PEOPLES BANCORP INC - (PEBO)
10-K Filing Date: February 28, 2024
ITEM 1C CYBERSECURITY
Risk Management and Strategy
Peoples has a comprehensive Enterprise Risk Management program (“ERM Program”), which includes policies and processes for assessing, identifying and managing material risks from cybersecurity threats to Peoples and its customers. Peoples’ information security policy and procedures are reviewed and assessed on an annual basis and as needed throughout the year by the Risk Committee of the Board. Peoples assesses itself against the Federal Financial Institutions Examination Council’s (“FFIEC”) Cybersecurity Assessment Tool (“CAT”) on a quarterly basis. Additional assessment of Peoples’ cybersecurity capabilities is performed annually by consultants and regulators. Identified risks resulting from these assessments are documented, rated and mitigated by Peoples Bank’s Chief Information Security Officer (“CISO”), with oversight by the Risk Committee.
Peoples also has a third-party risk management program pursuant to which Peoples performs annual reviews of third-party vendors as to their cybersecurity and business continuity capabilities to ensure they meet the stated requirements and the risk appetite of Peoples as documented in Peoples’ information security policy. Vendors not meeting Peoples’ risk requirements are notified of necessary improvements and, if the vendors cannot mitigate the identified risks, Peoples looks to identify alternative vendors. Documentation of performance of the third-party risk assessments is retained and acknowledged by appropriate Risk and Information Security employees of Peoples.
Roles and Responsibilities
Peoples’ Board of Directors provides oversight of risks from cybersecurity threats primarily through the Risk Committee of the Board. The Risk Committee is comprised of all of the independent directors of the Board, along with Peoples’ Chief Executive Officer (“CEO”), and is responsible for oversight of Peoples’ risk management policies, programs and processes. The Risk Committee is organized and conducts its business pursuant to a written charter adopted by the Board. At least annually, the Risk Committee reviews and reassesses the adequacy of its charter and recommends any proposed changes to the full Board as necessary to reflect changes in regulatory requirements, authoritative guidance and evolving practices. The Risk Committee provides a report to the entire Board at each meeting of the Board of Directors regarding the overall risk condition of the firm and whether Peoples’ risks remain within its stated risk appetite.
Peoples’ Chief Risk Officer (“CRO”) reports to the Risk Committee and the Chief Operating Officer and has primary responsibility for the design and implementation of the ERM Program. The ERM Program establishes Peoples’ risk appetite, monitors key risk and performance indicators, identifies key risks within the firm, designs and executes specific risk initiatives and monitors risk mitigation efforts and control processes. The CRO updates the Risk Committee quarterly on the overall risk condition of Peoples inclusive of any cybersecurity issues or threats.
Peoples Bank also has an executive governance structure which includes the Capital and Risk Management Committee (“CRMC”). The CRMC, which is comprised of individuals representing each of the functional areas of Peoples and its subsidiaries, meets monthly and is responsible for the review of risk issues faced by Peoples, including material risks from cybersecurity threats. Summaries of the topics and discussions at CRMC meetings are provided to the Risk Committee along with an overview and recommendations regarding key risks and mitigating actions.
The CISO has primary responsibility for assessing and responding to material risks from cybersecurity threats. The current CISO is an experienced Information Security and Information Technology officer with 21 years of experience in Information Security and Information Technology and a master’s degree in business administration. The CISO is also a Certified Information Systems Security Professional (“CISSP”), an industry-recognized certification for cybersecurity professionals with the knowledge, skills and abilities to lead an organization’s information security program. On a quarterly basis, the CISO updates the Risk Committee on the state of cybersecurity and potential risks to Peoples to be considered by the Risk Committee.
Assessment and Response to Cybersecurity Threats
Peoples employs an in-depth, layered, defensive approach that leverages people, processes, and encryption and multi-factor authentication technology to manage and mitigate cybersecurity threats. Peoples employs a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected advanced persistent threats. Peoples and the CISO leverage several technologies and a third-party Managed Security Service Provider to monitor and respond to cybersecurity threats. In the event that the CISO assesses a material risk from a potential cybersecurity threat, the CISO immediately notifies and works with Peoples’ Crisis Management Team, which includes Peoples’ General Counsel, to appropriately respond and mitigate the threat. If necessary, third-party resources will be engaged, with the support of Peoples’ cyber insurance provider, to mitigate the cybersecurity threat, perform forensic activities and distribute appropriate notifications to impacted parties and/or regulators. In the event a material cybersecurity incident occurs that requires notification to the Board of Directors, the General Counsel and CEO will coordinate notifications to the Board of Directors and provide updates to the Board of Directors as needed.
While Peoples has implemented security controls and processes to mitigate against cybersecurity threats, Peoples cannot be certain that these measures will be successful. The threat from cybersecurity attacks is severe, attacks are sophisticated and increasing in volume, and attackers respond rapidly to changes in defensive measures. While to date, Peoples has not detected a significant compromise, significant data loss or any material financial losses related to cybersecurity attacks, Peoples’ systems and those of its customers and third-party service providers are under constant threat and it is possible that Peoples could experience a significant event in the future. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of Internet banking, mobile banking and other technology-based products and services by Peoples and Peoples’ customers. Any breach, compromise or disruption of its information security or systems as a result of a cybersecurity incident or threat could result in damage to Peoples’ reputation, loss of customer business, increased costs of incentives to customers or business partners in order to maintain their relationships, litigation, increased regulatory scrutiny and potential enforcement actions, repairs of system damage, increased investments in cybersecurity (such as obtaining additional technology, making organizational changes, deploying additional personnel, training personnel and engaging consultants), increased insurance premiums, and loss of investor confidence and a reduction in the price of Peoples’ common shares, all of which could result in financial loss and material adverse effects on Peoples’ results of operations and financial condition.