OLD SECOND BANCORP INC - (OSBC)

10-K Filing Date: March 07, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

Cybersecurity risk is the risk of exposure to harm or loss resulting from misuse or abuse of technology by malicious actors. Cybersecurity risk is an important and continuously evolving focus for us as significant resources are devoted to protecting and enhancing the security of computer systems, software, networks, storage devices, and other technology assets. Security efforts are designed to protect against, among other things, cybersecurity attacks by unauthorized parties attempting to obtain access to confidential information, destroy data, disrupt or degrade service, sabotage systems or cause other damage. We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. We have experienced, and expect that we will continue to experience, a higher volume and complexity of cyber-attacks. We have implemented precautionary measures and controls reasonably designed that follow the National Institute of Standards and Technology (NIST) and other industry standards to address this increased risk.


Managing Material Risks & Integrated Overall Risk Management

We have strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Our risk management team works closely with our IT department to continuously evaluate and address cybersecurity risks in alignment with our strategic objectives, business environment and operational needs.

Engage Third-parties on Risk Management

Ongoing business expansions may expose us to potential new threats as well as expanded regulatory scrutiny, including the introduction of new cybersecurity requirements. We continue to make significant investments in enhancing our cyber defense-in-depth capabilities and in strengthening our partnerships with the appropriate government and law enforcement agencies and other businesses in order to understand the full spectrum of cybersecurity risks in the operating environment, enhance defenses and improve resiliency against cybersecurity threats. Recognizing the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity assessors, consultants, and auditors, in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights to inform our cybersecurity strategies and processes. Our collaboration with these third parties includes regular audits, threat assessments, and consultation on security enhancements.

Oversee Third-party Risk

Third parties with which the Company does business or that facilitate the organization’s business activities (e.g., vendors, supply chain, exchanges, clearing houses, etc.) are also sources of cybersecurity risk. Third-party cybersecurity incidents such as system breakdowns or failures, misconduct by the employees of such parties, or cyber-attacks, including ransomware and supply-chain compromises, could affect their ability to deliver a product or service or result in lost or compromised information. Because we are aware of the risks associated with third-party service providers, we implement stringent processes to oversee and manage these risks. We conduct thorough security assessments of all third-party providers before engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. Monitoring includes quarterly assessments by our Chief Information Security Officer (“CISO”) and ongoing review by our security engineers. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties.

Governance

Our Board of Directors is acutely aware of the critical nature of managing risks associated with cybersecurity threats. Our Board has established robust oversight mechanisms to ensure effective governance in managing risks associated with cybersecurity threats because we recognize the significance of these threats to our operational integrity and stakeholder confidence.

Board of Directors Oversight

Our Information Technology Steering Committee (“ITSC”) is central to the Board’s oversight of cybersecurity risks, which are incorporated into our overall risk management program overseen by our Board Risk Committee. These Committees meet no less than quarterly and are composed of board members with diverse expertise including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively. While, as of the date of this Annual Report on Form 10-K, we have not encountered cybersecurity challenges that have materially impaired our operations or financial standing, our systems and those of our customers and third-party service providers are under constant threat and it is possible that we could experience a significant event in the future.

Management’s Role in Managing Risk

While the ITSC and our Board of Directors, to which it reports, oversee cybersecurity risk management, management is responsible for the day-to-day cybersecurity risk management processes. The Chief Risk Officer (“CRO”) and the CISO play a pivotal role in informing the ITSC and Board Risk Committee on cybersecurity risks. Comprehensive briefings are presented to the ITSC and Board Risk Committee on a regular basis, with a minimum frequency of quarterly. These briefings encompass a broad range of topics, including:

Maturity of our cyber landscape commensurate with the inherent risks of our environment;
Emerging threats;
Status of ongoing cybersecurity initiatives and strategies;
Incident reports and learnings from any cybersecurity events;
Compliance with regulatory requirements and industry standards; and
Results of internal and external testing of cybersecurity controls.


In addition to our scheduled meetings, the CISO maintains an ongoing dialogue with management and the Board of Directors regarding emerging or potential cybersecurity risks. Together, they receive updates on any significant developments in the cybersecurity domain, ensuring the Board’s oversight is proactive and responsive. The CISO actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. This involvement ensures that cybersecurity considerations are integrated into our broader strategic objectives. The CISO conducts a quarterly review of our cybersecurity posture and the effectiveness of our risk management strategies. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.

Risk Management Personnel

Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the CISO. With over 30 years of experience in the field of cybersecurity and operational risk, he brings a wealth of expertise to his role. His background includes extensive experience as an enterprise CISO; he holds several certifications, including ISACA’s CISM and CRISC, and is well recognized within the industry. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Our CISO oversees our governance programs, tests our compliance with standards, remediates known risks, and leads our employee cybersecurity training program.

The CISO is responsible for identifying technology and cybersecurity risks and for the controls to manage threats. To help safeguard the confidentiality, integrity and availability of our infrastructure, resources and information, we maintain an Information Security Program designed to prevent, detect, and respond to cyberattacks. The ITSC and Board of Directors are periodically provided with updates on the Information Security Program, recommended changes, cybersecurity policies and practices, ongoing efforts to improve security, and our efforts regarding significant cybersecurity events.

The CISO conducts a quarterly review of our inherent risk posture against the effectiveness of our cyber risk management strategies. This review helps in measuring the effectiveness of controls and identifying areas for improvement, ensuring that cyber controls are commensurate with our inherent risk profile and the Board’s risk appetite.

Monitoring Cybersecurity Incidents

The CISO continually monitors for the latest developments in cybersecurity, including potential threats and innovative risk management techniques. We deploy defense-in-depth safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, access controls, and ongoing vulnerability assessments, as well as ongoing acquisition of knowledge crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The CISO implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the CISO is equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and prevent escalation of any loss or damage from the cybersecurity incident. The Incident Response Plan is continually updated in response to an ever-changing threat landscape to provide long-term strategies for remediation, prevention of future incidents and resiliency to all types of threats. The incident response teams (i) include subject matter experts to address cyber threats and (ii) include representatives from the accounting team to monitor threat escalation and identify events that may warrant Board notification and a Form 8-K cybersecurity notice.

Reporting to Board of Directors

The CISO, in his capacity, regularly informs the ITSC and Board Risk Committee of all aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of our cybersecurity posture and the potential risks we face. Furthermore, significant cybersecurity matters and strategic risk management decisions are escalated to the Board of Directors, ensuring that it has comprehensive oversight and can provide guidance on critical cybersecurity issues.

For additional information regarding the risk we face from cybersecurity threats, please see the risk factor titled “Our information systems may experience an interruption or breach in security and cyber-attacks, all of which could have a material adverse effect on our business.” included in Part I. Item 1A. - Risk Factors of this report.