TRICO BANCSHARES / - (TCBK)
10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
The Company's information security program is designed with the goal of maintaining the safety and security of our systems and data, and we employ a holistic process for overseeing and managing cybersecurity and related risks. This process is supported by both management and our board of directors.
Our risk management program is designed to identify, assess, and mitigate risks across various aspects of our company, including financial, operational, regulatory, reputational, and legal. Cybersecurity is a critical component of this program, given the increasing reliance on technology and the potential for cyber threats. Our Chief Information Security Officer (“CISO”) is primarily responsible for this cybersecurity component and, as discussed below, periodically reports to the Information Technology/Cybersecurity Committee (“IT/Cybersecurity Committee”) of our board of directors.
Our objective for managing cybersecurity risk is to avoid or minimize the impacts of efforts to penetrate, disrupt or misuse our systems or information. The structure of our information security program is designed around the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”), regulatory guidance, and other industry standards. This does not imply that we meet any particular technical standards, specifications, or requirements, but rather that we use the NIST CSF as a guide to help us identify, assess and manage cybersecurity risks relevant to our business. In addition, we leverage certain industry and government associations, third-party benchmarking, audits, and threat intelligence feeds to facilitate and promote program effectiveness. Our CISO and our Chief Information Officer ("CIO"), along with key members of their teams, regularly collaborate with peer banks, industry groups, law enforcement, and policymakers to discuss cybersecurity trends and issues and identify best practices. The information security program is periodically reviewed by such personnel with the goal of addressing changing threats and conditions.
We have established processes and systems designed to mitigate cyber risk, including regular and on-going education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests. We engage in regular assessments of our infrastructure, software systems, and network architecture, using internal cybersecurity experts and third-party specialists.
We engage third parties, including vendors and other external service providers, to support our cybersecurity and data privacy processes such as risk assessments, program enhancements, and value-added user verification services. These third parties provide security services, including regular reviews of our security environment to provide an independent, industry-recognized risk rating and internal audits of our technology and security controls. Further, we deploy technical safeguards that we believe are designed to help protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, endpoint detection and response, logging, monitoring and alerting, anti-malware functionality, email security, network security monitoring and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. Our third-party risk management program includes processes for identifying and managing material cybersecurity risks arising from third-party providers. The program actively engages with the enterprise-wide risk assessment process and partners with cyber risk management to report relevant risks to the IT/Cybersecurity Committee of our board of directors. Furthermore, our third-party risk management program includes cybersecurity as an aspect of its risk assessment of third parties with the objective that key risks are identified and addressed. Moreover, the program also considers risks associated with certain fourth parties, entities that are partners or subcontractors of our direct third-party vendors, through assessments carried out internally and by our third-party service providers.
We maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification of and escalation to the appropriate board-approved management committees, as discussed further below, and to the IT/Cybersecurity Committee of our board of directors. The Incident Response Plan is coordinated through the CISO, and key members of management are embedded into the plan by its design. This plan facilitates coordination across multiple parts of our organization and is evaluated at least annually.
Lastly, we leverage internal and external auditors and independent external partners to periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and make recommendations to strengthen our risk management program.
Governance
Our CIO and CISO have extensive experience assessing and managing cybersecurity programs and cybersecurity risk. Our CIO and CISO have served in their positions since joining the Company in June 2022 and January 2022, respectively. Our CIO, who reports directly to the Chief Operating Officer, has 30 years of experience in various technology and security leadership positions across multiple industries including banking, insurance services, utilities, technology service providers, and as a member of the US Air Force. Prior to joining us, our CIO served as a CIO for multiple banks leading both technology and cybersecurity. Our CISO, reporting directly to the CIO, has over 35 years of experience in various technology and security leadership positions across multiple industries including banking, healthcare, automotive, mining, education, engineering, construction, and dairy product production.
25 TriCo Bancshares 2023 10-K
Our board of directors has approved various management committees including the IT/Cybersecurity Committee, which provides oversight and governance of the technology program and the information security program, as well as oversight and governance of the Company’s data and its storage. This committee is chaired by the CIO and includes various employees within the enterprise information security department, including the CIO and CISO, and other key departmental managers from throughout the entire company, including information technology, risk, compliance, operations and human resources/training. This committee generally meets quarterly to provide oversight of the risk management strategy, standards, policies, practices, controls, and mitigation and prevention efforts employed to manage security, data risks and incidents. The committee reports its findings to the management Enterprise Risk Committee. More frequent meetings occur from time to time in accordance with the Incident Response Plan to facilitate timely informing and monitoring efforts. The CISO reports on key issues, including significant cybersecurity and/or privacy incidents, discussed at management committee meetings and the actions taken in connection with those meetings to the IT/Cybersecurity Committee of the board of directors on a quarterly basis (or more frequently as may be required).
Our Board of Directors has ultimate oversight of cybersecurity risk, which it manages as part of our enterprise risk management program. That program is utilized in making decisions with respect to company priorities, resource allocations, and oversight structures. The IT/Cybersecurity Committee of the board of directors regularly reviews our cybersecurity program with management and reports to the Board of Directors. The IT/Cybersecurity Committee meets at least quarterly (or more frequently as may be required), and receives updates from the CISO on topics with respect to the cybersecurity program. The IT/Cybersecurity Committee reviews and approves our information security and technology budgets and strategies annually. Additionally, the Risk Committee of our board of directors reviews our cybersecurity risk profile on a quarterly basis. The management IT/Cybersecurity and Risk Committees each provide reports of their activities to the full board of directors at each board meeting in the event all board members are not present at the relevant board committee meetings.
Cybersecurity Incidents
In February 2023, we experienced a cyberattack that resulted in the temporary interruption of our systems, disclosure of certain confidential information, litigation and governmental inquiries, the consequences of which may be material. See “Item 1A. Risk Factors - We experienced a criminal cyberattack in February 2023, which resulted in the temporary interruption of our systems, disclosure of certain confidential information, litigation and governmental inquiries, all of which could damage our reputation or create additional financial and legal exposure.” in Item 1A. Risk Factors which is incorporated by reference into this Item 1C.
In addition, we have experienced unrelated incidents involving unauthorized access to certain confidential information and systems. Typically, these incidents have involved attempts to commit fraud by taking control of a customer’s systems and/or emails, often by exploiting insider access or using compromised credentials. In other cases, the incidents have involved unauthorized access to certain of our customers’ private information, including credit card information, financial data, social security numbers or passwords. Some of these incidents have occurred at third-party providers, including third parties who provide us with various systems and/or services. For example, in 2023, one of our third-party vendors experienced a cybersecurity incident due to a previously unknown (i.e., zero-day) vulnerability in a popular file sharing software the vendor used called MOVEit Transfer. To date, none of these incidents have materially affected or are reasonably likely to materially affect the Company or our financial position or results of operations.
Notwithstanding our defensive measures and processes, the threat posed by cyberattacks is severe. Our internal systems, processes, and controls are designed to mitigate loss from cyberattacks. We continue to invest in the cybersecurity and resiliency of our networks and to enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain. For more information regarding the risks we face from cybersecurity threats, see "Risks Related to Operations, Technology Systems, Accounting and Internal Controls" in Item 1A. Risk Factors, which is incorporated by reference into this Item 1C.