EAGLE BANCORP INC - (EGBN)
10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
As a publicly-traded financial institution, we are subject to various cybersecurity risks that could adversely affect our business, financial condition, results of operations and reputation, including, but not limited to, cyber-attacks against us or our service providers focused on gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data or causing operational disruption. As described below, we have risk management and governance practices and processes designed to address these risks.
The Company has established an enterprise risk management framework that outlines the processes and procedures the Company uses to identify, assess, mitigate, and monitor the risks faced by the Company, including cybersecurity risk.
Within the overarching enterprise risk management framework, we have an information security program designed to preserve the confidentiality, integrity, and availability of information or data on our systems and those of our service providers, as documented in our information security policy.
Our information security program takes a risk-based approach to identifying and assessing the cybersecurity risks that exist within our business and information technology systems. The program addresses the roles and responsibilities of the Board, its committees and management.
The Board is responsible for the oversight of cybersecurity risk management, as well as the selection of a Chief Information Security Officer (“CISO”), the management official responsible for administering and executing the information security program. The Board’s Technology Oversight Committee (“TOC”) assists the Board in its oversight of the information security program. The TOC reviews information security metrics, oversees significant instances of non-compliance with the information security policy and monitors remediation of those instances, and reviews the appointment of the CISO for recommendation to the Board.
At the management level, the Enterprise Risk Management Committee (“ERMC”) is primarily responsible for cybersecurity risk management. As it pertains to the information security program, the ERMC assesses and monitors information security risks and approves the information security policy on at least an annual basis. Certain instances of non-compliance with the information security policy are escalated to the ERMC, which may further escalate to the TOC as appropriate. Once escalated to a committee, the committee is responsible for overseeing related remediation.
Our CISO is responsible for the overall administration and execution of the information security program and reports to our Chief Risk Officer (“CRO”). Our CISO has over thirty years of experience working in information security for a variety of companies and organizations, including multiple financial institutions. The CISO monitors the security of, among other things, systems, applications, tools, databases, computers, websites, cloud infrastructure, vendor tools, and user access systems. The CISO performs an annual information security risk assessment, which, among other things, documents inherent risk levels and controls in place to manage those risks. The information security risk assessment is presented to the Board annually.
We strive to minimize the occurrence of cybersecurity incidents and the risks resulting from such incidents. However, when a cybersecurity incident does occur, the Company has in place an incident response program to guide our assessment of and response to the incident. The CISO coordinates the Company’s response to a cybersecurity incident, including investigating, recording and evaluating any potential, suspected or confirmed incidents involving non-public customer information or Company confidential information.
On a regular basis, the CISO reports to the CRO information security risk issues, risk mitigation progress and developments, and information security enhancement initiatives. The CISO also reports the status of information security-related key risk indicators to the CRO. The CISO reports to the TOC monthly on information security developments and emerging risks, both in the industry and specific to the Company. The CISO and CRO report on the information security program to the TOC and the ERMC and review and propose updates to the information security policy to the ERMC.
The Company employs third parties in certain aspects of its information security and cybersecurity risk management. For example, we engage third parties to assess the information security risks related to new products, and we utilize third parties to conduct certain security operations and maintain certain information security infrastructure. We have adopted a Contract and Vendor Management Policy, which addresses the identification, measurement, monitoring, and management of our third-party service provider relationships, including those related to information security. The CISO assesses and monitors information risks posed by third parties and any non-compliance with the controls created to address such risks. With respect to cybersecurity incidents affecting our third-party service providers, the CISO works with our service providers to understand and document any incidents, along with managing the impact to us and reporting such incidents to the CRO, ERMC, TOC, and, if applicable, the Board.
To date, we have not incurred any material losses related to cybersecurity incidents. However, the risk management and governance processes described above may not be sufficient to prevent cybersecurity incidents, and we could incur substantial costs and suffer other negative consequences from cybersecurity incidents. See “Part I, Item 1A. – Risk Factors” for more information on the cybersecurity risks facing the Company.