SIERRA BANCORP - (BSRR)
10-K Filing Date: March 22, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
Our cybersecurity risk management program, a critical component of our overall enterprise risk management program, is based on recognized cybersecurity industry frameworks and standards, including those of the National Institute of Standards and Technology, Center for Internet Security Controls, regulatory guidance, and other industry standards. These frameworks provide a risk-based model for organizations to identify and manage cyber risks inherent to their business model.
Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse our systems or information. Using people, processes, and technology, we employ a variety of preventative and detective tools designed to monitor, alert, contain, and/or block suspicious activity. We implement controls designed to mitigate cyber risk, including ongoing education and training for employees and customers, preparedness simulations and tabletop exercises, and recovery and resilience tests. We actively monitor email for malicious phishing campaigns and monitor remote connections. Additionally, we maintain a third-party risk management program designed to identify, assess, and manage risks, including cybersecurity risks, associated with external service providers.
Our Incident Response Plan, coordinated through the Senior Information Security Officer, provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification and escalation. The Incident Response Plan includes key members of executive and senior leadership, facilitates coordination across multiple parts of our organization, and is evaluated regularly.
We perform regular assessments of our infrastructure, software systems, and network architecture, using internal cybersecurity experts and third-party specialists, and engage independent auditors to periodically review our cybersecurity program, including our processes, systems, and control effectiveness, and provide recommendations to continuously strengthen our program. Additionally, management conducts both bottom-up and top-down enterprise risk assessments, which include cybersecurity risk, and continuously monitors industry and government threat intelligence to identify emerging risks and ensure continued program effectiveness. For additional discussion on cybersecurity risk, see Item 1A. Risk Factors, section 1.08 “Unauthorized disclosure of sensitive or confidential information, whether through a cyber-attack, or breach of our computer systems or any other means, severely harm our business.”
Governance
The Senior Information Security Officer, Director of Information Technology (IT), and Director of Information Services are responsible for managing our cybersecurity risk program. The Director of IT and Director of Information Services report to the Chief Administrative Officer and are responsible for designing and maintaining the company’s network security architecture, as well as the day-to-day management of key components of our cybersecurity risk program, including identity access management, vulnerability and patch management, intrusion prevention systems, and threat intelligence. The Senior Information Security Officer (ISO) reports to the Chief Risk Officer and provides guidance, oversight, monitoring, and challenge of first line activities. The ISO is responsible for the development and management of our information security program, which includes cybersecurity risk assessments, incident response, third-party risk management, and testing of first line activities.
Our Board of Directors and Executive Officer Committee have delegated oversight authority to a management-level IT/Operations Committee, which is comprised of executive and senior management leadership with cybersecurity technical and/or regulatory expertise. The IT/Operations Committee meets quarterly and has primary responsibility and oversight for risk management strategies related to technology, information security, cybersecurity, fraud, privacy, business continuity, and resilience. The ISO and Director of IT present Information Security and Information Technology reporting, including updates on the external threat environment and our cybersecurity program, including our performance in identifying, preventing, detecting, mitigating, and remediating cybersecurity threats. This information is subsequently reported up to the Board Risk Committee.
The Board Risk Committee is responsible for oversight of the Company’s enterprise risk management program, which encompasses information technology, information security and cybersecurity. This includes management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. The Board Risk Committee also oversees and establishes risk appetite guidance through the approval of policies and programs, including the information security and cybersecurity programs. Annual independent assessments of the Company’s cybersecurity program, which are completed by external parties with the required expertise, are also presented to the Board Risk Committee. The Chief Administrative Officer and Chief Risk Officer report to the Board and/or Board Risk Committee on cybersecurity risks and other matters reviewed by the IT/Operations Committee. Senior officers from IT or Information Security discuss cybersecurity matters that arise between Committee and Board meetings with the Chief Administrative Officer and/or the Chief Risk Officer, who share these with the Company’s Executive Officers and Board members, as appropriate.