MidWestOne Financial Group, Inc. - (MOFG)
10-K Filing Date: March 08, 2024
ITEM 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
The Company has established an information security program that uses a risk-based methodology to ensure the confidentiality, integrity, and availability of its information. The Board of Directors and the Enterprise Risk Management Committee set enterprise risk strategy and make risk-informed decisions, which includes assessment and response to cybersecurity risk. The Board has appointed an Information Security Officer (“ISO”) to oversee the program. The program utilizes a combination of automated tools, manual processes, and third-party assessments to identify and assess potential cybersecurity threats. The program is supported by an organization structure that reflects support from across the business. Program objectives and results are regularly reported to the Enterprise Risk Management Committee, Audit Committee, and Board of Directors.
The Company conducts risk assessments and compliance audits, both internally and by independent third parties for comparison against industry standards, including the National Institute of Standards and Technology (“NIST”) cybersecurity framework and Federal Financial Institution Examination Council (“FFIEC”) guidance. Risk assessment results are used to develop appropriate cybersecurity controls and risk mitigation strategies, which are implemented throughout the organization.
We maintain a cybersecurity incident response plan to help ensure a timely, consistent, and effective response to actual or attempted cybersecurity incidents impacting the Company. The plan includes considerations for (1) detection, (2) analysis, which may include timely notice to our Board if deemed material or appropriate, (3) containment, (4) eradication, (5) recovery and (6) post-incident review. In addition, we also maintain a formal information security training program for all employees that includes training on topics such as phishing and email security best practices. Employees are also required to complete regular training on data privacy.
While we have a cybersecurity program designed to protect and preserve the integrity of our information systems, the Company also maintains cybersecurity insurance to manage potential liabilities resulting from specific cyber-attacks. However, it's important to note that although we maintain cybersecurity insurance, there can be no guarantee that our insurance coverage limits will protect against any future claims or that such insurance proceeds will be paid to us in a timely manner. For further discussion of risks from cybersecurity threats, see the section captioned “Operational Risks” in Item 1A. Risk Factors.
We use third party partners to audit, assess, and test our cybersecurity program governance and control effectiveness on an annual basis. These engagements include an IT general controls review, internal and external penetration testing, social engineering testing, and incident response exercises. Findings and recommendations from these engagements are reported to the Enterprise Risk Management and Audit Committees.
We rely on our information technology systems and networks in connection with many of our business activities. Some of these networks and systems are managed by third-party service providers and are not under our direct control. The Company has implemented a third-party risk management program to manage the cybersecurity risks associated with its use of third-party service providers.
24
Cybersecurity Incidents
While we have no knowledge that we have experienced a cybersecurity incident that has had or is reasonably likely to have a material adverse impact on our operations or financial results as of the date of this Form 10-K, there can be no assurance that we will not encounter such an incident in the future, notwithstanding the cybersecurity measures and processes we have undertaken. Such incidents, whether or not successful, could result in our incurring significant costs related to, for example, remediating or restoring our internal systems or information, implementing additional threat protection measures, defending against litigation, responding to regulatory inquiries or actions, paying damages, providing customers with incentives to maintain a business relationship with us, or taking other remedial steps with respect to third parties, as well as incurring significant reputational harm. Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, which could subject us to additional liability and reputational harm. Cybersecurity threats are expected to continue to be persistent and severe.
Cybersecurity Governance
The Board and the Enterprise Risk Management Committee have oversight responsibility for our information security program and receive regular updates on the status of the program and any emerging threats or incidents with the potential to impact operations or financial performance. To ensure that the Board is fully informed about cybersecurity risks, the ISO provides regular reports to both the Board and the Enterprise Risk Management Committee. These regular reports include an overview of the Company's current cybersecurity risk assessment, key risk areas, and any significant cyber incidents that have occurred or are reasonably likely to occur. In addition, the Enterprise Risk Management Committee receives regular updates on cybersecurity trends and emerging threats from program management. Our Audit Committee also plays a role in overseeing the Company’s cybersecurity and information security program. The Audit Committee reviews final reports from third-party engagements and receives presentations at its meetings concerning cybersecurity risk and related issues. All members of the Board receive copies of Audit Committee reports.
Company management is responsible for assessing and administering the cybersecurity risk program. Specifically, the Chief Information Officer (“CIO”) and the ISO are responsible for the prevention, mitigation, detection, and remediation of cybersecurity incidents. The ISO has relevant expertise in cybersecurity, with 18 years of experience managing components of the information technology and information security programs at the Company. The ISO has established expertise and proficiency in cybersecurity, and holds several cybersecurity certifications, including Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Certified in Risk and Information Systems Control (CRISC). The ISO and CIO work closely with other management positions, including the Chief Risk Officer, Chief Financial Officer, General Counsel, President, and CEO to ensure that the Company has effective communication and understanding regarding its cybersecurity risk and related controls.
The IT and Security teams monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through various processes. These processes include risk assessments, vulnerability assessments, penetration testing, program exercises, security incident and event management, continuous monitoring, and threat intelligence gathering.
In 2023, the Board held an education session with outside experts on cybersecurity. The Company has also implemented a cybersecurity training and compliance program to ensure regular education for all employees. In addition, external parties are engaged to assess Company information security programs and practices, including incident management, service continuity, and information security compliance programs.
25