Investar Holding Corp - (ISTR)
10-K Filing Date: March 07, 2024
Risk Management and Strategy
As a financial institution, we believe that the risk of cybersecurity incidents is a significant, increasing, and always evolving risk for our business. Federal law and regulations require us to maintain a comprehensive written information security program, and federal banking regulators regularly issue guidance regarding cybersecurity threats intended to enhance our cybersecurity risk management. Accordingly, we have developed and implemented processes for assessing, identifying and managing material risks from cybersecurity threats designed to comply with federal law and regulations and protect against cybersecurity threats to our business. Our program is supported by management and the Company’s Board of Directors (the “Board of Directors”). The Company maintains an active cyber insurance policy to enhance protections against material data intrusions or loss of privacy. For an overview of the federal banking laws and regulations that govern our management and oversight of cybersecurity risks, refer to Item 1. Business – Supervision and Regulation – “Financial Privacy and Cybersecurity Requirements,” incorporated by reference into this Item 1C.
The Company’s Information Security Program (the “Program”) consists of five pillars: the Information Security Policy, the Enterprise Information Security Risk Assessment, the Incident Response Plan, a formalized Security Awareness Campaign, and an enterprise monitoring and reporting program.
• The Information Security Policy contains numerous distinct administrative and technical controls that govern data security for the organization and is based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. The policy is reviewed and approved by the Board of Directors annually.
• The Enterprise Information Security Risk Assessment quantifies risk criteria utilizing the same impact measures, including financial, strategic, operational, and reputational, set forth by the Enterprise Risk Committee. The risk assessment is reviewed and approved by the Board of Directors annually. The Enterprise Risk Committee includes members of management from various departments and members of the Board of Directors and oversees the overall risk management of the Company. The Enterprise Risk Committee meets as often as appropriate to perform its responsibilities, but no less than once per calendar quarter, and reports findings and provides recommendations to the Board of Directors on a routine basis.
• The Incident Response Plan (“IRP”) includes procedures for responding to actual or potential cybersecurity incidents, including providing timely notice to customers and our bank regulatory agencies when appropriate. The IRP is based on the NIST Cybersecurity Framework. The plan is tested annually through tabletop exercises.
• The Security Awareness Campaign is designed with the goal that employees are educated on policy, threats, and best practices from onboarding and throughout their tenure at the Company. This effort includes an onboarding training program, annual attestation and training, and weekly communication designed to help instill in employees a security mindset through repetition.
• The Company maintains an enterprise monitoring and reporting program, which identifies key risk indicators for tracking and identifying trends. The key risk indicators are presented to the Company’s Information Technology Committee (“IT Committee”) and the Board of Directors on a monthly basis.
The Program is monitored each year through various internal and external audits, as well as OCC regulatory exams. Vulnerability and penetration testing are also conducted at least annually by an independent third party to supplement the vulnerability and patching program routinely performed by internal staff. Third-party vendors supplement the Company’s internal patching program as necessary. The Company also utilizes a third-party “SOC as a Service” to monitor extended detection and response logs and network traffic.
Third-party service provider risk is evaluated prior to and throughout the relationship. Third-party service providers must meet a minimum set of baseline security standards prior to being onboarded. During onboarding, the third party and the services it provides are added to the Information Security Risk Assessment, including consideration of inherent risk factors and mitigating controls. Alternative vendors and the effort required to transition between vendors are identified during onboarding, as well as in the event that the selected provider fails to provide contracted services at any time. After a third party is onboarded, it is subject to the annual third-party risk management program, specific to its assigned risk criticality. This effort includes the review of service organization controls reports, business continuity and disaster recovery efforts, insurance certificates, and other compliance-related concerns when applicable.
During the last three years we have not experienced any cybersecurity incidents that have materially affected our Company, including our business, strategy, results of operations or financial condition. For a discussion of how risks from cybersecurity threats may be reasonably likely to materially affect us, refer to Item 1A. Risk Factors – Risks Related to our Business – “We rely on information technology and telecommunications systems, many of which are provided by third-party vendors” and – “Cyberattacks or other security breaches could adversely affect our operations, net income or reputation,” incorporated by reference into this Item 1C.
Governance
The Board of Directors is responsible for oversight of risks from cybersecurity threats. Oversight of cybersecurity risk management is performed primarily by the Board of Directors and the IT Committee. The IT Committee consists of members of the Board of Directors and key members of management. The IT Committee’s primary purpose is to assist the Board of Directors in its oversight of technology and innovation strategies, plans and operations related to cybersecurity, data privacy, and third-party technology risk management. The Chief Information Security Officer (“CISO”) provides monthly information security reports on cybersecurity programs, policies and controls, key risk indicators and trends including responses to any cybersecurity events, and efforts to improve security. Annually, the CISO provides security training to the Board of Directors. The CISO also provides the Board of Directors with an annual Information Security Program Summary Report in compliance with federal banking guidelines.
The Program is managed by the CISO, who reports to the Chief Operations Officer, and is reviewed by regulators as well as internal auditors. The Chief Information Officer (“CIO”) and information technology staff support the CISO in cybersecurity operations as necessary to mitigate risks to the Company’s technology infrastructure. The CISO holds two industry-leading cybersecurity certifications (CISSP, CCSP) and has more than 20 years of technology experience. Information technology staff are generally subject to professional education, experience, and certification requirements, and receive education and mentoring from the CISO and CIO.