FIRST BANCORP /NC/ - (FBNC)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
The Company recognizes that the security of our banking operations is critical to protecting our customers, maintaining our reputation and preserving the value of the Company. The Board, primarily through its Risk Committee, provides direction and oversight of the enterprise-wide risk management framework of the Company, and cybersecurity represents a component of the Company’s overall approach to enterprise-wide risk management. The Company's Information Security Program establishes policies and procedures for measuring the effectiveness and efficiency of information security controls, both in design and in operation. The Company leverages the following guidelines and frameworks to develop and maintain its Information Security Program: FFIEC Information Security IT Examination Handbook, FFIEC Business Continuity Management IT Examination Handbook, FFIEC Cybersecurity Assessment Tool, and GLBA 501(b). In general, the Company addresses cybersecurity risks through a comprehensive, cross-functional approach that is focused on the confidentiality, integrity and availability of the information that the Company collects and stores, by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.
As one of the elements of the Company’s overall enterprise-wide risk management approach, the Information Security Program is focused on the following key areas:
•Security Operation and Governance: The Board has delegated to senior management responsibility for the Information Security Program which is managed through the IT Steering Committee, which maintains alignment and appropriate insight regarding information security activities.
•Collaborative Approach: The Company has implemented a cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
•Security Competencies: The Information Security department oversees a program of security competencies and tools designed to protect the confidentiality, integrity, and availability of our data. These assets represent a blend of various management (e.g., policies), operational (e.g., standards and processes), and technical controls (e.g., tools and configurations).
•Incident Response Plan: The Company has contracted with a third party to provide continuous security monitoring 24 hours per day, seven days per week, with resources that actively deliver threat analysis, vulnerability management, intrusion detection, and intrusion hunting. The Company’s Incident Response Plan helps reduce the risks related to security incidents by providing guidelines on responding to incidents.
•Third-Party Risk Management: Management of the Company’s third parties, including vendors and service providers, is conducted through a risk-based approach, and the level of due diligence is driven by risk factors established by our Risk Management department. The process provides awareness and collaboration across internal teams, including Information Security and Business Continuity. A Technical Requirements review process is conducted on new or significantly changed third parties, applications, or technology to ensure that the systems or third parties meet certain security baseline requirements. This process is aimed at advocating the necessary security, infrastructure, and application standards or controls so that information systems and the third party have recovery plans in place.
•Security Awareness and Education: The Company provides annual, mandatory training for personnel regarding security awareness as a means to equip the Company’s personnel with the understanding of how to properly use and protect the computing resources entrusted to them, and to communicate the Company’s information security policies, standards, processes and practices.
The Company leverages regular assessments to identify current and potential threats and vulnerabilities within the Company’s environment. Technical vulnerabilities are identified using automated vulnerability scanning tools, penetration testing, and system management tools, whereas non-technical vulnerabilities are identified via process or procedural reviews. The Company conducts a variety of assessments throughout the year, both internally and through third parties. Vulnerability assessment and penetration tests are performed on a regular basis to provide the Company with an unbiased view of its environment and controls. Vulnerabilities identified during these assessments are inventoried in a centralized tracking system and reported to management on a regular basis. A multi-step approach is applied to identify, report and remediate these vulnerabilities, and the Company adjusts its information security policies, standards, processes and practices as necessary based on the information provided by these assessments. The results of key assessments are reported in summary to the Board annually.
Governance
The Risk Committee of the Board provides direction and oversight of the enterprise-wide risk management framework of the Company, including the management of risks arising from cybersecurity threats. The Board Risk Committee reviews and approves the Information Security Program and receives regular presentations which include updates on cybersecurity risks, including the threat environment, evolving standards, projects and initiatives, vulnerability assessments, third-party and independent reviews, technological trends and information security considerations arising with respect to the Company’s peers and third parties. The Board Risk Committee also receives information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. The full Board receives reports from the Board Risk Committee related to cybersecurity.
Our Chief Information Officer ("CIO") works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s Incident Response Plans, including an assessment of the potential materiality of any cybersecurity incident. To facilitate the success of the Company’s cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CIO, Information Security, and Risk Management teams monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and report such threats and incidents to the Corporate Crisis Management Team and ultimately the Board when appropriate.
To our knowledge, no cybersecurity threat, and no previous cybersecurity incident or its results, has materially affected the Company, including its business strategy, results of operations or financial condition. With regard to the possible impact of future cybersecurity threats or incidents, see Item 1A, Risk Factors - Risks Related to Our Business.