PROSPERITY BANCSHARES INC - (PB)
10-K Filing Date: February 28, 2024
Risk Management and Strategy
The Company’s risk management program is designed to identify, assess, and mitigate risks across various areas and functions, including financial, operational, technological, regulatory, reputational, and legal. Cybersecurity is a critical component of this program, given the increasing reliance on technology and the potential for cyber threats. The Company’s Chief Information Security Officer is primarily responsible for this cybersecurity component and is a key member of the risk management organization, reporting directly to the Chief Risk Officer and, as discussed below, periodically to the Strategic Technology Committee of the Bank’s board of directors.
The Company’s objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse its systems or information. The structure of the Company’s information security program is designed around the National Institute of Standards and Technology Cybersecurity Framework, regulatory guidance, and other industry standards. In addition, the Company leverages certain industry and government associations, third-party benchmarking, audits, and threat intelligence feeds to facilitate and promote program effectiveness. The Chief Information Security Officer and Chief Information Officer, who reports directly to the Director of Corporate Strategy, along with key members of their teams, regularly collaborate with peer banks and industry groups to discuss cybersecurity trends and issues and identify best practices. The information security program is periodically reviewed by such personnel with the goal of addressing changing threats and conditions.
The Company employs an in-depth, layered, defensive strategy that embraces a “trust by design” philosophy when designing new products, services, and technology. The Company leverages people, processes, and technology as part of its efforts to manage and maintain cybersecurity controls. It also employs a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. The Company has established processes and systems designed to mitigate cyber risk, including regular and ongoing education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests. It engages in regular assessments of its infrastructure, software systems, and network architecture, using internal cybersecurity experts and third-party specialists. The Company also maintains a third-party risk management program designed to identify, assess, and manage risks, including cybersecurity risks, associated with external service providers and its supply chain. The Company actively monitors its email gateways for malicious phishing email campaigns and, because a portion of its workforce has the option to work remotely, monitors remote connections. The Company leverages internal and external auditors and independent external partners to periodically review its processes, systems, and controls, including with respect to its information security program, to assess their design and operating effectiveness and make recommendations to strengthen its risk management program.
The Company maintains an Information Security Incident Response Policy (“Incident Response Policy”) and related procedures that provide a documented framework for responding to actual or potential cybersecurity incidents, including timely notification of and escalation to the Crisis Management Team and to the appropriate regulatory and governmental authorities. As needed, the notification may include the CEO and/or the Company’s and Bank’s Board of Directors. The Incident Response Policy and procedures are coordinated through the Chief Risk Officer and key members of management are embedded into the procedures by their design. The Incident Response Policy facilitates coordination across multiple parts of the organization and is evaluated at least annually.
Notwithstanding the Company’s defensive measures and processes, the threat posed by cyber-attacks is severe. The Company’s internal systems, processes, and controls are designed to mitigate loss from cyber-attacks and, while it has experienced cybersecurity incidents in the past, to date, risks from cybersecurity threats have not materially affected the Company. For further discussion of risks from cybersecurity threats, see the section captioned “An interruption in or breach in security of the Company’s information systems may result in a loss of customer business and have an adverse effect on the Company’s results of operations, financial condition and cash flows” in Item 1A. Risk Factors.
Governance
The Chief Information Security Officer is accountable for managing the enterprise information security department and delivering the information security program. The responsibilities of this department include cybersecurity risk assessment, a portion of defense operations, incident response, vulnerability assessment, threat intelligence, identity access governance and third-party risk management. The Company’s information technology department works together with information security in defense operations and is responsible for business resilience. The foregoing responsibilities are covered on a day-to-day basis by a first line of defense function, and the Company’s second line of defense function, including the Chief Information Security Officer, provides guidance, oversight, monitoring and challenge of the first line’s activities. The second line of defense function is separated from the first line of defense function through organizational structure and ultimately reports directly to the Chief Risk Officer. The department consists of information security professionals with varying degrees of education and experience. Individuals within the department are generally subject to professional education and certification requirements. The Company’s Chief Information Security Officer has substantial relevant expertise and formal training in the areas of information security and cybersecurity risk management.
The Bank’s board of directors has approved the management level Operations Committee, which focuses on business impact, and the Enterprise Risk Management Committee (“ERM Committee”), which also focuses on business impact and provides oversight and governance of the information security program, and the board level Strategic Technology Oversight Committee (“STOC”), which focuses on technology impact and provides oversight and governance of the technology program. The Operations Committee is chaired by the Chief Operating Officer and includes the Chief Information Security Officer and Chief Information Officer and other key departmental managers from throughout the Company. This committee generally meets bi-weekly to discuss various operational strategy and issues, including information technology and information security policies, practices, controls, and mitigation and prevention efforts.
The ERM Committee meets quarterly and oversees the information security program. It approves the broad objectives, strategies and major policies governing the Company’s protection of data assets and provides agreement on the definition and scope of the information security framework. Along with reviewing, approving, and prioritizing information security efforts, it reviews and challenges the results and adequacy of information security practices. From an enterprise perspective, the ERM Committee reviews the cybersecurity risk profile on a quarterly basis and reports on cyber risk to the Risk Committee of the Company’s board of directors.
STOC is responsible for overseeing the Company’s technology program, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. The Company’s Chief Information Security Officer and its Chief Information Officer provide quarterly reports to the STOC regarding the information security program and the technology program, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes. The Chief Information Security Officer also reports summaries of key issues, including significant cybersecurity and/or privacy incidents.