BANK OF HAWAII CORP - (BOH)
10-K Filing Date: February 29, 2024
As a company that collects and retains large volumes of customer and employee data, including payment card numbers and other personally identifiable information, we face significant and persistent cybersecurity risks. The protection and integrity of that data is important to us, which is demonstrated by the significant efforts and investments made to implement various measures to manage the risk of a security breach or disruption.
Risk Management and Strategy
Assessing, identifying and managing cybersecurity-related risks are integrated into our overall Enterprise Risk framework, of which one of the objectives is to ensure the confidentiality, integrity, and availability of our information sets through the maintenance of a comprehensive information security program. One of the key aspects of this program is a risk assessment that is used to identify industry and company-specific risks, measure control effectiveness, identify any gaps that need to be addressed, and link our controls with applicable policies, standards and guidelines to ensure that responsible parties are aware of their obligations with respect to this program.
Governance
Since the management of cybersecurity risks is ultimately the responsibility of the Board of Directors, it devotes significant time and attention to the oversight of cybersecurity and information security risks, and benefits from the technical expertise of its members. The Board of Directors reviews an Enterprise Risk Position report that reflects key risk measures and trends across the Company, including cybersecurity. The Board of Directors also reviews and approves the Information Security Policy annually and frequently receives presentations on and discusses cybersecurity and information security risks, industry trends and best practices.
The Audit & Risk Committee, which is charged with assisting the Board of Directors in fulfilling its oversight responsibilities related to the Company’s enterprise-wide risk management framework, receives an operational risk update at least quarterly that includes a review of cybersecurity and information security risk.
The Board of Directors is also responsible for the approval and oversight of the Information Security (IS) Program. Our Chief Information Security Officer (CISO), who is designated as the IS Program Coordinator, has extensive information technology, security and program management experience. The Information Risk and Controls Management Department, under the direction of the CISO, administers the IS Program with an objective of preventing cybersecurity incidents by ensuring the confidentiality, integrity and availability of company information. Central to incident management is the Information Security Incident Response Team (ISIRT), which is responsible for responding expeditiously and effectively to security incidents to minimize risks to the business, customers and consumers. In the event of an incident, we follow the detailed incident response plan, which outlines the steps to be followed from incident identification to mitigation, recovery and notification, including notifying functional areas, regulators, as well as senior leadership and the Board, as appropriate.
All of our employees also have a responsibility to protect the privacy of bank confidential and proprietary information. They are required to undergo periodic information security awareness training to ensure a clear understanding of their roles in protecting information assets and to create a security-minded culture.
We continue to strengthen the management and oversight of cybersecurity risks through new security system enhancements, policies, testing, identification and reporting. We also engage a third party to perform penetration testing and ongoing analysis to identify potential vulnerabilities and areas for additional enhancements.
We utilize third party service providers to support and facilitate business and operational activities and to achieve strategic goals. However, third parties may expose us and our customers to various risks. We have implemented a Third Party Risk Management framework, which provides the tools and practices utilized in the oversight of third party service providers, with an objective to meet legal and regulatory obligations, contractual requirements, performance expectations, and our own principles and values.
We are subject to extensive federal and state regulation of customer privacy and the security of financial information. Our federal regulator, the FRB, is part of the Federal Financial Institutions Examination Council (FFIEC), which publishes extensive guidelines and examination procedures that are used to review the security of Bank of Hawaiʻi and other financial institutions.
For the 2023 period, we reported no material cybersecurity incidents affecting the confidentiality, integrity, or availability of data or systems. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.
For further information, please see our risk factor titled “An interruption or breach in security of our information systems or those related to merchants and third-party vendors, including as a result of cyber attacks, could disrupt our business, result in the disclosure or misuse of confidential or proprietary information, damage our reputation, or result in financial losses.”