FIRST MID BANCSHARES, INC. - (FMBH)
10-K Filing Date: March 06, 2024
Risk management and strategy
The Company’s Information Security strategy prioritizes detection, analysis and response to known, anticipated or unexpected threats; effective management of security risks; and resiliency against incidents. The Company’s cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, employee training, contractual arrangements, tools and related services from third-party providers, and management oversight to assess, identify and manage material risks from cybersecurity threats. The Company implements risk-based controls to protect the Company’s information, information systems, business operations, products and related services, and the information of the Company’s customers. The Company has adopted security-control principles based on the Federal Financial Institutions Examination Council (FFIEC) Cyber Security Assessment Tool (CAT), and other industry-recognized standards, and contractual requirements, as applicable. The Company also leverages industry associations, third-party benchmarking, the results from regular internal and third-party audits, threat intelligence feeds, and other similar resources to inform the Company’s cybersecurity processes and allocate resources.
The Company maintains security programs that include physical, administrative and technical safeguards, and the Company maintains plans and procedures whose objective is to help the Company prevent and timely and effectively respond to cybersecurity threats or incidents. Through the Company’s cybersecurity risk management process, the Company continuously monitors cybersecurity vulnerabilities and potential attack vectors to Company systems, and the Company evaluates the potential operational and financial effects of any threat and of cybersecurity countermeasures made to defend against such threats. The Company continues to integrate the Company’s cyber practice within the Company’s Risk Oversight Committee and Enterprise Risk Management program, both of which are overseen by the Company’s Board of Directors and provide frameworks for identifying and tracking cyber-related business and compliance risks across the Organization. The Company periodically engages third-party consultants to assist the Company in assessing, enhancing, implementing, and monitoring the Company’s cybersecurity risk management programs and responding to any incidents.
As part of the Company’s cybersecurity risk management process, the Company conducts an annual “tabletop” exercise during which the Company simulates cybersecurity incidents to ensure that the Company is prepared to respond to such an incident and to highlight any areas for potential improvement in the Company’s cyber incident preparedness. This exercise is conducted at both the technical level and senior management level. In addition, all employees are required to pass mandatory cybersecurity training courses on an annual basis and receive bi-weekly phishing simulations to provide “experiential learning” on how to recognize phishing attempts.
The Company has established a cybersecurity vendor risk management program, which is a cross-functional program that forms part of the Company’s Enterprise Risk Management program and is supported by the Company’s security, compliance, and third-party partners. Through this evolving program, the Company assesses the risks from cybersecurity threats that impact the Company’s third-party service providers with whom the Company shares personal identifying and confidential information. The Company continues to evolve the oversight processes to mature how the Company identifies and manages cybersecurity risks associated with the products or services the Company procures from third parties.
The Company has experienced, and may in the future experience, whether directly or through the Company’s third-party partners, cybersecurity incidents. While prior incidents have not materially affected the Company’s business strategy, results of operations or financial condition, and although the Company’s processes are designed to help prevent, detect, respond to, and mitigate the impact of such incidents, there is no guarantee that a future cyber incident would not materially affect the Company’s business strategy, results of operations or financial condition.
Governance
The Company’s Board of Directors has overall responsibility for risk oversight, with its committees assisting the Board in performing this function. The Company’s Board of Directors has delegated oversight of risks related to cybersecurity to two Board committees, the Risk Oversight Committee and the Audit Committee, and each committee reports on its activities and findings to the Board on a quarterly cadence. The Audit Committee is charged with reviewing the Company’s cybersecurity processes for assessing key strategic, operational, and compliance risks. The Company’s Information Security Officer provides quarterly presentations on cybersecurity risks to the Risk Oversight Committee and the Board. These briefings may include assessments of cyber risks, the threat landscape, updates on incidents, and reports on the Company’s investments in cybersecurity risk mitigation and governance. In the event of a potentially material cybersecurity event, the Incident Response Team (IRT) is notified and briefed, and meetings with that team and/or Executive Committee members are held, with the Board of Directors being briefed, as appropriate.
The Company’s Information Security Officer (ISO), James Hinks, leads the Company’s cybersecurity program and oversees the Company's Security Operations Team (SOC), supporting the Company’s security functions of identifying, preventing, detecting, responding, and recovering. The SOC team comprises personnel with extensive experience in information technology across the private and public sectors. Mr. Hinks holds multiple security accreditations and has 24 years of experience in cybersecurity, software development, systems, networking, and other technology-related roles within public and private industries, including 14 years in IT leadership roles. Mr. Hinks has been employed with the Company since 2019, overseeing information security, disaster recovery, vendor management, and physical security.