WILSON BANK HOLDING CO - (WBHC)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity

Information Security and Risk Management Overview

The Company places a high priority and focus on securing the confidential information it receives and stores about its borrowers, depositors and other customers and employees as well as sensitive information regarding financial transactions and the Company's information systems. This priority and focus starts at the Company’s board of directors, which is ultimately responsible for risk oversight, establishing the Company’s risk appetite, understanding the Bank’s key risks and assuring the risk management strategy, processes and internal controls are appropriate to manage risk, in each case inclusive of cybersecurity risk. The Company’s board of directors approves an information security policy and program (the “Information Security Policy and Program”), which contains a statement of the Company’s risk appetite with respect to cybersecurity matters, on an annual basis. The Company’s risk appetite includes specific information security risk tolerance thresholds and limits established with the approval of the Company’s board of directors and executive management. Key risk indicators are monitored by the Risk Oversight Committee of the Company’s board of directors (the “Risk Oversight Committee”), which receives quarterly reports from the Company’s Chief Risk Officer, Information Security Officer and Enterprise Risk Management Committee regarding management’s efforts to protect the Company from cybersecurity threats and the general threat landscape facing companies with operational characteristics similar to the Company’s. The Risk Oversight Committee reports quarterly to the Company’s board of directors regarding the Company’s cybersecurity risk oversight processes as the board of directors seeks to ensure the Company is operating within its stated risk appetite.

The Company’s objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse the Company’s systems or information. A key part of the Company’s strategy for managing risks from cybersecurity threats is the ongoing assessment and testing of the Company’s processes and practices through auditing, security assessments, tabletop exercises, and other exercises focused on evaluating effectiveness of the Company’s processes and programs. The Company also deploys technical safeguards that are designed to protect its information systems from cybersecurity threats and incidents in a prompt and effective manner with the goal of minimizing disruptions to the Company’s business. The Company has also developed and periodically updates incident response plans that provide a documented framework for responding to actual or potential cybersecurity incidents, including timely notification and escalation to the appropriate management committees and to the Risk Oversight Committee of the board and full board of directors as appropriate. These incident response plans are coordinated through the Information Security Officer (“ISO”) and other key members of management, including the Chief Risk Officer.

The Company’s board of directors delegates authority to the Risk Oversight Committee to assist the board in carrying out its duties of risk oversight, including with respect to cybersecurity risk. The Risk Oversight Committee provides primary oversight of the Company’s enterprise-wide risk posture and the processes established to identify, measure, and monitor the Company’s risk level, including with regard to cybersecurity risk. This oversight includes reviewing and approving the Company’s risk appetite (including with respect to cybersecurity risk) and risk-related policies, and reviewing quarterly reporting from management on monitoring of the Company’s performance against its risk appetite, including with regard to cybersecurity risk. The Risk Oversight Committee is responsible for the oversight, implementation, and maintenance of the Information Security Policy and Program; the board has delegated to it specific responsibility for the implementation of the program and for reviewing management reports in this area. Quarterly reports are provided to the Company’s board of directors that describe the overall status of the Information Security Policy and Program, including, but not limited to:

Decisions about risk management and control;
Results of testing, including regular external and internal penetration testing;
Security breaches or violations and management’s responses; and
Recommendations for changes to the Information Security Policy and Program.

The Company’s Enterprise Risk Management Committee, which is a management committee consisting of key employees of the Company, including the Company’s Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Chief Credit Officer, Chief Administrative Officer, Chief Information Officer, and Chief Risk Officer, oversees implementation and monitoring of the Information Security Policy and Program. Testing of the Information Security Policy and Program is accomplished through the use of a comprehensive Information Systems Audit that is performed, at a minimum, on an annual basis by third-party expert consulting firms, the results of which are reviewed with the Risk Oversight Committee and Audit Committee. The Company also has an internal and external penetration test conducted, at a minimum, on an annual basis by outside expert consulting firms. In addition, in accordance with the Information Security Policy and Program, the Company’s Enterprise Risk Management Committee assesses information security risks on at least an annual basis, or more often in response to changes in products or services that are offered, technological changes, changes in the threat landscape facing the Company (including as a result of cybersecurity incidents affecting financial institutions or their vendors generally), or any change that may materially affect the Company’s risk environment.

The Company’s board of directors has appointed an Information Security Officer (the “ISO”), who has cybersecurity expertise primarily related to cybersecurity assurance, compliance, digital forensics, investigations, process design and collegiate instruction, and who holds various certifications in areas relevant to cybersecurity risk monitoring. The ISO, working together with the Company’s Chief Information Officer and Chief Risk Officer, handles the development and implementation of the Information Security Policy and Program and, together with the Company’s information technology staff, third-party vendors and other outside resources, monitors the Company’s information technology systems for threats and implements changes to those systems in an effort to protect the systems from attack. The ISO also coordinates the risk assessment process, facilitates annual employee training, and prepares an annual report to the Company’s board of directors that contains a summary of any cybersecurity incidents occurring during the report year and an analysis of the results of the Information Systems Audit and the Company’s performance against the Information Security Policy and Program. The ISO reports directly to the Bank’s Chief Risk Officer, independent of the Company’s technology department, and the responsibilities of this role extend to security, fraud and other special projects concerning identified risk and operational issues. The Bank’s Chief Risk Officer reports directly to the Chief Executive Officer.

To date, no attempted cyber-attack or other attempted intrusion on the Company’s information technology networks has resulted in a material adverse impact on the operations or financial results of the Company or the Bank.

Information Security Training and Awareness

Information security awareness training is provided to all employees and bank business units no less often than annually and focuses on: new hire orientation, the Company’s overall information security program, roles and responsibilities of employees during an incident, and how to report suspicious activity; the training also draws on the Bank’s cybersecurity blog for consistent and relevant information.

Service Provider Arrangements

Management identifies, assesses, controls, monitors and reports on risks related to the Bank’s use of third parties per applicable laws, safe and sound business practices, and related supervisory guidance, particularly that of the Interagency Guidance on Third-Party Relationships: Risk Management.

It is the policy of the Company to ensure that the internal controls and financial condition of a third-party vendor are carefully evaluated before such support services are allowed to begin, and as an ongoing condition of continuing support of such products or services. Vendors with access to customer information or direct access to the network are carefully reviewed to ensure that appropriate controls and mechanisms are in place to safeguard confidential information, and the Company’s contracts with such vendors include obligations on the part of the vendors to maintain the confidentiality of such information in compliance with applicable legal requirements.