CASS INFORMATION SYSTEMS INC - (CASS)
10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
Managing cybersecurity risk within Cass is an ongoing, multifaceted process aimed at safeguarding digital assets and sensitive information. Led by the Company’s Chief Information Security Officer (“CISO”) and overseen by the Executive IT Council, the Company has a dedicated team of security professionals to implement the Company’s information security processes.
The Executive IT Council is comprised of the CEO, CFO, Chief Information Officer (“CIO”), CISO, and all heads of business units that serve together to manage and oversee the Company’s IT program as a whole. As part of this function and at the direction of the CISO, the Executive IT Council is charged with approving and providing oversight of the IT solutions that enhance the Company’s security posture. As more fully described in “Governance” below, the CISO and CIO regularly report the Executive IT Council’s findings to the Audit and Risk Committee of the Board, and to the full Board, in an effort to provide a collaborative and multi-point cybersecurity program.
The Company also relies on certain critical third-party IT vendors that support processing, transmission, and storage of data, which has become more critical given the information security risks that are intensified through the Company’s increased use of remote work arrangements. The Company has also engaged a third party to help monitor and analyze its system activities.
The Company’s information security program is comprised of three primary components that guide the activities of employees and advisors tasked with managing the program:
•Information Security Policy: The Company maintains an Information Security Policy that aligns with the National Institute of Standards and Technology and ISO 27001 cybersecurity guidelines and frameworks. This policy is reviewed at least annually by the Company’s IT Security & Risk team, with updates approved by the Board of Directors. The Information Security Policy addresses the standards, design, scope, testing, and operation of the
Company’s cybersecurity program. All Company employees are trained both initially and on an annual basis on the information security requirements set by the policy. Employees whose work is more pertinent to cybersecurity management and risk, such as software development, receive additional and more specialized training.
•Incident Management Policy: The Company’s Incident Management Policy provides the structure and guidance for the Company’s cyber incident response operations to ensure the quick detection of security events and vulnerabilities, as well as promote a rapid response to security incidents and mitigation measures. A dedicated security incident response team is tasked with addressing security incidents and driving the Company’s response.
•Cyber Risk Management Program: The Company performs a comprehensive risk assessment on an annual basis to identify and prioritize potential threats and vulnerabilities, then uses the results to implement and revise policies, assign responsibilities, and deploy security controls to address them on an ongoing, 24-7 basis.
Using the policies and programs described above, Cass has implemented a multi-layered cybersecurity approach, including deployment of advanced endpoint protection, threat intelligence, and anomaly detection tools; continuous monitoring of network traffic through intrusion detection and prevention systems; regular penetration testing and vulnerability assessments; and encryption of sensitive data at rest and in transit.
Cass is dependent on third-party vendors to support operations and business objectives. Recognizing the interconnected nature of the Company’s business, Cass places emphasis on managing third-party cybersecurity risk by maintaining a Vendor Management Policy. This policy establishes guidelines for conducting due diligence on vendors’ security practices, making ongoing risk assessments and conducting extensive control reviews of identified high-risk vendors.
Because the Company is a bank holding company, its information security program is regularly evaluated by banking examiners and regulators. In addition, the Company undergoes annual Service Organization Controls Type II audits to evaluate information security controls related to specific services offered by the Company.
While the Company continues to face a number of cybersecurity risks in connection with the business, Cass has not experienced any cyber incidents that materially affected business strategy, results of operations or financial condition over the past fiscal year. The Company commits to transparently communicating with stakeholders, including shareholders, regulatory bodies, and law enforcement agencies, as required. To mitigate financial risks associated with cybersecurity incidents, Cass maintains a comprehensive cyber insurance policy. This policy covers various costs, including legal expenses, investigation costs, business interruption, and potential liabilities.
Governance
As described above, the Company's cybersecurity program is led by the CISO, who ultimately reports to the Executive Vice President and CIO. The CISO is supported by an information security team, made up of two security analysts and one IT audit and compliance analyst. The security analysts monitor the Company’s security solutions and security event logs and respond to incidents and events when they occur. The IT audit and compliance analyst tracks remediation efforts, manages the Company’s third-party risk program and works with internal and external auditors on all IT compliance activities. Members of the information security team hold cybersecurity certifications, such as a Certified Information Systems Security Professional ("CISSP") or Certified Information Security Manager certifications. The CIO oversees all IT departments within the Company, including security and risk, and is the primary liaison between IT and the Board of Directors.
Both the CISO and CIO have extensive experience assessing and managing cybersecurity programs and cybersecurity risk. The CIO has a bachelor’s degree in Management Information Systems and an MBA from Oakland University, and was previously the Domain CIO at Comerica Bank. The CISO has a bachelor’s degree in Computer Science from the University of Illinois, holds the CISSP, Certified in Risk and Information Systems Control and Certified Chief Information Security Officer certifications, and has been active in the management of the Company’s security programs for more than a decade, serving in the CISO role since early 2023.
The CISO and CIO provide monthly updates to the Executive IT Council on security incidents, compliance and patching metrics, as well as security related industry updates that might affect the Company’s business. The Executive IT Council approves all security related project expenditures and all members are a part of the Company’s incident response team.
The Audit and Risk Committee, together with the full Board of Directors, actively oversees the Company’s cybersecurity program. The Audit and Risk Committee receives reports on evolving cybersecurity standards and key metrics, including the number of incidents, response times, and effectiveness of safety controls, from the CIO on a quarterly basis, and more
frequently when necessary. These reports include updates on the activities of the Executive IT Council. Changes to the Company’s information security policies and programs are approved by the Audit and Risk Committee. This information is reported to the full Board of Directors which, together with the Audit and Risk Committee, evaluates and considers the effectiveness of the Company’s risk management policies and controls relating to cybersecurity that are described in the section above.
The Company believes that by layering cybersecurity practices and risk management oversight in a way that involves various individuals, teams, and ultimately, the Board of Directors, it fosters a culture of accountability and helps enable Cass to prioritize the safety and security of its and its clients’ data.