FIRST BANCORP /PR/ - (FBP)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
The Corporation recognizes the significance of cybersecurity in the financial industry and the potential risks associated, such as the
risks arising from the loss of confidentiality, integrity, or availability of information systems. The Corporation’s processes to identify,
assess, and monitor material risks from cybersecurity threats are part of its Enterprise Risk Management (“ERM”) Program, which is
documented as part of the Corporate Incident Response Program and under which the Corporation has implemented a comprehensive
Corporate Information Security Program (“CISP”). Cybersecurity risk is managed as part of the overall information technology risk,
under the direction of the Corporate Security Office (“CSO”) led by the Corporate Security Officer (“CSO Officer”), who directly
reports to the Chief Operations Officer. The CSO Officer also serves as Chief Information Security Officer (“CISO”).
The CISP outlines the Corporation’s overall vision, direction, and governance to protect the confidentiality, integrity, and
availability of customer information and seeks to prevent unauthorized access as required by regulatory guidelines and industry
security best practices. The CISP is based on well-renowned frameworks such as the International Organizational Standard ISO 27000
series and the NIST Cybersecurity Framework. As such, it serves as a guide for the implementation of security safeguards across the
Corporation and its subsidiaries. The CISP also addresses cybersecurity breaches and procedures for appropriate response efforts,
including any required notification, depending on the severity of the specific security incident. In addition, the CISP incorporates a
risk-based approach to ensure that risk is treated in a consistent and effective manner and is designed to protect classified information
to prevent disclosure to unauthorized individuals; prioritize the use of information security resources by concentrating on critical
business applications; develop quality, cost-effective, and reliable systems; ensure the proper and secure disposal of sensitive
information; and implement adequate processes to ensure compliance.
The ERM Program includes a risk-based escalation process to manage corporate incidents, including cybersecurity incidents, and
notify the Risk Committee of the Board of Directors and applicable stakeholders as appropriate. The Corporation incorporates the
ERM Department, which is comprised of several members such as the ERM Director who is part of senior management, as well as
external expertise, in the review of its processes, including an independent third-party assessment of cybersecurity measures and
controls. The Corporation also invests in threat intelligence, vulnerability management, and incident response drills. Furthermore, all
of the Corporation’s employees and consultants with access to the Corporation’s network are required to complete a comprehensive
cybersecurity awareness program on an annual basis. Additionally, awareness and training on information technology and
cybersecurity risk are provided to the Board on a regular basis.
The Corporation has a Vendor Management Program and a Third-Party Risk Management function to manage the cybersecurity
risks associated with conducting business with third-party vendors, which includes the requirement for third-party vendors to
implement appropriate measures to ensure the security and confidentiality of the Corporation’s resources. The Corporation places
vendors into tiers based on the inherent risk due to the nature of the relationship with that vendor to determine any additional security
requirements commensurate with such level of risk.
The Corporation does not believe that risks from cybersecurity threats or attacks, including as a result of any previous cybersecurity
incidents, have materially affected the Corporation’s business strategy, results of operations or financial condition as of December 31,
2023. While the Corporation continues to closely monitor cyber risk and has implemented processes that are intended to assess,
identify, and manage material risks from cybersecurity threats, security controls, no matter how well designed or implemented, may
only partially mitigate and not fully eliminate these risks. Events, when detected by security tools or third parties, may not always be
immediately understood or acted upon. See Item 1A, “Risk Factors – Risks Relating to Cybersecurity and Technology” for more
information on how cybersecurity risk could adversely affect the Corporation, which should be read in conjunction with this Item 1C.
Governance
Responsibility for risk oversight and management generally lies with the Corporation’s Board of Directors. To effectively manage
oversight of the CISP’s governance and cybersecurity risk management, the Board has delegated such responsibility to the Risk
Committee. As part of its oversight, the Risk Committee receives reports from the Executive Risk Management Committee and
Information Technology (“IT”) Steering Committee, which are committees at the management level, on the Corporation’s
cybersecurity processes. The Corporate Internal Audit Department performs periodic audits of the Corporation’s information security
practices and presents them to the Audit Committee of the Board. The scope of testing is in accordance with applicable regulatory
guidance and prudent business practices. The periodicity of testing is determined by the Corporate Internal Audit Department based on
their risk assessment. Findings from internal audit procedures are reported to Management and the Audit Committee of the Board of
Directors. In addition, the Vendor Management Committee periodically reports to the Risk Committee about the Vendor Management
program status. The Risk Committee provides the Board with updated information on the matters discussed in the Risk Committee
meetings as it relates to the CISP and the overall information security strategic direction and evaluates and approves (if necessary)
reports presented by executive management related to the information security strategic direction of the Corporation.
The CSO, led by the CSO Officer, oversees the CISP, its development, and any applicable updates in response to changes in
operations and other circumstances, and reports on a quarterly basis to the IT Steering Committee and to the Board’s Risk Committee.
The CSO Officer, who has been in charge since 2016, has over 20 years of experience in functional expertise concerning all aspects of
information security, integrity and privacy of systems, and data resources, and holds several relevant licenses and/or certifications.
Also, certain topics related to information security are presented on an ad hoc basis to the Executive Risk Management Committee.
The CSO provides the Board’s Risk Committee regular reports and engages in discussions on the effectiveness of the CISP, including
risk mitigation strategy and progress. The Board’s Risk Committee reviews and approves the CISP annually and receives a report on
the security safeguards annually.
See “Risk Management – Risk Governance” for more information on the Corporation’s risk governance structure.