CapStar Financial Holdings, Inc. - (CSTR)

10-K Filing Date: March 12, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity is a high-priority item for legislators and regulators at the federal and state levels, as well as internationally. State and federal banking regulators have issued various policy statements and, in some cases, regulations, emphasizing the importance of technology risk management and supervision. These policy statements and regulations indicate that financial institutions should design multiple layers of security controls to establish lines of defense and to ensure that their risk management processes also address the risk posed by compromised customer credentials, including security measures to reliably authenticate customers accessing internet-based services of the financial institution. For example, a financial institution’s management is expected to maintain sufficient business continuity planning processes to ensure the rapid recovery, resumption and maintenance of the institution’s operations after a cyberattack involving destructive malware. Additionally, financial institutions are expected to develop appropriate processes to enable recovery of data and business operations and address rebuilding network capabilities and restoring data if the institution or its critical service providers fall victim to cyberattacks.

There are a number of state and federal laws and regulations that govern financial privacy and cybersecurity. At the federal level, this includes the privacy protection provisions of the Gramm-Leach-Bliley Act (“GLBA”) and related regulations, including Regulation P, which govern the treatment of nonpublic personal information. Under these privacy protection provisions, we are limited in our ability to disclose non-public information about consumers to nonaffiliated third parties. These limitations require disclosure of privacy policies and notices to consumers and, in some circumstances, allow consumers to prevent disclosure of certain personal information to a nonaffiliated third party. Consumers also must be notified in the event of a data breach under applicable state laws. On April 1, 2022, a final rule issued by federal financial regulatory agencies became effective; that rule imposes upon banking organizations and their service providers notification requirements for significant cybersecurity incidents. Specifically, the rule requires banking organizations to notify their primary federal regulator as soon as possible and no later than 36 hours after the discovery of a “computer-security incident” that rises to the level of a “notification incident” as those terms are defined in the rule. Banks’ service providers are required under that rule to notify any affected bank to or on behalf of which the service provider provides services “as soon as possible” after determining that it has experienced an incident that materially disrupts or degrades, or is reasonably likely to materially disrupt or degrade, covered services provided to such bank for as much as four hours.


Additionally, effective December 9, 2022, the FTC’s amendments to the GLBA’s Safeguards Rule went into effect. That rule requires financial institutions to: (i) appoint a qualified individual to oversee and implement their information security programs; (ii) implement additional criteria for information security risk assessments; (iii) implement safeguards identified by assessments, including access controls, data inventory, data disposal, change management, and monitoring, among other things; (iv) implement information system monitoring in the form of either “continuous monitoring” or “periodic penetration testing”; and (v) implement additional controls, including training for security personnel, periodic assessment of service providers, written incident response plans, and periodic reports from the qualified individual to the board of directors. Additionally, multiple states and Congress are considering laws or regulations which could create new individual privacy rights and impose increased obligations on companies handling personal data.

Risk management and strategy.

In the ordinary course of business, we rely on electronic communications and information systems to conduct our operations and store sensitive data. “Information systems” means electronic information resources that we own or use, including physical or virtual infrastructure controlled by these information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the information necessary to maintain or support our operations. Because cybersecurity threats continue to evolve, we have been required and may continue to be required to expend significant resources to continue to implement, modify or enhance our protective measures or to investigate and remediate any information security vulnerabilities. Financial expenditures may also be required to meet regulatory changes in the information security and cybersecurity domains. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as the expanding use of internet banking, mobile banking and other technology-based products and services by us and our customers. See “Item 1A. – Risk Factors” in this Report for a further discussion of risks related to cybersecurity.

To address cybersecurity threats (defined as potential unauthorized occurrences on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of those systems or any information residing therein), we have implemented an incident response policy (“IRP”), which includes our cybersecurity policy, plan, and associated playbooks. The IRP is a component of our overall enterprise risk management and business continuity frameworks. We employ an in-depth, layered, defensive approach that leverages people, processes and technology to manage and maintain cybersecurity controls. We also employ a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity relative to our information systems, as well as to report on any suspected advanced persistent threats. The IRP is designed to allow for the detection of, and timely and efficient recovery from, cybersecurity incidents (defined as unauthorized occurrences, or a series of related unauthorized occurrences, on or conducted through our information systems that jeopardize the confidentiality, integrity, or availability of those systems or any information residing therein) and events by providing a well-defined, organized approach for handling any potential threats to the confidentiality, integrity, and/or availability of our information systems.

The IRP generally is overseen by our Incident Response Team (“IRT”), which has designated an Incident Response Team Coordinator (“IRTC”). The IRTC is responsible for maintaining the IRP as well as testing and reporting to the appropriate internal committees, and to our Board and its designated committee. Our Information Security Officer is the primary IRTC; however, if necessary, we may assign the specific IRTC duties to a different staff member (technical staff or an outsourced vendor, if appropriate) for specific matters.

We contract with a third-party vendor who monitors our information systems for suspicious activity, such as unauthorized intrusions. Suspected or confirmed threats, incidents, or events, however, also may be reported by bank employees, customers, intrusion detection systems, third-party servicers, or government entities. Once reported, cybersecurity incidents are to be brought to the attention of the IRTC.

After receiving notice of a cybersecurity incident, the IRTC is responsible for investigating the threat to determine whether an actual incident has occurred and, if so, whether a more thorough assessment by the entire IRT is appropriate. During these assessments, steps may be taken to isolate affected systems. Outside advisors may be employed regarding the cybersecurity threat, including to conduct legal and forensic investigations and to work with other third parties who might be engaged to assist in any response and associated publicity.


During or at the conclusion of an assessment of a cybersecurity incident, we will respond to the incident. The response will vary based upon the severity of the incident or event. In determining the level of response, we have identified four general classification levels for incidents. Incident and risk event levels each range from no (or low) risk to high risk. The determination of the incident and risk level will dictate the level of personnel that will be responsible for addressing the incident, controlling the effects of the incident and formulating the response to the incident. Responses may include, when appropriate and/or required, notification to regulatory agencies (e.g., FDIC, FinCEN, SEC), authorities (e.g., FBI, Department of Justice), customers, third parties or internal personnel.

The IRT is responsible for providing an orderly response to security incidents and risk events; preventing a serious loss of profits, public confidence, or information assets by providing an immediate, effective, and skillful response to any unexpected event which negatively impacts the confidentiality, integrity, and/or availability of our systems, network, or the non-public personal information of our customers, interruptions to customers’ experiences, or other anomalous situations; taking the steps it deems necessary to contain, mitigate, or resolve a security incident or risk event; and investigating suspected security incidents and risk events in a timely and cost-effective manner, reporting findings to management, determining an appropriate course of action, and coordinating communications to customers, regulatory authorities, and law enforcement agencies as necessary. Investigations at the lowest level of risk are coordinated by the IRTC. The IRT has increasing levels of responsibility and involvement in the next three levels of risk.

Following a cybersecurity incident, and during its investigation and the formulation of a response, our processes also envision measures designed to contain and/or eradicate the incident and prevent further effects. Once it is determined that the incident has been resolved, we then work to establish appropriate controls (if applicable) to address similar future events and/or prevent another similar event from occurring in the future. To date, we have not experienced any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition.

Governance.

As indicated above, reports of cybersecurity incidents initially are to be brought to the attention of the IRTC, who determines the extent of involvement of the IRT. The IRT consists of the following core members, who are to be included in the investigation of all cybersecurity incidents:

IRT

Information Security Officer - Lead

Chief Operations Officer

Director of Information Technology

Chief Risk and Compliance Officer

Lead IT Systems Specialist

Depending upon the type of incident or event, representatives from other areas of the Company (e.g., senior executives such as our Chief Financial Officer and Chief Executive Officer, Legal/Compliance, Corporate Security, Internal Audit, Human Resources, Directors of Banking and Mortgage, Corporate Communications) may be included on any of these teams from time to time for a particular investigation/response.

The principal management personnel that are responsible for the assessment and management of our cybersecurity risks include:

Position: Information Security Officer

Relevant Expertise:

18 years’ experience in banking, with emphasis in fields such as Merchant Service Provider, Electronic Banking, Security, IT Help Desk, BSA, Vendor Management, and Internal Audits with the Compliance Officer.

10 years (2006-2016) of work and experience in Disaster Risk and Business Continuity Planning, along with Incident Response Planning. Formulated Continuity Planning and Disaster Recovery Plans for the financial institution with 8 branches.

4 years as Merchant Services Provider, ensuring more than 400 merchant card terminals were brought up to PCI Compliance Standards for Security at the merchant level.

3 years of Branch Incident Security monitoring, including security video monitoring and reporting of incidents.

Position: Director of Information Technology

Relevant Expertise:

Total of over 30 years’ experience in Information Technology and Information Security in financial institutions.

19 years’ previous experience, prior to the CapStar merger, with the merged organization, with responsibilities overseeing information technology and information security.

Previously certified as a community bank technology officer.

Five years’ previous experience in auditing, including information technology and information security, with two other financial institutions.

Three years’ previous experience as a Tennessee bank regulator, where responsibilities included IT and Information Security examinations.

As part of its oversight responsibilities over the Company’s risks and controls, the Board ultimately is responsible for overseeing our cyber and information security risks, including our program for GLBA compliance. The Board has delegated this responsibility to its Risk Committee. The highest-level rated incidents are brought immediately to the attention of the Chair of the Board and/or the Chair of the Risk Committee. At each regular meeting of the Risk Committee, our Information Security Officer (“ISO”) reports to the Risk Committee regarding any level one through three (non-critical to medium) threats, as well as security testing, training, audits, key cybersecurity metrics, and our efforts to identify, prepare for, prevent, and respond to critical threats. The Risk Committee receives regular updates on the status of our information security program, penetration testing results, infrastructure assessments, the threat environment, security operations, operational events, vendor and supply chain security, and application/data security.