HANCOCK WHITNEY CORP - (HWC)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

The Company’s information security program is designed to protect the security, availability, integrity, and confidentiality of our computer systems, networks, software and information assets, including client and other sensitive data. The program comprises policies, guidelines, and procedures that are intended to align with regulatory guidance, the ISO Code of Practice for Information Security Controls, and common industry practices. Assessing, identifying and managing cybersecurity-related risks are integrated into our overall enterprise risk management process.

The Company expects each associate to be responsible for the security and confidentiality of client information. We communicate this responsibility to associates upon hiring and regularly throughout their employment. We require each associate to complete training to protect the confidentiality of client information at the time of hire and during each year of employment. Associates must successfully pass a test to demonstrate understanding of these requirements and provide acknowledgement of their responsibilities.

Additionally, we regularly provide associates with information security awareness training covering the recognition and appropriate handling of potential phishing emails, which can introduce malware to a company’s network, result in the theft of user credentials and, ultimately, place client or employee data, or other sensitive company data, and information at risk. The Company employs a number of technical controls to mitigate the risk of phishing emails. We regularly test associates to determine their susceptibility to phishing emails. We require susceptible associates to take additional training and provide regular reports to management. We additionally maintain procedures for the safe storage and handling and secure disposal of sensitive information.

The Company protects its network and information assets with industry-tested security products and processes. Our teams actively monitor company networks and systems to detect suspicious or malicious events. The Company evaluates potential cyber risks, as appropriate, in its regular risk assessments. The Company also conducts vulnerability scans, and contracts with third-party vendors to perform penetration tests against the Company’s network. In addition, the Company’s Cyber Defense Center team monitors threat intelligence sources to anticipate and research evolving threats, investigates their potential impact to financial services companies, examines the Company’s controls to detect and defend against those threats, and proactively adjusts the Company’s defenses against those threats. The Company also engages expert cyber consultants, as necessary and appropriate.

Before engaging third-party service providers who may have access to the Company’s sensitive data (including customer and employee data) or to the Company’s systems, we perform due diligence to identify and evaluate their cyber risks, which includes self-attestation questionnaires (developed using Service Organization Controls (SOC) reports). This process is led by the Vendor Management team and includes participation of dedicated information security resources. Third-party service providers processing sensitive data are contractually required to meet applicable legal and regulatory obligations to protect sensitive data against cybersecurity threats and unauthorized access. After contract execution, third-party service providers deemed critical by our vendor management office undergo ongoing monitoring to confirm that they continue to meet their security obligations and to identify other potential cybersecurity threats.

As part of our information security program, we have adopted an Information and Cybersecurity Incident Response Plan (“Incident Response Plan”), which is administered by our Chief Information Security Officer (“CISO”) in close collaboration with our Director of Enterprise IT Risk. The Incident Response Plan describes the Company’s processes, procedures, and responsibilities for responding to cybersecurity incidents. The Incident Response Plan is intended to proceed on parallel paths in the event of a cybersecurity incident, including implementation of (i) forensic, containment, eradication, and remediation actions by information technology and security personnel and (ii) operational response actions by business, communications, and risk personnel. Our incident response team performs exercises annually to simulate responses to cybersecurity events.

The Incident Response Plan includes procedures for escalation and reporting of potentially significant cybersecurity incidents to the Company’s Chief Operating Officer, Chief Financial Officer, Chief Risk Officer, and our Board Risk Committee.

Impacts of Cybersecurity Incidents

To date, the Company has not experienced a cybersecurity incident that has materially impacted our business strategy, results of operations, or financial condition. Despite our efforts, there can be no assurance that our cybersecurity risk management processes and measures described will be fully implemented, complied with, or effective in protecting our systems and information. We face risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect our business strategy, results of operations or financial condition. See Item 1A. “Risk Factors” in this document for further discussion of the risks associated with an interruption or breach in our information systems or infrastructure.

Cybersecurity Governance

Our Board of Directors is responsible for overseeing the Company’s business and affairs, including risks associated with cybersecurity threats. The Board oversees the Company’s corporate risk governance processes primarily through its committees, and oversight of cybersecurity threats is delegated primarily to our Board Risk Committee. The Board also periodically designates directors as its cybersecurity contact points. Our Chief Operating Officer facilitates the involvement of these designated directors in oversight of potentially significant cybersecurity incidents. The current directors designated as cybersecurity contacts are Chairman Jerry Levens, Board Risk Committee Chair Frank Bertucci, and Suzette Kent.

The Risk Committee oversees the management process associated with cybersecurity risk. Cybersecurity matters and assessments are regularly included in Board Risk Committee meetings. The Board Risk Committee has primary responsibility for overseeing the Company’s comprehensive Enterprise Risk Management program. The Enterprise Risk Management program assists senior management in identifying, assessing, monitoring, and managing risk, including cybersecurity risk, in a rapidly changing environment. The Board Risk Committee provides reports to the full Board on the Company’s information security program on an annual basis.

The Company’s CISO directs our information security program and the Director of Enterprise IT Risk directs our information technology risk management. Led by our CISO and Director of Enterprise IT Risk, a team of dedicated security professionals examines risks to the Company’s information systems and assets, designs and implements security solutions, monitors the environment and provides immediate responses to threats.

The CISO regularly attends Board Risk Committee meetings and sits in executive session with the Committee members at least annually to update committee members on material cybersecurity and other information security developments and risks. The CISO also provides an annual information security program summary report to the Board, outlining the overall status of our information security program and the Company’s compliance with regulatory guidelines.

The IT Risk Governance Subcommittee, a management-level subcommittee of our Operations Committee, also addresses information security and is responsible for overseeing the protection of the integrity, security, safety and resiliency of corporate information systems and assets. The subcommittee meets quarterly to review the development of the program and provide recommendations. The subcommittee provides regular reports to the Operations Committee and, ultimately, to the Board Risk Committee through the CISO. Our CISO and Director of Enterprise IT Risk together co-lead the IT Risk Governance Subcommittee.

Our CISO is responsible for the Company’s information security program. In this role, the CISO manages the Company’s information security and day-to-day cybersecurity operations and supports the information security risk oversight responsibilities of the Board and its committees. The CISO is a member of the Company’s Corporate Operations group and reports to our Chief Information Officer, who in turn reports to our Chief Operating Officer. Our CISO has cybersecurity experience spanning more than two decades. Prior experience includes senior security roles in large government agencies and Fortune 200 companies. He has spoken at area colleges and various industry events about information security. He holds a degree in electrical engineering, is a graduate of banking school, and maintains several industry certifications.

Our Director of Enterprise IT Risk is responsible for the Company’s information technology governance, risk, and compliance program. In this role, the Director of Enterprise IT Risk provides independent oversight of information technology risk, promotes effective challenge to the Company’s information technology systems, and ensures that high level risks receive appropriate attention. The Director of Enterprise IT Risk is a member of the Company’s Corporate Risk Management Group and reports to our Chief Risk Officer, who in turn reports to our CEO. Our Director of Enterprise IT Risk has over two decades of business continuity, crisis management and risk experience in the financial services industry and maintains related industry certifications.