PREMIER FINANCIAL CORP - (PFC)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

Premier’s risk management program is designed to identify, measure, prioritize, and manage risk, including information security and cybersecurity risk, in relation to the Company’s desired risk appetite established by its Board of Directors. Premier uses a risk-based approach to manage and mitigate threats to information technology resources. Periodic risk assessments are conducted to identify, assess, and reduce information security and cybersecurity risks to acceptable levels.

Premier maintains an active Information Security Policy (the “IS Policy”) and associated programs, procedures and standards (collectively with the IS Policy, the “ISPP”) in alignment with Federal Financial Institutions Examination Council and National Institute of Standards and Technology guidance to help mitigate risks that may impact the Confidentiality, Integrity and Availability (the “CIA Triad”) of systems and information. The programs, procedures and standards that make up the ISPP are reviewed and approved annually by senior management, and the IS Policy itself is reviewed and approved annually by either the Risk Committee of the Board of Directors or the full Board of Directors. These annual reviews and approvals ensure the ISPP meets expectations to safeguard Premier and customer confidential information. The ISPP is subject to annual review by our auditors (both internal and external), the FDIC, and the ODFI to ensure it is in alignment with Premier’s internal risk management practices, government regulatory expectations and industry best practices. We use auditors and other third-party resources, in addition to internal tools and resources, for security monitoring and testing.

Premier maintains an Information Technology Incident Response Policy and an Information Security Incident Response Playbook that together coordinate the identification, reporting and escalation, containment, and remediation of any potential information security incident. Each cybersecurity incident is reviewed by the Chief Information Security Officer (“CISO”) to determine whether the matter needs to be escalated to the Company’s Information Response Team, Information Security Oversight Committee (“ISOC”), Enterprise Risk Management Committee (“ERMC”), or the Board of Directors or Board-level Risk Committee.

Premier addresses third-party risks as part of Premier’s Vendor Risk Management (“VRM”) Policy and Program. The purpose of the VRM is to provide a consistent framework to direct Premier in the assessment, measurement, monitoring and control of risks related to vendors and third parties with whom Premier does business. Premier assesses and monitors the cybersecurity controls of third-party service providers and partners. As part of the initial due diligence and ongoing monitoring of each vendor, the Company reviews the vendor’s internal controls based on the COSO framework in alignment with the vendor’s formal SOC 2 assessments. The focus of the review is on a vendor’s internal management and security practices, including but not limited to physical/systems security, business resiliency, application programming practices, systems security monitoring, and systems change control/authorization.

The VRM Program is currently managed under the direction of the CISO, with the goal of ensuring that vendors meet their obligations regarding the confidentiality, integrity, and availability of Company and customer information. Beginning with the establishment of a vendor relationship, vendors are risk-rated based on their criticality to the operations of Premier and the sensitivity of the information the vendor has access to or uses in providing services to the Company. These assessments include, but are not limited to, a review of the financial, operational and security aspects of the vendor. After the relationship is established, vendors are reevaluated on a regular basis according to their criticality and risk rating, with such reevaluations conducted annually, every two years, or every three years.

Notwithstanding the focus Premier places on cybersecurity, Premier may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on the Company. As of the date of this Form 10-K, the Company is not aware of any cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations, or financial condition, that are required to be reported in this Form 10-K. For further discussion of cybersecurity risks, please see Item 1A. “Risk Factors.”

Governance

The Premier Board of Directors has assigned to the Board Risk Committee (“BRC”), along with the ERMC, oversight of risk management, including risks associated with information security and cybersecurity. The BRC consists of independent directors of Premier, with participation from Premier’s executive leadership and additional members of management. The ERMC is chaired by the Chief Risk Officer and, in addition to general oversight of risk management, is responsible for documenting all risks for the organization and reporting issues of a critical nature to the BRC. The ERMC meets monthly and is a cross-functional group consisting of all members of executive leadership and additional members of management from different areas of the Company. The ISOC is responsible for managing and mitigating information security and cybersecurity risks where appropriate and escalates issues to the ERMC. The ISOC is chaired by the CISO and includes select members of executive leadership and representatives from the Risk Management Department and the Information Technology Department. The ISOC meets at least monthly. Status reports on cybersecurity risks and the progress of mitigation activities flow routinely from the ISOC to the ERMC and then to the BRC.

The information security and third-party risk management programs of the Company are managed by the CISO, who is a member of the Company’s Risk Management Department and reports directly to the Company’s Chief Risk Officer, who in turn reports directly to the Chief Executive Officer. The CISO’s responsibilities include: maintaining the information security risk assessment and related reports to management; monitoring reasonably foreseeable threats, internal and external, that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or data systems; overseeing the development, implementation, enforcement and maintenance of the ISPP; implementing appropriate changes to the program in response to industry or regulatory mandates; monitoring the entire ISPP, reviewing it at least annually, and adjusting it as necessary for changes in regulation, technology, personnel, procedures and business arrangements; reporting the status of the ISPP periodically; ensuring information security awareness training is provided to all employees on a regular basis; ensuring the ISPP assessments are updated to include control changes for existing and new products, processes, and systems, reflecting the associated changes to risk and mitigation methodology; providing guidance to management on emerging risks, cyber threats and regulatory changes; and maintaining information security program strategic goals in alignment with IT and PFC business strategy.