Stellar Bancorp, Inc. - (STEL)

10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY

Our risk management program is designed to identify, assess, and mitigate risks across various aspects of our Company, including financial, operational, regulatory, reputational, and legal. The Board is actively involved in oversight of the Company’s risk management program, and cybersecurity represents an important component of the Company’s overall approach to enterprise risk management (“ERM”). The Company’s cybersecurity policies, standards, processes and practices are integrated into the Company’s ERM program and are based on recognized frameworks established by the Federal Financial Institutions Examination Council and other industry recognized standards. Our Chief Information Security Officer (“CISO”), who reports directly to the Bank’s Chief Risk Officer (“CRO”), along with key members of his team, regularly collaborates with peer banks, industry groups, and policymakers to discuss cybersecurity trends and issues to identify best practices. The information security program is periodically reviewed by the Bank’s CISO with the goal of addressing changing threats and conditions. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, integrity and availability of the information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

Risk Management and Strategy

As one of the critical elements of the Company’s overall ERM approach, the Company’s cybersecurity risk management program and strategy is focused on the following key areas:

Governance—As discussed in more detail under the heading “Governance,” the Board’s oversight of cybersecurity risk management is supported by the Risk Committee of the Board (the “Risk Committee”) and by the Technology Committee of the Board (the “Technology Committee”), which regularly interacts with the Company’s ERM function, CRO, Chief Information Officer (“CIO”), CISO and other members of management and relevant management committees. In recognition of the evolving landscape of cyber threats and the critical importance of safeguarding our digital assets and customer information, the Bank has taken proactive steps to enhance our cybersecurity framework and risk management practices. Central to these efforts is the expertise and oversight provided by the Board, particularly through the involvement of its Technology Committee. This committee is composed of directors with significant experience in technology and cybersecurity, working to align our cyber risk management strategies with best practices and industry standards.

Technical Safeguards—The Company deploys layered technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through penetration testing, vulnerability assessments and cybersecurity threat intelligence.

Incident Response and Recovery Planning—The Company has implemented a robust, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents. To that end, the Company has established and maintains a comprehensive cybersecurity incident response plan that establishes a structured approach for the Company’s response to a cybersecurity incident; the plan is tested and evaluated on a regular basis. The Company has implemented controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.

Outside Experts—The Company routinely works with outside experts, consultants, auditors and other third parties in connection with managing its cybersecurity risks and for advice regarding best practices and technical expertise.

Third-Party Risk Management—The Company maintains a robust, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.

Education and Awareness—The Company provides regular, mandatory training for personnel regarding cybersecurity threats to equip the Company’s personnel with effective tools to address cybersecurity threats.

The Company engages in the periodic assessment and testing of the Company’s policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The Company regularly engages third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Audit Committee of the Board, the Risk Committee, the Technology Committee and the Board. The Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.

During the fiscal year covered by this Report, the Company has not identified risks from cybersecurity threats, including as a result of prior cybersecurity incidents, that individually or in the aggregate have materially affected or are reasonably anticipated to materially affect the organization. Nevertheless, the Company recognizes that cybersecurity threats are ongoing and evolving, and we continue to remain vigilant. For more information on the Company's cybersecurity-related risks, see “Item 1A. Risk Factors – Risks Related to Cybersecurity, Third-Parties and Technology.” Those prior incidents, although not material, enabled us to enhance our operational and cybersecurity risk management practices. The lessons learned have also informed our approach to conducting tabletop exercises simulating potential cyber threats, allowing the Bank to assess and improve our response protocols.

Governance

The Board, in coordination with the Risk Committee and Technology Committee, oversees the Company’s ERM process, including the management of risks arising from cybersecurity threats. The Board and the Technology Committee each receive regular presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, and third-party and independent reviews. The CRO reports to the Technology Committee and management committees information regarding cybersecurity incidents that meet established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. On an annual basis, the Board, Technology Committee and appropriate management committees review the Company’s approach to cybersecurity risk management through reporting by the CISO. The Technology Committee and the Board approve the Information Security Program and all supporting Policies.

The CISO, in coordination with the Bank’s CRO, CIO and General Counsel, works across the Company to implement and monitor a program designed to protect the Company’s information systems from cybersecurity threats and promptly respond to any cybersecurity incidents in accordance with the Company’s cybersecurity incident response plan. The Company has recently bolstered cybersecurity leadership, with the addition of a Director of Information Security Officer (“DISO”). The DISO possesses a wealth of experience in the field of information security, notably having served as a regulator in charge of information security for over seven years. This background provides the DISO with a deep understanding of cybersecurity challenges and regulatory requirements faced by financial institutions. This expertise is invaluable in enhancing our cyber defenses and ensuring our compliance with stringent regulatory standards.

The Company’s CISO has served in various roles in information technology and information security for over twenty years, including serving as a Cyberspace Operations Officer in the United States Air Force Reserves and instructing for the SANS Technology Institute. The Company’s CISO holds an undergraduate degree in Business Administration and has attained the professional certification of Certified Information Systems Security Professional (“CISSP”) and numerous GIAC certifications. The Company’s CRO has a banking career of over 25 years and is currently serving as Senior Executive Vice President and Chief Risk Officer of Stellar Bank and Chief Risk Officer of Stellar Bancorp, Inc. Previously, the CRO held the positions of President and Chief Risk Officer at Allegiance Bank and Executive Vice President and Chief Risk Officer at Allegiance. The CRO’s banking career as an executive started at Independence Bank in 2002 as Senior Credit Officer, and the CRO was promoted to President in 2009. Between 2010 and 2013, the CRO also served as CEO of Independence Bank until joining Allegiance Bank following a merger. The CRO has since held the roles of Regional President, Deputy Chief Credit Officer, and Chief Administration Officer at Allegiance Bank. The CRO holds an MBA from the University of Houston and a Bachelor of Arts in Finance & Marketing from the same institution.

The Company’s CEO, CFO and General Counsel (“GC”) each hold undergraduate and/or graduate degrees in their respective fields, and each has significant experience managing risks at the Company and at similar companies, including risks arising from cybersecurity threats. The members of the Boards of Directors of the Company and the Bank have hundreds of combined years of experience running successful companies and managing enterprise risk. Specific cybersecurity expertise is brought to the Board by independent directors who lead or have led technology firms and, as such, have had direct managerial oversight of cybersecurity risks.