HomeStreet, Inc. - (HMST)
10-K Filing Date: March 06, 2024
ITEM 1C CYBERSECURITY
Cybersecurity Risk Management and Strategy:
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks.
We also maintain an incident response plan to coordinate the activities we take to protect against, detect, respond to and remediate cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to identify, assess, and manage material risks, as well as to test and improve our incident response plan. Our approach includes, among other things:
•conducting regular network and endpoint monitoring, vulnerability assessments, and penetration testing to improve our information systems, as such term is defined in Item 106(a) of Regulation S-K;
•running tabletop exercises to simulate a response to a cybersecurity incident and using the findings to improve our processes and technologies;
•conducting regular cybersecurity training programs for employees, management and directors, and annual customer data handling training for all our employees;
•conducting annual cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data;
•comparing our processes to standards set by the National Institute of Standards and Technology (“NIST”), International Organization for Standardization (“ISO”), and Center for Internet Security (“CIS”);
•leveraging the NIST cybersecurity framework to help us identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident;
•operating threat intelligence processes designed to model and research our adversaries;
•closely monitoring emerging data protection laws and implementing changes to our processes designed to comply;
•undertaking regular reviews of our consumer-facing policies and statements related to cybersecurity;
•proactively informing our customers of substantive changes related to customer data handling;
•conducting regular phishing email simulations for all employees and all contractors with access to corporate email systems to enhance awareness and responsiveness to such possible threats;
•through policy, practice and contract (as applicable) requiring employees, as well as third parties who provide services on our behalf, to treat customer information and data with care;
•maintaining a risk management program for suppliers, vendors, and other third parties, which includes conducting pre-engagement risk-based diligence, implementing contractual security and notification provisions, and conducting ongoing monitoring as needed; and
•carrying information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident.
These approaches vary in maturity across the business and we work to continually improve them.
Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader overall risk assessment process, covering all company risks. As part of this process, appropriate disclosure personnel will collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations. As part of the above approach and processes, we regularly engage with assessors, consultants, auditors, and other third parties to review our cybersecurity program to help identify areas for continued focus, improvement and/or compliance.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading "Risks Related to Information Technology" included as part of our risk factor disclosures in Item 1A of this Form 10-K.
In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. This includes penalties and settlements, of which there were none.
Governance
Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management. Our Board Enterprise Risk Management Committee ("ERMC") is responsible for the oversight of risks from cybersecurity threats. At least quarterly, the ERMC receives an overview from management and the management steering committee of our cybersecurity threat risk management and strategy processes, covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, the ERMC generally receives materials including a cybersecurity scorecard and other materials indicating current and emerging cybersecurity threat risks and describing the Company's ability to mitigate those risks, and discusses such matters with our Chief Information Security Officer and Chief Information Officer. Members of the ERMC are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and to discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks may also be considered during separate Board meeting discussions. The Board engages external cybersecurity experts, as needed, leveraging their expertise as part of our ongoing effort to evaluate and enhance our cybersecurity program. They help with cyber defense capabilities and transformation designed to mitigate associated threats, reduce risk, enhance our cybersecurity posture, and meet the Company's evolving needs.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Information Security Officer, Chief Information Officer, and our management technology steering committee. Such individuals have collectively over 30 years of prior work experience in various roles involving managing information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs, as well as several relevant certifications, including Certified Information Security Manager and Certified Information Systems Security Professional.
These members of management and the management technology steering committee are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
If a cybersecurity incident is determined to be a material cybersecurity incident, our incident response plan and cybersecurity disclosure controls and procedures define the process to disclose such a material cybersecurity incident.