REPUBLIC BANCORP INC /KY/ - (RBCAA)
10-K Filing Date: March 14, 2024
Risk management and strategy
The Company employs a multi-layered approach in an effort to assess, identify and manage risks from cybersecurity threats:
1. Risk Assessment: On a regular basis, the Company conducts assessments to identify potential cybersecurity threats and vulnerabilities within our systems and networks. This includes evaluating the impact of potential breaches and the likelihood of occurrence.
2. Security Measures: The Company has implemented various security measures, such as firewalls, encryption, intrusion detection systems, and access controls, to mitigate potential risks. Further, the Company also regularly updates software and security protocols to stay ahead of emerging threats.
3. Employee Training: The Company provides associates with cybersecurity training and awareness programs. These initiatives are intended to help employees recognize and respond appropriately to potential threats such as phishing attempts or social engineering. This includes conducting tabletop exercises, fostering preparedness and effective response within the Company.
4. Incident Response Plan: The Company has established an incident response plan in an effort to address and contain any breaches or cybersecurity incidents. This plan includes defining roles, responsibilities, and steps to recover from any potential attack.
5. Regular Audits and Monitoring: The Company conducts periodic audits and continuous monitoring of systems intended to detect anomalies or potential security breaches. This involves using advanced tools to monitor network traffic and behavior for suspicious activity.
6. Disclosure and Transparency: The Company has implemented policies and procedures related to disclosing its cybersecurity risks and management strategies in its annual report, SEC filings, or other regulatory filings, providing investors with an understanding of the potential impact on the Company’s operations and financials.
This multi-layered approach has been integrated into the Company’s overall risk management system and processes. Integrating cybersecurity risk management into the overall risk management system demonstrates the Company’s commitment to addressing threats that could significantly impact its operations, financial stability, and reputation. This integration is intended to provide a holistic approach to risk management and helps in creating a more resilient organization against cybersecurity threats.
The Company, as an integral aspect of its regular operations and risk management processes, engages third-party entities and service organizations. The Company evaluates and selects these external partners through its due diligence process. This scrutiny is intended to provide alignment with the Company’s standards for security, reliability, and compliance. Additionally, the Company engages third-party firms to augment the Company’s cybersecurity defenses, leveraging external expertise to mitigate and prevent potential threats. Furthermore, the Company maintains ongoing oversight and monitoring of these third parties in an effort to mitigate potential risks and provide continued adherence to established protocols in order to foster an ecosystem of trusted collaborations within its operational framework.
During the periods covered by this report, there were no cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. For a discussion of whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition, see Item 1A. Risk Factors – "The Company’s operations, including third-party and client interactions, are increasingly done via electronic means, and this has increased the risks related to cyber security," which are incorporated by reference into this Item 1C.
Governance
The Company’s Board of Directors (the “Board”) plays a pivotal role in overseeing risks arising from cybersecurity threats within the Company. The Board exercises oversight by adopting a Written Information Security Program, engaging in discussions, reviewing reports, and seeking updates on the Company’s cybersecurity posture. The Board’s Risk Committee oversees and monitors the Bank’s enterprise risk management practices. The Risk Committee assists the Company’s Board of Directors with monitoring the Company’s information technology and cybersecurity plans and policies, in addition to compliance with information security and technology risk management requirements, including reporting related to the SEC’s cybersecurity disclosure rules.
The Board is kept informed about cybersecurity issues through a structured and responsive communication process tailored to its needs. This involves updates provided by the Chief Information Security Officer (“CISO”) or other members of management during Board meetings or specific sessions dedicated to cybersecurity. Additionally, management reports to the Board on significant cyber incidents, emerging threats, and the effectiveness of existing security measures. The communication framework is intended to keep the Board informed about cybersecurity matters, allowing it to make informed decisions and provide strategic guidance to fortify the Company’s defenses against potential threats.
The Company employs a software platform designed for tracking, monitoring, and managing cybersecurity threats across its systems and networks. The platform serves as a centralized hub that aggregates data from various sources, allowing the cybersecurity team, led by the CISO, to take action to mitigate risks. This technological tool serves as a key component in the Company’s cybersecurity arsenal, enhancing its ability to monitor, analyze, and respond to evolving cyber threats.
In cases where cybersecurity threats are deemed significant or pose a potential risk to the Company’s operations, they are escalated to members of management who oversee cybersecurity matters. Depending on the nature and criticality of the threat, it may be escalated to executives such as the CISO, Chief Information Officer, Chief Risk Officer, Chief Financial Officer, General Counsel, or other relevant senior management personnel. These leaders possess the expertise and authority to assess the situation’s impact on the Company’s operations, finances, and reputation. Further, these leaders have over 15 years of experience in their respective fields of expertise. Upon receiving this information, they engage in deliberation and decision-making, collaborating with the cybersecurity team to formulate and execute an appropriate response plan, which may include elevating the matter to the Risk Committee, or the Board, if warranted. This hierarchical escalation process is intended to ensure that key decision-makers are properly informed, enabling appropriate actions to mitigate the identified cybersecurity risks.