GUARANTY BANCSHARES INC /TX/ - (GNTY)
10-K Filing Date: March 14, 2024
Cybersecurity Risk Management and Strategy
Our enterprise risk management program is designed to identify, assess, and mitigate risks across various aspects of the Company, including financial, operational, regulatory, reputational, and legal. Given the increasing reliance on technology and the potential for cyber threats, information security (including cybersecurity) is a critical component of this program. Our Chief Information Security Officer (“CISO”) is primarily responsible for this cybersecurity component and is a key member of the enterprise risk management organization, which is overseen by our Chief Risk Officer. As discussed below, our CISO reports periodically throughout the year to the Technology Committee and our board of directors on cybersecurity related risks, threats, and our responses.
Cybersecurity risks are constantly evolving and becoming increasingly pervasive across all industries. To mitigate these risks and protect sensitive customer data, financial transactions, and our information systems, Guaranty has implemented comprehensive cybersecurity practices. Key components of the cybersecurity program include the following:
The Bank leverages in-house resources and third-party service providers to implement and maintain processes and controls to manage identified risks.
Our Vendor Management program is designed to ensure that our vendors meet our cybersecurity requirements. This includes conducting periodic risk assessments of vendors, requiring vendors to maintain appropriate cybersecurity controls and monitoring vendor compliance with our cybersecurity requirements.
The Bank’s risk management program and strategy are designed to ensure confidential information and information systems are appropriately protected from a variety of threats, both natural and man-made. Periodic risk assessments are performed to validate control requirements and ensure that the Bank’s information is protected at a level commensurate with its sensitivity, value, and criticality. Preventative and detective security controls are employed on all media where information is stored, the systems that process it, and infrastructure components that facilitate its transmission to ensure the confidentiality, integrity, and availability of Bank and customer information. Minimally, these controls include identity and access management, data encryption, data loss prevention, incident response, security monitoring and alerting, third party risk management, and vulnerability management.
The Bank’s risk management program and strategy are regularly reviewed and updated to ensure that they are aligned with the Bank's business objectives.
Risks from Cyber Threats
Like many businesses, the Bank faces numerous cybersecurity risks in connection with providing services to our customers. Guaranty does not currently believe that any current or previous cybersecurity threats have materially affected, or are reasonably likely to materially affect, the Bank, including its business strategy, results of operations, or financial condition. However, the sophistication of cyber threats continues to increase, and the Bank’s cybersecurity risk management and strategy may be insufficient or may not succeed in protecting against all cyber incidents. No cybersecurity program can anticipate every cyber threat and breach attempt, and there may be limits to the Bank’s ability to implement preventive measures against such breaches effectively and in a timely manner. For more information on how cybersecurity risk may materially affect the Bank’s business strategy, results of operations or financial condition, please refer to Item 1A Risk Factors.
Governance
Board of Directors Oversight
The Board of Directors is charged with overseeing the establishment and execution of the Bank’s risk management framework and monitoring adherence to related policies required by applicable regulations and statutes. Consistent with this responsibility, the Board may delegate some responsibilities to the Audit Committee. The CISO holds the primary day-to-day responsibility for the strategic, operational, and risk management components of cybersecurity. The Audit Committee, and the board through summary reports, receives updates on cybersecurity risks and incidents and the cybersecurity program through direct communication with the CISO. Additionally, awareness and training on cybersecurity topics is provided to the Board at least annually.
Management's Role
The Information Security department is responsible for implementing and maintaining the Bank’s Information Security program, which addresses cybersecurity risk management and cyber threats. The Information Security department consists of cybersecurity and information risk professionals who assess, identify, and manage cybersecurity risks. Information Security is led by the CISO, who reports directly to the Chief Financial Officer, with dotted-line reporting to the Audit Committee. Additionally, the CISO is a key member of the Technology Committee, which serves as the Bank’s managerial oversight and steering body for all information technology areas (including cybersecurity).
The Bank’s CISO has over 20 years of experience in cybersecurity across various verticals and brings a wealth of expertise to his role. His background includes extensive experience and certifications in all facets of information technology and information security. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. The Bank’s CISO remains informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. To assist the Information Security team in such knowledge acquisition, we subscribe to services that provide Bank personnel with alerts on security incidents and threats. Our CISO oversees the implementation of, and the processes for, regular monitoring of our information systems. This includes the deployment of advanced security measures and regular internal and external assessments to identify potential vulnerabilities. In the event of a cybersecurity incident, the information security incident response plan is activated. This plan includes immediate actions to mitigate the impact of the incident and to remediate it.