Third Coast Bancshares, Inc. - (TCBX)

10-K Filing Date: March 07, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

Our risk management program is designed to identify, assess, and mitigate risks across various aspects of our Company, including financial, operational, regulatory, reputational, and legal. Cybersecurity is a critical component of this program, given the increasing reliance on technology and potential of cybersecurity threats. Our Chief Information Security Officer (“CISO”) is primarily responsible for this cybersecurity program component and is a key member of the risk management organization, reporting directly to the Chief Risk Officer and as discussed below, periodically to the Risk Committee of our board of directors.

The program is based on the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”). The NIST CSF framework provides the basis to evaluate our program for completeness and helps to ensure that the various components of the program are at a level that reduces cybersecurity risk to levels within the Company’s risk appetite, taking into account the current threat and regulatory environment. Key components of the cybersecurity program include:

A risk assessment process that identifies and prioritizes cybersecurity risks; defines and evaluates the effectiveness of controls to mitigate the risks; and reports results to executive management and the board of directors.
A third-party managed detection and response service, which monitors the security of our information systems around-the-clock, including intrusion detection and alerting.
An incident response plan that establishes a structured approach for the Company's response to a cybersecurity incident. The incident response plan is coordinated through the CISO, and key members of management are embedded into the plan by its design. The plan facilitates coordination across multiple parts of our organization and is evaluated at least annually.
A training program that educates employees about cybersecurity risks and how to identify and escalate cybersecurity events.
A third-party risk management program designed to ensure that our key vendors meet our expectations on cybersecurity. This includes conducting periodic risk assessments of vendors, requiring vendors to implement appropriate cybersecurity controls, and monitoring vendor compliance with our cybersecurity requirements.


The Company engages reputable third parties to conduct various risk assessments on a regular basis, including but not limited to maturity assessments and various testing. Following a defense-in-depth strategy, the Company leverages both in-house resources and third-party service providers to implement and maintain processes and controls to manage the identified risks.

Notwithstanding our defensive measures and processes, the threat posed by cyber-attacks is severe, and we may not be successful in preventing or mitigating all cybersecurity incidents that could have a material adverse effect on the Company. However, as of the date of this Form 10-K, the Company is not aware of any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition, that are required to be reported in this Form 10-K. For further discussion of cybersecurity risks, please see Item 1A. “Risk Factors.”

Governance

Board of Directors Oversight

The Risk Committee of our board of directors is responsible for overseeing our information security and technology programs, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. The Risk Committee of our board of directors reviews and approves our information security and technology budgets and strategies annually. Additionally, the Risk Committee of our board of directors reviews quarterly reports regarding the information security program and technology program, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes.

Management Oversight

Our CISO is accountable for managing our enterprise information security department and overseeing our information security program. The CISO reports directly to the Chief Risk Officer. The CISO’s responsibilities include cybersecurity risk assessment, defense operations, incident response, vulnerability assessment, threat intelligence, identity access governance, third-party risk management, and business resilience. The CISO has over 20 years of experience in cybersecurity across the U.S. Government, Department of Defense contracting, and the financial services industry. Prior to joining the Company, the CISO served as the Deputy CISO for a major domestic financial services institution. We have protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated internally and, where appropriate, reported to senior leadership and the Risk Committee and/or the Board in a timely manner.