Third Coast Bancshares, Inc. - (TCBX)
10-K Filing Date: March 07, 2024
Risk Management and Strategy
Our risk management program is designed to identify, assess, and mitigate risks across various aspects of our Company, including financial, operational, regulatory, reputational, and legal. Cybersecurity is a critical component of this program, given the increasing reliance on technology and the potential for cybersecurity threats. Our Chief Information Security Officer (“CISO”) is primarily responsible for this cybersecurity program component and is a key member of the risk management organization, reporting directly to the Chief Risk Officer and, as discussed below, periodically to the Risk Committee of our board of directors.
The program is based on the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”). The NIST CSF framework provides the basis to evaluate our program for completeness and helps to ensure that the various components of the program are at a level that reduces cybersecurity risk to levels within the Company’s risk appetite, taking into account the current threat and regulatory environment. Key components of the cybersecurity program include:
The Company engages reputable third parties to conduct various risk assessments on a regular basis, including but not limited to maturity assessments and various testing. Following a defense-in-depth strategy, the Company leverages both in-house resources and third-party service providers to implement and maintain processes and controls to manage the identified risks.
Notwithstanding our defensive measures and processes, the threat posed by cyber-attacks is severe, and we may not be successful in preventing or mitigating all cybersecurity incidents that could have a material adverse effect on the Company. However, as of the date of this Form 10-K, the Company is not aware of any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition, that are required to be reported in this Form 10-K. For further discussion of cybersecurity risks, please see Item 1A. “Risk Factors.”
Governance
Board of Directors Oversight
The Risk Committee of our board of directors is responsible for overseeing our information security and technology programs, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. The Risk Committee of our board of directors reviews and approves our information security and technology budgets and strategies annually. Additionally, the Risk Committee of our board of directors reviews quarterly reports regarding the information security program and technology program, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes.
Management Oversight
Our CISO is accountable for managing our enterprise information security department and overseeing our information security program. The CISO reports directly to the Chief Risk Officer. The CISO’s responsibilities include cybersecurity risk assessment, defense operations, incident response, vulnerability assessment, threat intelligence, identity access governance, third-party risk management, and business resilience. The CISO has over 20 years of experience in cybersecurity across the U.S. Government, Department of Defense contracting, and the financial services industry. Prior to joining the Company, the CISO served as the Deputy CISO for a major domestic financial services institution. We have protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated internally and, where appropriate, reported to senior leadership and the Risk Committee and/or the Board in a timely manner.