ISABELLA BANK Corp - (ISBA)

10-K Filing Date: March 07, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk
As a financial institution, we may be the target of a security breach due to a cybersecurity attack. While we have not encountered a cybersecurity incident that has materially impacted our operations or financial results, a security breach due to a cyber-attack in the future could result in a material impact to us, our customers, and our third-party vendors. The risk of such event could increase in the future due to the expansion of mobile banking and other internet-based product offerings, our use of internet-based services for internal and external purposes, acquisition and integration of new products and other offerings, increased use of third-party software solutions, and the growing reliance on mobile devices.
Cybersecurity incidents have increased in number and severity and it is expected that these trends will continue. Techniques used in cyberattacks evolve frequently, are increasingly sophisticated, and may not be recognized until launched. Cyber-attacks can originate from a wide variety of sources, including both internal and external sources, cyber-criminals, hacktivists, groups linked to terrorist organizations or hostile countries, or third parties whose objective is to broadly disrupt the operations of financial institutions. We may be unable to fully prevent cyber-attacks due to the inability to anticipate, detect, or recognize threats to our systems, or to implement effective preventative measures against all breaches. In addition, we do not have control over the cybersecurity of the systems of our customers, counterparties, and third-party service providers.
Our products, services and systems are accessed through critical company or third-party operations. These operations involve the storage, processing and transmission of sensitive data, including proprietary or confidential data, regulated data, and personal information of employees and customers. Successful breaches, employee wrongdoing, or human or technological error could result in unauthorized access, disclosure, modification, misuse, loss, or destruction of company, customer, or other third-party data or systems. Examples of a breach include theft of sensitive, regulated, or confidential data, including personal information; loss of access to critical data or systems through ransomware, destructive attacks, or other means; and business delays, service or system disruptions, or denials of service.
Should we, or the third parties we do business with, fall victim to successful cyber-attacks or experience other cybersecurity incidents, the result could include negative consequences. Such consequences could include, but are not limited to: significant disruption of our operations and those of our customers, including losing access to important business systems; misappropriation of confidential information related to customers, counterparties, employees, or other parties; severe damage to our reputation; the inability, or extended delays in the ability, to fully recover and restore data that has been stolen, manipulated, or destroyed, or the inability to prevent systems from processing fraudulent transactions; violations of applicable privacy and other laws; financial loss to us or our customers, counterparties, or employees; exposure to the risk of litigation, regulation, and other liability, which may include fines or other penalties and increased cybersecurity or other insurance premiums. The extent of a particular cyber-attack and the steps we must take to investigate and respond to it may not be immediately clear, and it may take a significant amount of time before such an investigation can be completed.
We have cybersecurity insurance intended to cover expenses related to notification, credit monitoring, investigation, crisis management, public relations, and legal advice. In addition, we maintain insurance to cover restoration of data, certain physical damage, and third-party injuries caused by potential cybersecurity incidents. However, damage and claims arising from such incidents may not be covered or may exceed the amount of any insurance available. Insurance policies and coverage are reviewed at least annually in detail.
Risk Management
Cybersecurity threats are assessed, identified, and managed within our Enterprise Risk Management Framework. We use a multi-layered approach to effectively manage risk. This approach includes, but is not limited to: (1) employees who are responsible for and manage risk; (2) employees and systems that oversee, monitor, and report risk; and (3) independent assurance, evaluation, and oversight of risk management activities.
Our security strategy is a layered approach. We utilize multiple layers of defense, both internally and externally, to ensure the integrity of our systems and data. We engage reputable security partners (assessors, consultants, auditors, and other third parties) for real time analysis and protection of our network infrastructure. This includes the use of preventative and detective tools to monitor, block, and alert us to suspicious activity. We utilize industry and regulator recognized assessment tools, such as the FFIEC Cybersecurity Assessment Tool and the Ransomware Self-Assessment Tool, to identify potential cybersecurity threats as well as the impact they could have on the Bank. Dashboards are used to track and monitor cybersecurity activity and trends.
We have established programs in place to proactively mitigate and respond to cybersecurity risk. The Vendor Management Program provides management with a framework to evaluate new vendors and ensure ongoing monitoring of third parties, including the evaluation of cybersecurity risk. The Incident Response Plan provides a framework for management to respond to and minimize the impact of an incident involving our information technology systems, or that of one of our third-party providers. The Business Continuity Plan provides information to prepare for and manage a business disruption.
Governance
All employees play a critical role in managing cybersecurity risk. Our Enterprise Risk Management Framework utilizes the three lines of defense model to define roles and responsibilities to effectively manage risk. First line employees own and manage risk, the second line oversees, monitors, and reports risk, and the third line provides independent assurance of risk management activities.
We employ Information Technology staff to analyze and protect our network infrastructure. Members of our IT staff have relevant training and education in computer networks and systems, information security and intelligence, and hold industry certifications related to network security, enterprise IT governance, and risk and information systems control. In addition, our employees network with peer banks, participate in industry groups, and attend ongoing training to stay abreast of cybersecurity threats and best practices.
Within the Enterprise Risk Management Framework, we have established committees, both at the management and board level, to oversee risk, and ensure cybersecurity risk is escalated appropriately to the Board.
The Information Technology Risk Management Committee is chaired by the Chief Technology Officer and comprised of IT management and other key stakeholders from across the Bank. They are responsible for identifying, measuring, monitoring, and controlling risk generated within IT, including cybersecurity risk. This committee reviews and updates risk assessments as necessary and monitors activity through risk reports and dashboards. A cybersecurity dashboard, which includes a summary of key risk metrics, is reviewed and monitored by the Information Technology Risk Management Committee. The Chief Technology Officer and Information Security Officer provide quarterly reports to the Board Risk Committee.
The Board Risk Committee assists the Board in fulfilling its responsibilities related to the oversight of the Bank’s Enterprise Risk Management Framework. The Board Risk Committee oversees executive management's design, implementation, and maintenance of an effective risk management program to ensure compliance with laws and regulations, and operation within the parameters established in the Bank’s risk appetite statement. This includes a review of the cybersecurity dashboard which summarizes key risk indicators and identifies emerging risks.
The Board Risk Committee provides a verbal risk report and meeting minutes to the Board at least quarterly. This includes a discussion of key risks and effectiveness of internal controls. In addition, cybersecurity incidents are escalated to the Board in a timely manner using the processes defined within the Bank’s Incident Response Plan.