FIRSTSUN CAPITAL BANCORP - (FSUN)

10-K Filing Date: March 07, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Cybersecurity is a critical component of our overall risk profile given our increasing reliance on technology and the potential of cyber threats. Our Chief Information Security Officer is primarily responsible for this cybersecurity component, is a member of the information technology organization, reports directly to the Chief Information Officer, and regularly reports on the state of the program to the Risk Committee of our Bank’s Board of Directors.
Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse our systems or information. The structure of our information security program is designed around the Federal Financial Institutions Examination Council (“FFIEC”) regulatory guidance and other industry standards, such as those of the Center for Internet Security (“CIS”). In addition, we leverage certain industry and government associations, third-party benchmarking, audits, and threat intelligence feeds to facilitate and promote program effectiveness. Our Chief Information Security Officer and our Chief Information Officer regularly collaborate with industry groups to discuss cybersecurity trends and issues and to identify best practices. The information security program is periodically reviewed by such personnel with the goal of addressing changing threats and conditions.
We leverage people, processes, and technology with an in-depth, layered, defensive strategy as part of our efforts to manage and maintain cybersecurity controls. We also employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. We have established processes and systems designed to mitigate cyber risk, including regular and ongoing education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests. We engage in regular assessments of our infrastructure, software systems, and network architecture, using internal cybersecurity experts and third-party specialists. We also maintain a third-party risk management program designed to identify, assess, and manage risks, including cybersecurity risks, associated with external service providers and our supply chain. We also actively monitor our email gateways for malicious phishing email campaigns and monitor remote connections, as a significant portion of our workforce has the option to work remotely. We leverage internal and external auditors and independent external partners to periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and to make recommendations to strengthen our risk management program.
Notwithstanding our defensive measures and processes, the threat posed by cyber-attacks is severe.
Therefore, we will continue to face risk from potential vulnerabilities now and in the future, but we have built a program to recognize and respond to these vulnerabilities, to identify and remediate them, and to limit the impact they can have on our business. Our internal systems, processes, and controls are designed to mitigate loss from cyber-attacks.
Additionally, we maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification of and escalation to the appropriate management and/or executives. We have created and maintain a Crisis Management Plan as part of our overall Incident Response Plan, which provides for the escalation path and management of an incident by the appropriate designated executives. The Incident Response Plan is coordinated through the Chief Information Security Officer, and key members of the information technology management team are embedded in it by design. The Crisis Management Plan facilitates coordination across multiple parts of our organization and is evaluated at least annually.
Further, our risk from cybersecurity threats includes failure in or breach of our operational or security systems or infrastructure managed by third-party vendors and extends to other third parties, which could disrupt our businesses, result in the disclosure or misuse of confidential or proprietary information, damage our reputation, increase our costs, and/or cause losses.
While we have experienced cybersecurity incidents in the past, to date, risks from cybersecurity threats have not materially affected the Company. For further discussion of risks from cybersecurity threats, see the section captioned “A failure in or breach of our operational or security systems or infrastructure, or those of our third-party vendors and other service providers or other third parties, including as a result of cyber-attacks, could disrupt our businesses, result in the disclosure or misuse of confidential or proprietary information, damage our reputation, increase our costs and cause losses.” in Item 1A. Risk Factors.
Governance
Our Chief Information Security Officer is accountable for managing our enterprise information security department and delivering our information security program. The responsibilities of this department include cybersecurity risk assessment, threat intelligence, control evaluation and assessment, incident response, vulnerability assessment, third-party risk management, change management, and business resilience. The foregoing responsibilities are covered on a day-to-day basis by a first line of defense function. The second line of defense function is separated from the first line of defense function through organizational structure, and overall cybersecurity management is independently reviewed by a third line through the audit function. The department, as a whole, consists of information security professionals with varying degrees of education and experience. Individuals within the department are generally subject to professional education and certification requirements. In particular, our Chief Information Security Officer has substantial relevant expertise and formal training in the areas of information security and cybersecurity risk management.
Various management committees exist, including the Information Technology Steering Committee, which focuses on technology impact. This committee provides oversight and governance of the technology program and the information security program. It is chaired by the Chief Information Officer and includes other executives across the Bank, including the Chief Information Security Officer. This committee meets quarterly to provide oversight of technology projects and services, including strategy, standards, policies, practices, controls, and the mitigation and prevention efforts employed to manage security risks.
The Chief Information Security Officer reports to the Risk Committee of our Board of Directors, on a quarterly basis (or more frequently as may be required by the Incident Response Plan), summaries of the key issues discussed at the meeting, including significant cybersecurity and/or privacy incidents, and the actions taken.
The Risk Committee of our Bank’s Board of Directors is responsible for overseeing our information security and technology programs, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. Our Chief Information Security Officer and our Chief Information Officer provide quarterly reports to the Risk Committee of our Bank’s Board of Directors regarding the information security program and the technology program, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes. The Risk Committee of our Bank’s Board of Directors reviews and approves our information security policies and strategies, and provides a report of its activities to the full Board of Directors at each board meeting.
Vendor Incident
As disclosed in our Form 8-K filed on July 14, 2023, on or about May 31, 2023, we were informed by a third-party vendor of a zero-day vulnerability in the vendor’s managed file transfer software MOVEit (the “Vendor Incident”). The Bank utilizes MOVEit for securely transferring sensitive and confidential information and other data, including for its First National 1870 and Guardian Mortgage divisions.
We publicly disclosed this breach and provided appropriate notifications to potentially impacted customers. We now understand that the SEC is conducting an investigation into data breaches resulting from the failures in the Progress software and on or about February 26, 2024, we received a request from the SEC to preserve and provide various documents and information relating to the SEC’s investigation. The fact that the SEC has begun an investigation does not mean that the SEC believes that anyone (including FirstSun) has violated federal securities laws, nor does it mean that the SEC has a negative opinion of any person, entity, or security. It is a non-public fact-finding inquiry, with which we intend to fully cooperate.
The costs associated with the Vendor Incident have not had a material adverse impact on the Company’s financial condition or results of operations, and neither the Vendor Incident nor the SEC’s investigation (including responding to any information requests from the SEC) is expected to have one.