GUARANTY BANCSHARES INC /TX/ - (GNTY)

10-K Filing Date: March 14, 2024
ITEM 1C. CYBERSECURITY.

Cybersecurity Risk Management and Strategy

Our enterprise risk management program is designed to identify, assess, and mitigate risks across various aspects of the Company, including financial, operational, regulatory, reputational, and legal. Given the increasing reliance on technology and potential cyber threats, information security (and by entailment cybersecurity) is a critical component of this program. Our Chief Information Security Officer (“CISO”) is primarily responsible for this cybersecurity component and is a key member of the enterprise risk management organization, which is overseen by our Chief Risk Officer. As discussed below, our CISO reports periodically throughout the year on cybersecurity-related risks, threats, and our responses to the Technology Committee and our board of directors.

Cybersecurity risks are constantly evolving and becoming increasingly pervasive across all industries. To mitigate these risks and protect sensitive customer data, financial transactions, and our information systems, Guaranty has implemented comprehensive cybersecurity practices. Key components of the cybersecurity program include the following:

A dedicated cybersecurity team working closely with our Information Technology team to cover all critical cyber defense functions such as engineering, data protection, vulnerability management, identity and access management, insider risk management, security operations, threat emulation and threat intelligence.
A risk assessment process that identifies and prioritizes material cybersecurity risks, identifies and evaluates the effectiveness of controls to mitigate the risks, and reports results to executive management and the Board of Directors.
A Managed Detection and Response (“MDR”) service, which provides an additional layer of around-the-clock security monitoring (including intrusion detection and alerting) for information systems.
A training program that educates employees about cybersecurity risks, how to protect themselves from cyberattacks, and encourages general awareness about cybersecurity threats and how to stay safe online.
An incident response plan, which is tested periodically and outlines the steps that will be taken to respond to a cybersecurity incident.

The Bank engages reputable third parties to conduct various independent assessments on a regular basis, including but not limited to security audits, vulnerability assessments, and various other testing.

The Bank leverages in-house resources and third-party service providers to implement and maintain processes and controls to manage identified risks.

Our Vendor Management program is designed to ensure that our vendors meet our cybersecurity requirements. This includes conducting periodic risk assessments of vendors, requiring vendors to maintain appropriate cybersecurity controls and monitoring vendor compliance with our cybersecurity requirements.

The Bank’s risk management program and strategy are designed to ensure confidential information and information systems are appropriately protected from a variety of threats, both natural and man-made. Periodic risk assessments are performed to validate control requirements and ensure that the Bank’s information is protected at a level commensurate with its sensitivity, value, and criticality. Preventative and detective security controls are employed on all media where information is stored, the systems that process it, and the infrastructure components that facilitate its transmission, to ensure the confidentiality, integrity, and availability of Bank and customer information. At a minimum, these controls include identity and access management, data encryption, data loss prevention, incident response, security monitoring and alerting, third-party risk management, and vulnerability management.

The Bank’s risk management program and strategy are regularly reviewed and updated to ensure that they are aligned with the Bank's business objectives.

Risks from Cyber Threats

Like many businesses, the Bank faces numerous cybersecurity risks in connection with providing services to our customers. Guaranty does not currently believe that any current or previous cybersecurity threats have materially affected, or are reasonably likely to materially affect, the Bank, including its business strategy, results of operations, or financial condition. Unfortunately, the sophistication of cyber threats continues to increase, and the Bank’s cybersecurity risk management and strategy may be insufficient or may not be successful in protecting against all cyber incidents. No cybersecurity program will be able to anticipate all cyber threats and breach attempts, and there may exist limitations to the ability to effectively implement preventive measures against such breaches in a timely manner. For more information on how cybersecurity risk may materially affect the Bank’s business strategy, results of operations or financial condition, please refer to Item 1A Risk Factors.
Governance

Board of Directors Oversight

The Board of Directors is charged with overseeing the establishment and execution of the Bank’s risk management framework and monitoring adherence to related policies required by applicable regulations and statutes. Consistent with this responsibility, the Board may delegate some responsibilities to the Audit Committee. The CISO holds the primary day-to-day responsibility for the strategic, operational, and risk management components of cybersecurity. The Audit Committee, and the board through summary reports, receives updates on cybersecurity risks and incidents and the cybersecurity program through direct communication with the CISO. Additionally, awareness and training on cybersecurity topics are provided to the Board at least annually.

Management's Role

The Information Security department is responsible for implementing and maintaining the Bank’s Information Security program, which addresses cybersecurity risk management and cyber threats. The Information Security department consists of cybersecurity and information risk professionals who assess, identify, and manage cybersecurity risks. Information Security is led by the CISO, who reports directly to the Chief Financial Officer, with dotted-line reporting to the Audit Committee. Additionally, the CISO is a key member of the Technology Committee, which serves as the Bank’s managerial oversight and steering organization for all information technology areas (including cybersecurity).

The Bank’s CISO has over 20 years of experience in cybersecurity across various verticals. Our CISO brings a wealth of expertise to his role. His background includes extensive experience and certifications in all facets of information technology and information security. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. The Bank’s CISO remains informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. To assist the Information Security team in such knowledge acquisition, we subscribe to services that provide Bank personnel with alerts on security incidents and threats. Our CISO oversees the implementation and processes for regular monitoring of our information systems. This includes the deployment of advanced security measures and regular internal and external assessments to identify potential vulnerabilities. In the event of a cybersecurity incident, the information security incident response plan is enacted. This plan includes immediate actions to mitigate the impact of, and remediate, the incident.