FIRST COMMUNITY BANKSHARES INC /VA/ - (FCBC)

10-K Filing Date: March 08, 2024
Item 1C.

Cybersecurity

 

Cybersecurity Risk Management and Strategy

 

Cybersecurity risks for financial institutions have significantly increased in recent years in part because of the proliferation of new technologies to facilitate and conduct financial transactions. The Company maintains a comprehensive risk-based cybersecurity program to identify, measure, manage, and disclose material cybersecurity risks. The Company utilizes the Federal Financial Institutions Examination Council’s ("FFIEC") Cybersecurity Assessment Tool ("CAT") as a diagnostic tool to help identify the Company’s inherent cyber risk level and determine the maturity of our cybersecurity program. The CAT is supplemented by an annual self-assessment and external audits and reviews, the results of which drive the development and implementation of the Company’s cybersecurity strategy to ensure that cyber risk management practices are aligned with the risk profile of the Company.

 

The Company uses the Center for Internet Security ("CIS") Critical Security Controls framework to balance cybersecurity risk exposure with investment in mitigation strategies. This framework provides a prescriptive, prioritized set of cybersecurity safeguards that map to those of the National Institute of Standards and Technology, the International Organization for Standardization ("ISO") 27000 series, and the requirements and guidance from applicable regulatory authorities, including the FFIEC.

 

The Company’s cybersecurity strategy is enabled by people, processes, and technology that provide multilayered defenses including advanced capabilities for early and rapid cyber threat identification, detection, protection, response, and recovery. The Company employs a team of dedicated, skilled talent to operationalize the cybersecurity strategy. The internal team is supported by arrangements with a third party to provide continuous endpoint monitoring and incident response.

 

The Company’s entire workforce receives mandatory cybersecurity training that includes quarterly social engineering exercises and informative online courses assigned based on assessed skill gaps. The Company also provides cyber risk awareness guidance to customers and promotes customer cyber hygiene through periodic communications. The Company conducts scenario-driven test exercises simulating impacts and consequences developed through analysis of real-world cybersecurity incidents as well as known and anticipated cyber threats. These exercises are designed to assess the viability of the Company’s incident response and management programs and provide the basis for continuous improvement.

 

The Company actively monitors and evaluates threats, events, and the performance of its business operations and continually adapts its risk mitigation activities accordingly. To that end, the Company maintains a comprehensive vulnerability management program that includes regular internal scans of the entire network to identify and measure the severity of security vulnerabilities, a team of dedicated network engineers who are responsible for fixing identified vulnerabilities within pre-defined timeframes based on severity, and at least annual independent network penetration testing by a qualified third party.

 

Cyber risk monitoring also includes the Company’s arrangements with and exposure to third party service providers. We identify the criticality of our third-party service providers, in part, by determining their use of and access to confidential customer information. We conduct comprehensive cybersecurity reviews on all third parties that have access to confidential information. Our third-party reviews make use of technology that provides significant visibility into third party organizations, in real time, to assess third party compliance with a host of globally recognized IT security standards and frameworks and the likelihood of a cyberattack on a third party.

 

The Company also maintains a robust firewall system and firewall management program to restrict inbound and outbound network traffic. A dedicated team of network engineers manages firewall rulesets and monitors firewall health and alerting.

 

The risks from cybersecurity threats have not materially affected the Company’s business strategy, results of operations, or financial condition. Although the Company has invested substantial resources to manage and reduce cybersecurity risk, it is not possible to eliminate this risk. The Company obtains insurance that protects against certain losses, expenses, and damages associated with cybersecurity risk. See Item 1A, “Risk Factors,” for additional information regarding cybersecurity risk.

Cybersecurity Governance

 

The Company’s Board of Directors devotes significant time and attention to its oversight of cybersecurity risk. Select members of the Board serve on the Information Systems Steering Committee ("ISSC"), which is responsible for approving IT strategic plans and all IT-related policies and for oversight of the information security program, among other matters. To fulfill its responsibilities, the ISSC receives periodic reports on the cybersecurity risk management program, including information security risks and incidents, emerging threats, and both internal and independent audit reports on the effectiveness of the control environment.

 


 

Executive leadership is responsible for management of the cybersecurity program. The IT Security Director supervises daily operations of the cybersecurity program and reports directly to the Chief Risk Officer ("CRO"). The CRO chairs the Information Security Sub-Committee ("Sub-Committee"), a management committee that meets at least monthly to receive regular updates on the status of the cybersecurity risk management program and strategic cyber initiatives. The Sub-Committee’s actions and activities are reviewed by the ISSC at least quarterly. The Company has a management-level Change Control Board ("CCB") which is responsible for reviewing and approving actions of the vulnerability management team, changes to hardware and software (including the introduction of new hardware and software), and changes to firewall rulesets. The IT Security Director serves as a voting member of the CCB. Additionally, the Company has a Cyber Incident Response Team ("CIRT") which includes key members of management, including the CRO and the IT Security Director. The CIRT manages significant cyber-specific events, with escalation up to executive leadership and the Board.

 
