Origin Bancorp, Inc. - (OBK)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
Origin’s information security program is designed to protect the security, availability, integrity, and confidentiality of our computer systems, networks, software and information assets, including client and other sensitive data. The program comprises policies, guidelines, and procedures that are intended to align with regulatory guidance and common industry practices. Assessing, identifying and managing cybersecurity-related risks is integrated into our overall enterprise risk management process.
Cybersecurity Risk Management and Strategy
At Origin, we expect each employee to be responsible for the security and confidentiality of client information. We communicate this responsibility to employees upon hiring, and regularly throughout their employment. We require each employee to complete training to protect the confidentiality of client information at the time of hire and during each year of employment. Employees must successfully pass a test to demonstrate understanding of these requirements and provide acknowledgement of their responsibilities.
Additionally, we regularly provide employees with information security awareness training, covering the recognition and appropriate handling of potential phishing emails, which can introduce malware to a company’s network, result in the theft of user credentials and, ultimately, place client or employee data, or other sensitive company data, at risk. Origin employs a number of technical controls to mitigate the risk of phishing emails. We regularly test employees to determine their susceptibility to phishing test emails. We require susceptible employees to take additional training and provide regular reports to management. We additionally maintain procedures for the safe storage, handling, and secure disposal of sensitive information.
Origin follows FFIEC guidance in protecting its network and information assets with industry-tested security products and processes. Our Network and Information Security teams actively monitor company networks and systems to detect suspicious or malicious events. The Company evaluates potential cyber risks, as appropriate, in its regular risk assessments. Additionally, we conduct vulnerability scans and contract with third-party vendors to perform penetration tests against the Company’s network. The Company also engages expert cyber consultants, as necessary and appropriate.
Before engaging third-party service providers, we perform due diligence in order to identify and evaluate their cyber risks. This process is led by the Operational Risk Management team and includes participation of dedicated information security resources. Risk assessments are performed using Service Organization Controls (“SOC”) reports and other tools. Third-party service providers processing sensitive client data are contractually required to meet applicable legal and regulatory obligations to protect sensitive data against cybersecurity threats and unauthorized access to the sensitive data. After contract execution, third-party service providers undergo ongoing monitoring to confirm that they continue to meet their security obligations and to identify other potential cybersecurity threats.
As part of our information security program, we have adopted an Information and Cybersecurity Incident Response Plan (the “Incident Response Plan”), which is primarily overseen by our Vice President, Information Security Officer (“ISO”). The Incident Response Plan describes our processes and procedures for responding to cybersecurity incidents, outlining various work streams, including containment and remediation actions by information technology and security personnel, as well as operational response actions by business, communications, and risk personnel. Our incident response team performs exercises to simulate responses to cybersecurity events.
The Incident Response Plan includes procedures for escalation and reporting of potentially significant cybersecurity incidents to our Chief Operating Officer, Chief Financial Officer, Chief Risk Officer, Chief Legal Counsel, and other executives as needed.
To date, we have not experienced a cybersecurity incident that has materially impacted our business strategy, results of operations, or financial condition. Despite our efforts, there can be no assurance that the cybersecurity risk management processes and measures described above will be fully implemented, complied with, or effective in protecting our systems and information. We face risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect our business strategy, results of operations or financial condition. Please see Part I, Item 1A. Risk Factors for further discussion of the risks associated with an interruption or breach in our information systems or infrastructure.
Cybersecurity Governance
Our Board of Directors is responsible for overseeing our business and affairs, including risks associated with cybersecurity threats. The Board oversees our corporate risk governance processes primarily through its committees, and oversight of cybersecurity threats is delegated primarily to our Risk Committee. We created management-level Cyber Risk and Information Technology Committees to govern and oversee the information security program on a day-to-day basis. The Risk Committee receives updates from management regarding review and assessments of cybersecurity and technology risk consistent with FFIEC guidance. Cybersecurity governance is a standing agenda item on each Risk Committee meeting. The Risk Committee reports to the full Board on a quarterly basis, including an overview of all matters discussed and approved at each Risk Committee meeting. Additionally, we have engaged the former Chief Information Officer of a Fortune 500 global technology company to consult with our Board of Directors, management, and management-level Cyber Risk and Information Technology Committees on cybersecurity and data privacy matters.
Our Information Security Officer (“ISO”) is responsible for the Company’s information security program. Our ISO holds a degree in Computer Information Systems and is a graduate of Louisiana Tech University. He possesses over 15 years of experience in diverse technology and information security roles within the financial services sector, with four years’ experience in the ISO role. In this role, the ISO manages the Company’s information security and day-to-day cybersecurity operations and supports the information security risk oversight responsibilities of the Board and its committees. The ISO is a member of our Corporate Operations group and reports to our Chief Risk Officer, who in turn reports to our President and CEO. The ISO regularly attends Risk Committee meetings to review the Company’s material cybersecurity developments and risks, and otherwise periodically provides relevant cybersecurity updates to the Risk Committee, as appropriate.