersecurity risk poses to us, and then controlling or mitigating that risk to the extent reasonably possible (in the context of the Company’s operations and resources, and competitive factors affecting how banks and other financial services companies conduct operations, among other things).
As the second line of defense, the efforts of our information security team to address cybersecurity risk are reviewed by the Chief Risk Officer, who oversees our enterprise risk management program. The Chief Risk Officer focuses on the quality of the Company’s risk management process in order to manage risks within acceptable tolerance levels. As it pertains to cybersecurity risk, the Chief Risk Officer challenges the processes that the information security team has implemented to identify, assess, control, and mitigate cybersecurity risk. The Chief Risk Officer collaborates with the ISO and other business unit owners impacted by our cybersecurity risk management practices to develop and monitor controls and other processes that mitigate identified risks.
As the third line of defense against cybersecurity risk, our Internal Audit Department, with the assistance of outside experts, annually reviews and tests the Company’s processes, including its policies, procedures, and controls, with respect to cybersecurity risk. The Internal Audit Department reports the results of its review, including the steps management intends to take to address any findings, to the Audit Committee of the Board of Directors.
Board Oversight. The Company’s Board of Directors oversees the risks related to our technological infrastructure, information security, cybersecurity, business continuity and disaster recovery programs.