HILLS BANCORPORATION - (HBIA)

10-K Filing Date: March 05, 2024
Item 1C. Cybersecurity.

Description of Processes for Assessing, Identifying and Managing Cybersecurity Risks

Our operations are dependent on our ability to process financial transactions in a secure manner. Failure in or breach of our operational or security systems or infrastructure, or those of our third-party vendors and other service providers, could disrupt our business or the businesses of our customers, result in the disclosure or misuse of confidential or proprietary information, damage our reputation, increase our costs and cause losses.

We maintain a cybersecurity program for assessing, identifying and managing material risks from cybersecurity threats. This program includes processes that are modeled after the National Institute of Standards and Technology’s Cybersecurity Framework and focuses on using business drivers to guide cybersecurity activities. This program is managed by a team of full-time employees, overseen by our Information Security Officer, as part of our Information Services team. Our Information Services team is tasked with conducting our day-to-day information technology operations. Furthermore, we consider cybersecurity risks as part of, and have incorporated our cybersecurity program into, our overall risk management processes.

We seek to use a defense-in-depth approach for cybersecurity management, layers of technology, policies and training at all levels of the enterprise designed to keep our assets secure and operational. We use various processes as part of our efforts to maintain the confidentiality, integrity and availability of our systems, including security threat intelligence, incident response, identity and access management, endpoint extended detection and response protection, network segmentation, data encryption, and event monitoring. In an effort to validate the effectiveness of our cybersecurity program and assess such program’s compliance with legal and regulatory requirements, we engage third-party service providers to perform audits, assessments and penetration tests.

Cybersecurity awareness among our employees is promoted with regular training and awareness programs. All employees who have access to our systems are required to undergo annual cybersecurity training and, each year, our employees must review and acknowledge our cybersecurity policies. Further, our Information Systems team is trained to understand how to manage, use and protect personally identifiable information. User access controls have been implemented to limit unauthorized access to sensitive information and critical systems. Employees are required to use multifactor authentication and keep their passwords confidential, among other measures.

We recognize that third-party service providers may introduce cybersecurity risks. In an effort to mitigate these risks, before contracting with certain technology service providers, when possible, we conduct due diligence to evaluate their cybersecurity capabilities. Additionally, we endeavor to include cybersecurity requirements in our contracts with these providers and to require them to adhere to security standards and protocols.

Finally, we maintain cybersecurity insurance coverage.

Impact of Risks from Cybersecurity Threats

While we have not been materially impacted by cyber incidents, we have been subject to other intentional cyber incidents from third parties over the last several years, including denial of service attacks which attempt to interrupt service to customers and malicious software attacks on computer systems which attempt to allow unauthorized entrance. We also face risks related to cyber attacks and other security breaches in connection with card transactions that typically involve the transmission of sensitive information regarding our customers through various third parties. Some of these parties have in the past been the target of security breaches and cyber attacks, and because the transactions involve third parties and environments that we do not control or secure, future security breaches or cyber attacks affecting any of these third parties could impact us through no fault of our own, and in some cases we may have exposure and suffer losses for breaches or attacks relating to them. We also rely on numerous other third party service providers to conduct other aspects of our business operations and face similar risks relating to them. While we conduct security assessments on our higher risk third party service providers, we cannot be sure that their information security protocols are sufficient to withstand a cyber attack or other security breach. There can be no assurance that cyber incidents will not occur and they could occur more frequently and on a more significant scale.

Board of Directors’ Oversight and Management’s Role

Our Information Systems team is responsible for our efforts to comply with applicable cybersecurity standards, establish effective cybersecurity protocols and protect the integrity, confidentiality and availability of our Information Systems infrastructure. This team is responsible for cybersecurity threat prevention, detection, mitigation and remediation for the combined organization. Our cyber incident response plan requires all detections of suspicious activity in our Information Systems environment to escalate that activity to our Information Security Team who then evaluates the threat. Management (including representatives from the legal, operations, human resources, Information Systems and risk management departments) is notified by the Information Services team whenever a discovered cybersecurity incident may potentially have a significant impact on our business operations.

Our Board of Directors has delegated the responsibility for the oversight of cybersecurity risks to the Information Security and Technology Committees, which are ultimately responsible for assessing and managing our material risks from cybersecurity threats. The Information Security team and the Information Security Committee provide periodic cybersecurity program updates to senior management and to the Board. Management also updates the Board as new risks are identified and the steps taken to mitigate such risks.
