FIRST BANCSHARES INC /MS/ - (FBMS)

10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY

The Company’s information security program is designed to protect the security of our computer systems, networks, software and information assets, including customer information. The program is comprised of technical controls, policies, guidelines, and procedures. These technical controls, policies, guidelines, and procedures are intended to align with regulatory guidance, and common industry standard security practices.

The board of directors and our executives appreciate the severity of cybersecurity-related risks and support the continuous development of and investment in the information security program.

Commitment to Security and Confidentiality

At the Company, we expect each associate to be responsible for the security and confidentiality of customer information. We communicate this responsibility to associates during on-boarding and throughout their employment. Annually, training courses are assigned to each associate to complete on how to protect the confidentiality of customer information at the time of hire and during each year of employment.

We regularly provide associates with information security awareness training, including the recognition and appropriate handling of potential phishing emails, which can introduce malware to a bank’s network, result in the theft of user credentials and, ultimately, place customer information at risk. We regularly use phishing campaigns to train associates to determine their ability to recognize phishing emails. For associates who fail a phishing campaign, the associates are assigned additional training courses.

Associates must also follow established procedures for the safe storage and handling and secure disposal of customer information. Old or obsolete computer assets are subject to defined procedures and processes to ensure safe destruction of information contained on those devices. For paper-based information or documents, we dispose of paper using shred bins for destruction.

Cybersecurity Incident Response Plan

As part of our information security program, we have adopted an Information Security Incident Response Plan (Incident Response Plan), which is administered by the Company’s Chief Information Security Officer (CISO). The Incident Response Plan describes the Company’s processes, procedures, and responsibilities for responding to incidents, including security and cybersecurity incidents. The Incident Response Plan is intended to be followed in the event of a cybersecurity incident, including implementation of (i) forensic and containment, eradication, and remediation actions by information technology and security personnel and (ii) operational response actions by business units, communications, legal, and risk personnel. The Incident Response Plan includes an annual tabletop exercise to simulate responses to cybersecurity events. If applicable, each exercise may result in a postmortem that discusses lessons learned and evaluates any improvements to the Incident Response Plan.

The Incident Response Plan includes processes for escalation and reporting of cybersecurity incidents to the Incident Response Team.


Network and Device Security

The Company employs a constantly evolving, defense-in-depth methodology for cybersecurity. Robust high-availability firewalls are in place at the perimeter. Remote workers are supported through the Company’s secure VPN, which uses multifactor authentication. The Company has a vulnerability management program in place that includes a managed detection and response platform to ensure monitoring of the Company’s network, ensures the timely installation of software patches, and provides a risk-based approach to addressing vulnerabilities across the network. Network security controls are in place to prevent unauthorized access to the network or the Company’s IT resources. The Company employs controls over its managed workstations, servers, and other endpoints to prevent inappropriate access or damage to physical, virtual, or data assets. Data loss prevention programs are in place to prevent the inappropriate transmission or exposure of sensitive data assets or customer information.
Cybersecurity training is provided to all employees as part of the overall cybersecurity program. The Company contracts with third party vendors to conduct internal and external penetration tests against the Company’s networks and IT assets to ensure controls are operating in an appropriate manner.

Impacts of Cybersecurity Incidents

To date, the Company has not experienced a cybersecurity incident that has materially impacted our business strategy, results of operations, or financial condition. Addressing cybersecurity risks is a priority for the Company, and the Company is committed to enhancing its systems of internal controls and business continuity and disaster recovery plans.

Third-Party Vendor Controls

Before engaging third-party service providers, the Company carries out a due diligence process. This process is led by the Enterprise Risk Management team, with Information Security performing due diligence throughout the process. Risk assessments are reviewed using Service Organization Controls (SOC) reports, self-attestation questionnaires, and other tools.

Any third-party service provider or vendor utilized as part of the Company’s cybersecurity framework is required to comply with the Company’s policies regarding non-public personal information and information security. Third parties processing sensitive customer data are contractually required to meet all legal and regulatory obligations to protect customer data against security threats or unauthorized access. After contract executions, vendors undergo ongoing monitoring to ensure they continue to meet their security obligations.

Our Board of Directors’ Role in Oversight of Cybersecurity Threats

Our Board of Directors is responsible for overseeing the Company’s business and affairs, including risks associated with cybersecurity threats. The Board oversees the Company’s corporate risk governance processes primarily through its committees, and oversight of cybersecurity threats is delegated primarily to our Board Risk Committee.

The Board Risk Committee has primary responsibility for overseeing the Company’s comprehensive Enterprise Risk Management program. The Enterprise Risk Management program assists senior management in identifying, assessing, monitoring, and managing risk, including cybersecurity risk, in a rapidly changing environment. Cybersecurity matters and assessments are regularly included in Board Risk Committee meetings.

The Board’s oversight of cybersecurity risk is supported by our CISO and Cybersecurity Manager. The CISO and the Cybersecurity Manager attend Board Risk Committee meetings and periodically provide cybersecurity and other information security updates to the Board Risk Committee. The CISO also provides an annual information security program summary report to the Board, outlining the overall status of our information security program and the Company’s compliance with regulatory guidelines.

Our Management’s Role in Assessing and Managing Cybersecurity Matters

The Company’s CISO directs the Company’s information security program and our information technology risk management. The CISO and Cybersecurity Manager, along with a team of dedicated security personnel, examine risks to the Company’s information systems and assets, design and implement security solutions, monitor the environment, and provide immediate responses to threats.

Role of the Chief Information Security Officer and Cybersecurity Manager

Our CISO is responsible for the Company’s information security program. In this role, the CISO manages the Company’s information security program.

The CISO has experience with FDIC-regulated financial institutions, holds the Certified Banking Chief Information Security Officer (CBISO) certification, participates in various information security peer groups, and serves on the Mississippi Bankers Association’s Information Security Committee.

The Company’s Cybersecurity Manager oversees the day-to-day cybersecurity operations.

The CISO and Cybersecurity Manager support the information security risk oversight responsibilities of the Board and its committees. The CISO reports to our Chief Information Officer, who in turn reports to our Chief Executive Officer and President. The Cybersecurity Manager reports to the Information Technology Director, who in turn reports to the Chief Information Officer.

Our Cybersecurity Manager has experience spanning multiple OCC- and FDIC-regulated financial institutions across the nation. He holds various cybersecurity-related certifications and is currently registered with the International Information Systems Security Certification Consortium as a Certified Information Systems Security Professional (CISSP) member in good standing.

Role of the Enterprise Risk Manager

Our Enterprise Risk Manager is responsible for oversight of the Company’s information technology governance and risk program. In this role, the Enterprise Risk Manager provides independent oversight of information technology risk, promotes effective challenge to the Company’s information technology systems, and ensures that high-level risks receive appropriate attention. The Enterprise Risk Manager is a member of the Company’s Risk Management Group and reports to the Chief Risk Officer, who in turn reports to the Board Risk Committee.

Role of the IT Risk Governance Subcommittee

Governance of the information security program begins with the IT Risk Governance Subcommittee, a management-level subcommittee whose objective is to protect the integrity, security, safety, and resiliency of corporate information systems and assets. Our CISO leads the Company’s IT Risk Governance Subcommittee. The IT Risk Governance Subcommittee meets regularly to review the development of the program, develops recommendations, and provides regular reports to management and, ultimately, to the Board Risk Committee through the CISO.

Role of Enterprise Risk Management

Enterprise Risk Management (ERM) is a holistic process to identify, assess/measure, mitigate/control, and aggregate/escalate/report organizational risks, both internal and external, in order to make decisions aimed at maximizing shareholder value and achieving strategic goals. The overarching ERM program shapes information security strategy and development. ERM works with information security management to facilitate performance of Risk Assessments, the results of which are used to identify opportunities to strengthen the program.