HOME BANCORP, INC. - (HBCP)

10-K Filing Date: March 08, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
The Company recognizes that the security of our banking operations is critical to protecting our customers, maintaining our reputation and preserving the value of the Company. The Board of Directors, through the Enterprise Risk Committee (“ERC”), the Technology Steering Committee (“TSC”) and the Cyber Risk Oversight Committee (“CROC”), provides direction and oversight of the enterprise-wide risk management framework of the Company, and cybersecurity represents a component of the overall approach to enterprise-wide risk management. Our risk management program is designed to identify, assess, and mitigate risks across various aspects of our company, including financial, operational, regulatory, reputational, and legal. Cybersecurity is a critical component of this program, given the increasing reliance on technology and the potential for cyber threats. Our Director of Information Security is primarily responsible for this cybersecurity component and is a key member of the risk management organization, reporting directly to the Chief Risk Officer and, as discussed below, periodically to the TSC and the CROC. The Chairman of the CROC is an independent member of the Board of Directors who is considered an expert in technology and cybersecurity, and who provides regular updates on cybersecurity risk management to the Board of Directors.

Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse our systems or information. The structure of our information security program is designed around the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, regulatory guidance, and other industry standards. In addition, we leverage certain industry and government associations, third-party benchmarking, audits, and threat intelligence feeds to facilitate and promote program effectiveness. Our Director of Information Security and Director of Information Technology, who reports directly to our Director of Technology Management, along with key members of their teams, regularly collaborate with peer banks, industry groups, and policymakers to discuss cybersecurity trends and issues and identify best practices. The information security program is reviewed periodically by such personnel with the goal of addressing changing threats and conditions.

We employ an in-depth, layered, defensive strategy that embraces a “trust by design” philosophy when designing new products, services, and technology. We leverage people, processes, and technology as part of our efforts to manage and maintain cybersecurity controls. We also employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. We have established processes and systems designed to mitigate cyber risk, including regular and ongoing education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests. We engage in regular assessments of our infrastructure, software systems, and network architecture, using internal cybersecurity experts and third-party specialists. We also maintain a third-party risk management program designed to identify, assess, and manage risks, including cybersecurity risks associated with our use of third-party service providers and our supply chain. We also actively monitor our email gateways for malicious phishing email campaigns and monitor remote connections, as a sizable portion of our workforce has the option to work remotely. We leverage internal and external auditors and independent external partners to periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and make recommendations to strengthen our risk management program.

We maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification of and escalation to the appropriate Board-approved management committees, including the CROC. The Incident Response Plan is coordinated through the Director of Information Security and key members of management are embedded into the Plan by its design. The Incident Response Plan facilitates coordination across multiple parts of our organization and is evaluated at least annually.

Notwithstanding our defensive measures and processes, the threat posed by cyber-attacks is severe. Our internal systems, processes, and controls are designed to mitigate loss from cyber-attacks. To our knowledge, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including its business strategy, results of operations or financial condition. For further discussion of risks from cybersecurity threats, see the section captioned “Risks Related to Our Operational and Information Technology Systems” in Item 1A. Risk Factors.

Governance

Our Director of Information Security is accountable for managing our enterprise information security department and delivering our information security program. The responsibilities of this department include cybersecurity risk assessment, defense operations, incident response, vulnerability assessment, threat intelligence, identity access governance, third-party risk management, and business resilience. The foregoing responsibilities are covered on a day-to-day basis by a first line of defense function, and our second line of defense function, including the Director of Information Security, provides guidance, oversight and monitoring of, and challenge to, the first line’s activities. The second line of defense function is separated from the first line of defense function through organizational structure and reports directly to the Chief Risk Officer. The department consists of information security professionals with varying degrees of education and experience. Individuals within the department are subject to professional education and certification requirements. Our Director of Information Security has substantial relevant expertise and formal training in the areas of information security and cybersecurity risk management. Certifications include Certified Information Security Manager (“CISM”) and Certified Information Systems Security Professional (“CISSP”), both of which carry continuing education requirements.

Our Board of Directors has approved management committees including the TSC, which focuses on technology impact, and the CROC, which focuses on business impact. These committees provide oversight and governance of the technology program and the information security program. The TSC is chaired by management within the Company and includes the Chief Risk Officer, Director of Information Security and Director of Technology Management as well as other key departmental managers throughout the entire company. These committees meet at least quarterly to provide oversight of the risk management strategy, standards, policies, practices, controls, and mitigation and prevention efforts employed to manage security risks. More frequent meetings occur from time to time in accordance with the Incident Response Plan to facilitate timely reporting and monitoring. The Director of Information Security reports to the CROC, on a quarterly basis (or more frequently as may be required by the Incident Response Plan), summaries of key issues discussed at committee meetings, including significant cybersecurity and/or privacy incidents, and the actions taken.

The CROC is responsible for overseeing our information security and technology programs, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. Our Director of Information Security and our Director of Technology Management provide quarterly reports to the CROC regarding the information security program and the technology program, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes. Our Board of Directors reviews and approves our information security and technology budgets and strategies annually. Additionally, the CROC reviews our cybersecurity risk profile on an annual basis. The chairman of our CROC provides a report of its activities to the full Board of Directors at least quarterly.