INDEPENDENT BANK CORP - (INDB)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity threats pose a risk to the Company, as crimes committed through or involving the internet, such as phishing, hacking, denial of service attacks, stealing information, unauthorized intrusions into internal systems or the systems of third-party vendors could adversely impact the Company’s operations or damage its reputation. The Bank manages cybersecurity threats proactively and maintains robust controls to protect its critical systems and data by investing in secure, reliable and resilient technology infrastructure, fostering a culture of technology risk awareness and continuously improving its technology risk management practices. The Company’s process for monitoring and mitigating cybersecurity risk is designed in conjunction with its overall Enterprise Risk Management Policy. The Company’s Information Security Program follows ISO 27002, an international standard for information security controls, as well as references to the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, the Federal Financial Institutions Examination Council Information Examination Handbook, and other regulatory guidance and industry standards.

The Company has several processes in place to oversee and identify these risks, such as the Information Technology Risk Governance Committee (“ITRGC”), which is responsible for oversight of information technology ("IT") and information security ("IS") risk. This committee oversees the establishment and revision of IT and IS key risk and key performance indicators and the ongoing monitoring of these metrics. The Company’s Director of Enterprise Information Security is responsible for cybersecurity initiatives at the Company, including identifying and managing security risks, and escalating elevated risks to the Information Security Officer, who works in tandem with the Chief Risk Officer; together they report on emerging and existing threats and mitigation strategies to the Board, which has oversight of cybersecurity risk, on a semi-annual basis, or more frequently if needed. The Director of Enterprise Information Security and the Information Security Officer have 30 and 22 years, respectively, of information security experience across a wide range of industries, and both possess substantial knowledge and expertise in how to manage information security and cybersecurity risks. Additionally, the team of employees supporting them maintains the education and certification requirements necessary to carry out their responsibilities.

The Company has deployed a layered security approach to identify, measure, monitor and control information technology risks. The Company also maintains a documented Incident Management Standard and a Technology and Cyber Incident Response Plan. These documents address the prevention, detection, mitigation, and remediation of cybersecurity incidents, and include appropriate, timely incident escalations to be followed during an incident, up to and including executive leadership, management committees such as the ITRGC, and, depending on incident severity, the Board or a Board committee. The volume, severity, and root cause of security incidents are reported on at monthly management committees. The Company regularly engages independent third parties to assist in its cybersecurity preparedness, including but not limited to vulnerability scan assessments, secure code scan reviews, and cybersecurity incident response simulations. The Company’s internal audit department also performs annual cybersecurity penetration testing over the Company’s internal and external networks. Additionally, for third party related technologies, the Company’s Third Party Risk Management Program (“TPRM”) is involved with onboarding and ongoing monitoring of these vendor relationships. TPRM documents the Company’s view of applicable third party vendors, assessing each vendor’s technological capability to provide products and/or services in a viable and risk-averse manner.

In an effort to mitigate risks related to cybersecurity threats, the Company has also designed and implemented required training for all employees, including training on the Company’s security and privacy policies, which are mandatory as part of the onboarding process, with refresher trainings required annually thereafter. Additionally, the Company carries out regular phishing simulation tests throughout the year to keep employees alert, spread awareness and ensure that employees have the knowledge and resources necessary to report suspicious activity.

While the Company has seen attempts to gain access to its systems, and expects such attacks to continue, or possibly intensify in the future, the Company has not experienced any material losses relating to cyber-attacks or other information security breaches as of December 31, 2023. As a protective measure, the Company maintains insurance coverage for cybersecurity incidents experienced by the Company, or by one or more of the Company’s third party providers; however, such insurance coverage may not be sufficient to cover all losses incurred. As of the date of this Report, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. For further discussion surrounding risks from cybersecurity threats, refer to the section captioned “Risks Related to Information Security and Technology” within Item 1A of this Report.