Ameris Bancorp - (ABCB)
10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
Our Board is regularly involved in oversight of the Company’s risk management program, and cybersecurity represents an important component of the Company’s overall approach to enterprise risk management (“ERM”). In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, integrity and availability of the information that the Company collects, stores and uses. Our principal objective for managing cybersecurity risk is to effectively identify and prevent or mitigate the impacts of external threat events or other efforts to penetrate, disrupt or misuse our systems or information.
The underlying controls of our information security program are based on regulatory guidance, recognized best practices and industry standards, including the National Institute of Standards and Technology Cybersecurity Framework. In addition, we leverage certain industry and government associations, third-party benchmarking, audits and threat intelligence feeds to facilitate and promote program effectiveness. Our Corporate Information Security Officer and our Chief Information Officer, to whom the Corporate Information Security Officer reports, as well as key members of their teams, regularly collaborate with peer banks, industry groups and others to consider cybersecurity and incident response issues, trends and best practices. The information security program is periodically reviewed by these individuals and their teams with the goal of addressing evolving threats and conditions. Our enterprise information security team consists of information security professionals with varying degrees of education and experience who are generally subject to professional education and certification requirements.
As one of the critical elements of our overall ERM approach, our cybersecurity program includes a focus on the following key areas:
• Governance. As discussed further below, the Board’s oversight of cybersecurity risk management is supported by the Enterprise Risk Committee of the Board (the “ERC”), which regularly interacts with the Company’s ERM function, Corporate Information Security Officer, Business Continuity Director and other key members of management. The activities of the ERC include a quarterly review of our cybersecurity risk profile, and the ERC provides a report of its activities at each meeting of the full Board.
• Technical Safeguards. We deploy technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.
• Third-Party Risk Management. We have designed and maintain a comprehensive, risk-based program in accordance with applicable regulatory standards for identifying and overseeing cybersecurity risks, among others, presented by third parties with whom we engage for the conduct of our business, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.
• Education and Awareness. We provide regular, mandatory training for our employees regarding cybersecurity threats as a means to equip them with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices.
• Incident Response Plan. In addition, we maintain a comprehensive incident response plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification to appropriate management committees and, as appropriate, the ERC. The incident response plan is overseen by our Business Continuity Director, who reports directly to our Chief Information Officer, and coordinated across multiple parts of the Company, with key members of management included in the implementation and execution of the plan. The incident response plan is updated as appropriate and evaluated at least annually.
We also engage in the periodic assessment and testing of our policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability and penetration testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. We regularly engage third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the ERC, who reports such results to the Board as appropriate, and we tailor our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.
The threat posed by cyberattacks and other cybersecurity incidents is significant, notwithstanding our prevention and mitigation systems and processes. To date, we have not experienced cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to affect the Company, including our business strategy, results of operations or financial condition. For additional discussion of risks from cybersecurity threats, see “Cyberattacks or other security breaches could have a material adverse effect on our business.” in Item 1A., “Risk Factors.”
Governance
The Board, in coordination with the ERC, oversees our ERM process, including specifically the management of risks arising from cybersecurity threats. The Board and the ERC each receive periodic presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment and information security considerations that may arise with respect to our peers, key vendors and other relevant third parties. If a cybersecurity incident meeting established reporting thresholds should occur, the Board and the ERC would also receive timely information regarding such incident, plus appropriate updates until the situation has been sufficiently resolved.
Our Corporate Information Security Officer, who holds relevant degrees and certifications and has more than 15 years of information technology and information security experience specific to the financial services industry, is charged with managing our enterprise information security function and administering our information security program. This area’s roles and responsibilities include cybersecurity risk assessment, vulnerability assessment, defensive operations, threat intelligence and identity access governance, as well as coordination with our Business Continuity Director for additional risk assessment, incident response and business resilience. These responsibilities are addressed by a first line of defense function, with our second line of defense function, including the Corporate Information Security Officer, providing oversight, guidance, monitoring and management of the first line’s activities. Through ongoing engagement among these personnel, our Corporate Information Security Officer and other key members of management routinely monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents, and report such threats and incidents to the ERC when appropriate.