FIRST MERCHANTS CORP - (FRME)

10-K Filing Date: February 29, 2024

ITEM 1C. THE CORPORATION’S CYBERSECURITY PROCESSES, POLICIES AND GOVERNANCE.

The increased use of, and dependence on, information management systems to engage with customers and conduct business necessarily creates cyber risk. Despite the significant resources and security measures deployed by the Corporation, the incentives for threat actors to obtain financial payment information and customer non-public information, or to conduct ransomware attacks, will continue to exist. Cyber breach statistics over the past several years evidence the targeting of numerous banking institutions and credit bureaus. Phishing attempts have also increased significantly, and political conflict presents additional cyber threats from nation states.

Operational risk is inherent in the Corporation’s activities and can present itself in numerous ways, including internal or external fraud, business disruptions or failures, noncompliance with applicable laws and regulations, cyber breach, or failure of third parties, among other events. The result of any of these could be reputational harm, financial losses, or litigation and regulatory fines for the Bank. The Corporation manages its operations so that operational risk remains in line with its risk appetite. To govern, monitor and control operational risk, the Corporation maintains an Enterprise Risk Management (“ERM”) Program, which sets thresholds for risk appetite by key risk area, such as strategic risk and operational risk. These thresholds are monitored by the Compliance and Internal Audit Departments, and key metrics are reported to management and Board committees. The ERM Program includes managing material risks from cybersecurity threats.

Use of third-party software and services also exposes the Corporation to cybersecurity risk, as numerous service providers host critical data or have direct contact with our bank customers. Although the Corporation adheres to industry standard practices in conducting thorough due diligence of vendors and contract management, should a vendor experience a breach, the Bank could still suffer reputational harm and potentially financial losses. Expanded use of cloud-based technologies and the provision of more internet-based product offerings to our customers in order to remain competitive will increase these potential risks. The Corporation’s third-party risk management program helps to mitigate risks posed by reliance on third and fourth parties. Governance of third parties includes a due diligence and risk assessment prior to contract execution, with ongoing oversight at a frequency defined by the third party’s risk profile.

The Corporation received written notice during 2023 that certain of its customer data was potentially included in the global incident involving the MOVEit Transfer file transfer product of Progress Software Corporation (“MOVEit Transfer”). The incident did not involve the Bank’s internal network or IT systems, but rather a prominent third-party vendor to financial institutions that utilized MOVEit Transfer in its service offering to the Bank. Based on the investigation, the Bank’s customers who use online and mobile banking could have had personal information copied through the cyberattack. The vendor confirmed that it implemented the recommended patches released by Progress Software Corporation for the platform. The Bank worked with the vendor to determine the potentially impacted customers and the extent of information potentially exposed, and the Bank notified potentially affected customers appropriately. The incident did not impact the ongoing operations of the Bank, and the Bank’s cyber insurance is expected to cover many of the costs related to the incident. The MOVEit Transfer incident is the only cybersecurity incident that materially affected the Corporation during the 2023 fiscal year.

To combat these ever-present cyber risks, the Corporation maintains a comprehensive Information Security Program, which includes annual risk assessments, an Incident Response Plan, and a layered control environment designed to detect, prevent, and limit unauthorized or harmful actions across our information technology environment. Information security policies are Board-approved, and various types of control testing are conducted throughout the year by both internal and external parties. Findings are addressed throughout the year and reported to the relevant committees. The Corporation has adopted the National Institute of Standards and Technology (NIST) Cybersecurity Framework for the management and development of cybersecurity controls and is an active participant in the financial sector information sharing organization, the Financial Services Information Sharing and Analysis Center (FS-ISAC).


PART I: ITEM 1A., ITEM 1B., AND ITEM 1C.

The Corporation’s Chief Information Security Officer (CISO) is responsible for assessing and managing the Corporation’s risks from cybersecurity threats. The CISO holds an active Certified Information Systems Security Professional (CISSP) certification, has been with the organization for 17 years, and has over 20 years of experience in technology infrastructure and security.

The Information Security Department conducts cyber incident tabletop exercises on an ongoing basis. These exercises vary by topic, but may include internal incident response teams, executive management, and third parties that provide forensic, legal, and public relations services. The purpose of these tabletops is to simulate a cyber event and work through it using our Incident Response Plan. This allows our incident response team to become familiar with the logistics of the plan and to provide feedback to improve the process and the plan. External subject matter experts, such as the Bank’s legal counsel, forensic advisors, marketing agency and insurance broker, participate in these exercises.

Management has established an Information Security Committee to assist executive management and the Board of Directors of the Bank in fulfilling their oversight responsibilities related to information security. The Corporation uses multiple assessors, consultants, auditors and other third parties in the fulfillment of the information security program. These third parties participate in testing and validation processes, as well as in the execution of certain program-related controls. The Committee reports its activities, key conclusions and recommendations to the Enterprise Risk Management Committee and the Board’s Risk and Credit Policy Committee on a quarterly basis. At the Information Security Committee, security-related policies and standards are reviewed and recommended for approval, annual risk assessment results and action plans are noted, annual penetration test reports are shared, current security incidents are discussed, and relevant cyber risks and trends are presented.

The Corporation’s Board of Directors has delegated primary responsibility for oversight of cybersecurity risk to its Risk and Credit Policy Committee, with its Audit Committee also considering cyber risk as part of financial oversight. The Information Security Department provides an annual update to the Risk and Credit Policy Committee of the Board on the state of the Information Security Program. This cybersecurity “deep dive” includes review of key security incidents and review of the Information Security Policy, Information Security Program, the Incident Response Plan, and the Acceptable Use Policy. The Board is then presented with the update by the Chair of the Risk and Credit Policy Committee.

The Board considers cybersecurity risks in business strategy by receiving updates on the Bank’s cybersecurity risk assessment. It assesses the experience of the management personnel responsible for preventing, mitigating, detecting and remediating cyber incidents, including the Chief Information Security Officer.

In 2022, the Board appointed Jason Sondhi to its Board of Directors. Mr. Sondhi has experience managing companies that provide endpoint detection and incident response, vulnerability scanning, security information and event management, security employee training and vCISO services. Mr. Sondhi’s cybersecurity expertise assists the Board in overseeing management’s cybersecurity-related efforts.