First Internet Bancorp - (INBK)

10-K Filing Date: March 13, 2024
Item 1C. Cybersecurity

We believe that cybersecurity and the protection of data and customer information in our possession, custody or control is of paramount importance to our business. We have therefore designed and implemented a framework of policies, programs and procedures (the “Information Security Program”) intended to protect the confidentiality, integrity, and availability of our critical systems and information, including customer information. The Information Security Program is informed by interagency guidance issued by banking regulators as well as the FFIEC Information Security Booklet and Cybersecurity Assessment Tool. This does not imply that we meet any particular technical standards, specifications, or requirements, but rather that we use the guidance to help us identify, assess, and manage cybersecurity risks relevant to our business.

Cybersecurity Risk Management and Strategy

Our Information Security Program is aligned to the Company’s business strategy. It shares common methodologies, reporting channels and governance processes that apply to other areas of enterprise risk, including legal, compliance, strategic, operational, and financial risk. Key elements of our Information Security Program include:

• risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise information technology environment;
• internal testing of our security controls and our response to cybersecurity incidents;
• the use of external service providers to assess, test or otherwise assist with aspects of our security controls;
• training and awareness programs for all employees that include periodic and ongoing assessments to drive adoption and awareness of cybersecurity processes and controls;
• a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents;
• maintenance and regular testing of a Business Continuity Plan that includes redundant back-up systems for all critical functions;
• a physical security program that is tested regularly;
• obtaining and maintaining appropriate insurance and indemnification for cybersecurity incidents, including insurance to cover cybersecurity incidents affecting third party vendors and service providers; and
• a third-party risk management program for service providers, suppliers, and vendors that provides for the assessment, monitoring and management of cybersecurity risk presented by the Company’s use of such third parties.

In the last three fiscal years, the Company has not experienced any material cybersecurity incidents, and expenses incurred from cybersecurity incidents were immaterial. For a discussion of whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, refer to Item 1A.

Cybersecurity Governance

Our Board of Directors stays apprised of and oversees the Company’s technology risk and cybersecurity, and receives updates from the Company’s Information Security Officer (“ISO”) on a quarterly basis. The Board has also delegated certain specific responsibility for overseeing cybersecurity threats, among other things, to its Audit and Risk Committee. Our ISO and Chief Risk Officer provide the Audit and Risk Committee and the Company’s internal Enterprise Risk Management Committee with periodic reports on our cybersecurity risks and cybersecurity incidents, if any. The Board and the Audit and Risk Committee have appropriate expertise in planning for and dealing with cybersecurity threats. Specifically, and without limitation, David Becker, Ann Dee and Justin Christian all possess specific expertise in this area.

The Audit and Risk Committee and the entire Board review and approve the Company’s Information Security Policy, Incident Response Policy, Third Party Risk Management Policy, Risk Appetite Statement and other relevant policies on at least an annual basis. Our ISO, who has over twenty-five years of experience in the system, network, and cybersecurity space, is responsible for implementing the Information Security Program alongside our Chief Information Officer. The ISO and Chief Information Officer both serve on the Enterprise Risk Management Committee, which is chaired by our Chief Risk Officer. They are supported by our team of technology professionals, who are responsible for information technology security monitoring and for managing the controls designed to identify, detect, protect against, respond to and recover from cybersecurity threats and cybersecurity incidents. The Company engages in a continuous risk monitoring process that seeks to identify the likelihood and impact of internal and external threats to our information security systems and data, and assesses the sufficiency of the controls in place to mitigate these threats to acceptable levels on a risk-based basis. Incidents are reported to and handled under our Incident Response Policy, which designates an incident response team and includes procedures and processes to identify, assess, respond to, mitigate and report on cybersecurity incidents.