RED RIVER BANCSHARES INC - (RRBI)
10-K Filing Date: March 14, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Our ERM program is designed to identify, assess, and mitigate risks across our Company, including financial, operational, reputational, strategic, legal, liquidity, and credit risks. Cybersecurity is a critical component of this program because it is necessary for supporting our business and protecting our customers in an increasingly complex environment. The cybersecurity component of our ERM program is built around the FFIEC Information Security IT Examination Handbook, the FFIEC Business Continuity Planning Handbook, and the FFIEC Cybersecurity Assessment Tool, and is designed to protect the security, availability, integrity, and confidentiality of our computer systems, networks, software, and information assets, including client and other sensitive data. Cybersecurity is an ongoing initiative that we monitor very closely. Threats to data security emerge and change rapidly. Cyber threats could include attacks that are common to most industries, such as ransomware attacks, unauthorized access, tampering, malware insertion, or other system integrity events, but could also include attacks from highly organized perpetrators targeting financial services companies.
The cybersecurity component of our ERM program consists of several elements including:
• A risk assessment process that identifies and prioritizes material cybersecurity risks, defines and evaluates the effectiveness of controls to mitigate the risks, and reports results to executive management and the board of directors.
• A third-party managed detection and response service, which monitors the security of our information systems around the clock, including intrusion detection and alerting.
• A dedicated information security team covering all critical cyber defense functions such as engineering, data protection, identity and access management, insider risk management, security operations, threat emulation, and threat intelligence.
• A training program that educates employees about cybersecurity risks and how to protect themselves from cyberattacks.
• An awareness program that keeps employees informed about cybersecurity threats and how to stay safe online.
• An incident response plan that outlines the steps we will take to respond to a cybersecurity incident, which is tested on a periodic basis.
We expect each of our employees to be responsible for the security and confidentiality of our client information and our computer systems. We communicate this responsibility to each employee upon beginning employment with us and regularly throughout their employment. We require new hires to complete training on cyber-crime, social engineering, and cybersecurity awareness, and we also require this training during each year of employment thereafter. Employees are tested on their understanding of these requirements and provide acknowledgement of their responsibilities.
Additionally, we regularly provide employees with information security awareness training covering the recognition and appropriate handling of potential phishing emails, which can introduce malware to our network, result in the theft of user credentials, and place sensitive data at risk. We regularly test employees to determine their susceptibility to phishing emails and require those more susceptible employees to take additional training.
We protect our network and information assets with industry-tested security products and processes. Our information security team actively monitors our networks and systems to detect suspicious or malicious activity. We also conduct vulnerability scans to determine areas that need improvement. Our cybersecurity team maintains its current knowledge through training, obtaining professional certifications, and participating in industry groups. Our information security team expands and tests its knowledge of cyber threats through on-the-job training and periodic simulated exercises to practice responses to potential real-life threats. We also engage expert cyber consultants, as necessary and appropriate.
We engage in regular assessments of our infrastructure, software systems, and network architecture, using both our internal information security team as well as third-party consultants to ensure that cybersecurity risks are appropriately identified and that controls are appropriately designed to mitigate such risks. We also maintain a third-party risk management program designed to ensure that our vendors meet our cybersecurity requirements. This includes conducting periodic risk assessments of vendors, requiring vendors to implement appropriate cybersecurity controls, and monitoring vendor compliance with our cybersecurity requirements.
While cybersecurity risks have the potential to materially affect our business, financial condition, and results of operations, we do not believe that risks from cybersecurity threats or attacks, including as a result of any previous cybersecurity incidents, have materially affected us, including our business strategy, results of operations, or financial condition. For further discussion of risks from cybersecurity threats, see “Item 1A. Risk Factors” in this Report.
Governance
Our IT Director and ISO are primarily responsible for the cybersecurity component and are key members of the ERM program, reporting directly to the Chief Operating Officer and Chief Executive Officer, respectively. Both our IT Director and ISO engage with our information security team to accomplish the goals of the cybersecurity component of our ERM program. The information security team consists of information security professionals with varying degrees of education and experience. In particular, our IT Director and ISO are both qualified professionals with appropriate education, experience, and professional certifications. Each has more than 20 years of experience in the fields of IT and data security and holds relevant professional certifications that ensure expertise in preventing, detecting, and managing cyber risk.
Our board of directors has approved management committees, including the OTC, to provide operational risk oversight for information security risks. The IT Director is the chair of the OTC, and the ISO is a member of the OTC. The OTC generally meets quarterly to provide oversight of the risk management strategy, standards, policies, practices, and mitigation and prevention efforts employed to manage security risks. It also ensures that our internal control infrastructure is appropriate and commensurate with the growth of, or changes to, our information systems and processes. More frequent meetings may occur as needed to facilitate timely communication and monitoring efforts.
In the event of a cybersecurity incident, the IT Director and ISO would become aware of the incident or potential incident through their own detection, detection by us, detection by a third-party consultant, or, in the case of a cybersecurity incident occurring on a system administered by a third party, through notification from that third party. Upon becoming aware of a cybersecurity incident or a potential cybersecurity incident, the IT Director and the ISO, in collaboration with the information security team, other employees, and external consultants as needed, would work to mitigate any impact of the incident or potential incident. The IT Director and the ISO would also inform the OTC of an incident or potential incident.
Our board of directors has ultimate authority and responsibility for overseeing our ERM program, including risks related to cybersecurity. Our board oversees our ERM program through the Bank’s board, which meets monthly with the exception of August and November. The Bank’s board reviews all minutes of the OTC and also receives a report at each meeting regarding cybersecurity risk levels and performance regarding various information security metrics.