FIRST HAWAIIAN, INC. - (FHB)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

The Company recognizes the critical importance of developing, implementing and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data.

Managing Material Risks and Integrated Overall Risk Management

The Company has implemented a risk-based approach to identify and assess the cybersecurity threats that could affect our business and information systems. Our cybersecurity program is designed to align with industry standards and best practices, such as the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. We use various tools and methodologies to manage cybersecurity risk that are tested on a regular cadence. We also monitor and evaluate our cybersecurity posture and performance on an ongoing basis through regular vulnerability scans, third-party conducted penetration tests and network monitoring. We also provide security awareness training for employees and contractors, maintain a cybersecurity insurance policy and invest in new security capabilities designed to address emerging threats.

In addition, the Company has a set of enterprise-wide policies, standards, and procedures concerning cybersecurity matters, which include an information security policy and program reviewed and approved by senior management and the Board of Directors. Additionally, technical standards and procedures related to incident response and use of Bank systems and devices are in place, as well as standards for critical security operational functions related to encryption, endpoint protection, vulnerability management, remote access, multifactor authentication, handling confidential information, use of internet, social media, email, and wireless devices. Policies and standards are subject to an internal review process and are approved by senior management.


The Company has strategically integrated cybersecurity risk management into our enterprise-wide risk management framework in alignment with the three lines of defense model to promote an enterprise-wide culture of cybersecurity risk management. This integration aims to provide that cybersecurity considerations are an integral part of our decision-making processes at every level. Our risk management team works closely with our enterprise technology and cybersecurity management teams to evaluate and address cybersecurity risks in alignment with our business objectives, regulatory requirements and operational needs.

Engaging Third Parties on Risk Management

Recognizing the complexity and evolving nature of cybersecurity threats, the Company engages with a range of external experts, including cybersecurity service providers, assessors, advisors and consultants, in evaluating and testing our cybersecurity program. These partnerships enable us to leverage specialized knowledge and insights to ensure our cybersecurity strategies and processes are aligned to industry best practices. Our collaboration with these third parties includes threat assessments and consultation on security improvements, program maturity and regulatory compliance. Additionally, we conduct multiple penetration tests annually and retain an external consultant to periodically evaluate the overall state of our program.

Overseeing Third-Party Risk

The Company has processes in place to oversee and manage risks associated with third-party service providers, including risks related to data breaches or other security incidents. This includes conducting security due diligence reviews of critical third-party providers, subjecting third parties to periodic risk assessments and requiring third parties to sign standard contractual provisions before receiving sensitive information from the Company.

Risks from Cybersecurity Threats

Like all financial institutions, we, as well as our third-party service providers, are the target of various evolving and adaptive security threats, including malware, ransomware, phishing, credential validation and distributed denial-of-service attacks. Cyber-attacks have also focused on targeting online applications and services, such as online banking, as well as cloud-based and other products and services provided by third parties. Operational failures and breaches of security from such attempts could lead to the loss or disclosure of confidential information or personal data belonging to the Company or our employees and customers. These failures and breaches could result in business interruption or malfunction and lead to legal or regulatory actions that could result in a material adverse impact on the Company’s operations, reputation and financial results.

See “Item 1A. Risk Factors” in this Form 10-K for further information about information and cybersecurity risk.

Governance

The Company’s Board of Directors is aware of the critical nature of managing risks associated with cybersecurity threats and the significance of these threats to our operational integrity and stakeholder confidence. Accordingly, the Board of Directors has established oversight mechanisms to ensure effective governance in managing these risks.

Board of Directors Oversight

As part of its responsibility to oversee the management, business, and strategy of the Company, the Board of Directors, through its Risk Committee, reviews and approves the Company’s risk management framework, including reviewing the overall risk appetite, risk management strategy and policies and practices established by management to identify and manage the risks we face. In addition, other Board committees are responsible for overseeing certain risks under their respective charters.

The Board’s Risk Committee is central to the Board’s oversight of cybersecurity risks and bears the primary oversight responsibility for this domain. The Risk Committee is composed of Board members with diverse expertise, including audit and finance and technology experience, equipping them to oversee cybersecurity risks effectively. The Risk Committee actively participates in strategic decisions related to cybersecurity, offering review and guidance on, among other things, program design, the Company’s cybersecurity risk profile and the effectiveness of its risk management strategies.


The Board Risk Committee reviews and receives regular briefings from the Chief Information Officer, Chief Information Security Officer (the “CISO”), Chief Technology Officer, Chief Operating Officer, Chief Risk Officer, Senior Vice President – Enterprise Information Security, Chief Audit Officer, and Chief Executive Officer on information security and technology risks, including discussions of the Company’s information security and cybersecurity risk management programs. The Board also receives regular reports on cybersecurity risks, vulnerabilities, incidents, staff security awareness training and overall progress to improve the Company’s cybersecurity risk profile.

Management’s Role in Managing Risk

Senior management is responsible for creating and recommending for approval to the Board of Directors risk appetite metrics related to cybersecurity, reflecting the aggregate levels and types of risk the Company is willing to accept in connection with the operation of our business and pursuit of our business objectives.

Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with our CISO, our Vice President – Cyber Risk Governance and our Senior Vice President – Enterprise Information Security. The management team is highly experienced in cybersecurity matters. The CISO has over 20 years of experience in cybersecurity, including working at a global bank and leading cybersecurity vendors, and holds Certified Information Systems Security Professional (“CISSP”) and Certified Information Privacy Professional certifications for security and privacy, respectively. The CISO holds bachelor’s, master’s and law degrees. The Vice President – Cyber Risk Governance has advanced degrees and certifications related to cybersecurity and over 15 years of experience with the federal government in a similar role. The Senior Vice President – Enterprise Information Security has more than 20 years of information security risk management experience, including serving as a bank CISO, holds bachelor’s and master’s degrees and holds the CISSP certification.

The CISO is responsible for developing and implementing the Company’s cybersecurity and information security program, reporting on cybersecurity matters to the Board and senior management, ensuring compliance with standards, remediating known risks, overseeing incident detection and response and leading the employee cybersecurity awareness training program. The Vice President – Cyber Risk Governance is responsible for third-party cybersecurity risk management and cybersecurity risk and controls governance. The Senior Vice President – Enterprise Information Security provides regular updates to senior management and the Board’s Risk Committee regarding the effectiveness of security controls and the state of the Company’s cybersecurity program and risk level.

The Bank maintains a three lines of defense structure with the Cybersecurity Division as the primary security control owner, Enterprise Information Security providing review, assessment and challenge of risk management policies and processes, and an Internal Audit team providing independent review of the first and second lines of defense. The CISO facilitates communication across business lines to support effective and consistent information security risk identification and control infrastructure, maintaining an ongoing dialogue regarding emerging or potential cybersecurity risks, receiving updates on significant developments in the cybersecurity domain and ensuring that the Board’s oversight is proactive and responsive.

The CISO, Senior Vice President – Enterprise Information Security, and Vice President – Cyber Risk Governance regularly inform the Chief Executive Officer, the Chief Operating Officer, the Chief Risk Officer, the Chief Information Officer, the Chief Technology Officer, and the Chief Audit Officer of all concerns related to cybersecurity risks and incidents, including the status of projects to strengthen our information security systems, assessments of the information security program and the emerging threat landscape. This aims to ensure that senior management is kept up to date on the cybersecurity posture and potential risks facing the Company. Furthermore, significant cybersecurity matters and strategic risk management decisions are escalated to the Company’s Board of Directors, ensuring that they have comprehensive information and can provide oversight with respect to critical cybersecurity issues.


Monitoring Cybersecurity Incidents

In addition to the monitoring and reporting described above, the Company maintains an Enterprise Information Security Response Program, which includes regular monitoring of information systems through deployment of security controls designed to detect and identify threats and sets forth immediate actions to mitigate the impact of cybersecurity incidents. The Company maintains a vulnerability management program to identify and remediate critical security vulnerabilities. An after-incident report is done to review critical events so as to inform long-term strategies for remediation and prevention of future incidents.