GERMAN AMERICAN BANCORP, INC. - (GABC)
10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
Our enterprise risk management program is designed to identify, assess, and mitigate risks across various aspects of our company, including financial, operational, regulatory, reputational, and legal. Cybersecurity is a critical component of this program, given our increasing reliance on technology and the potential for cyber threats. Our processes and policies related to cybersecurity are focused on: (i) developing organizational understanding to manage cybersecurity risks, (ii) applying safeguards to protect our systems, (iii) detecting the occurrence of a cybersecurity incident, (iv) responding to a cybersecurity incident, and (v) recovering from a cybersecurity incident. Where appropriate, these processes and policies are integrated into our overall enterprise risk management systems and processes. For example, all of our employees with network access are required to complete information security and privacy training on an annual basis. We are continuously working to improve our information technology systems and provide employee awareness training around phishing, malware, and other cyber risks to enhance our levels of protection.
Other aspects of our cyber and information security risk management program include:
•Monitoring external and internal threats and events, managing access, facilitating use of appropriate authentication options, validating controls and programs by internal teams and independent third parties and testing various compromise scenarios that are overseen by our information security team;
•Investing in threat intelligence platforms and participating in financial services industry and government forums which track and report on cyber and other information security threats;
•Identifying those third-party relationships that have the greatest potential to expose the Company to cybersecurity threats and, upon identification, conducting additional due diligence as a part of establishing those relationships;
•Routinely performing vulnerability tests;
•Engaging independent consultants and other third parties to assist the Company in establishing and improving its policies; and
•Conducting “tabletop” exercises with outside consultants at least annually to test the Company’s processes and policies and using feedback from those exercises to further improve our processes.
The Company also maintains insurance coverage for cybersecurity incidents as part of its overall insurance portfolio.
In the event of a cybersecurity incident, the Company maintains incident response plans to investigate, classify, respond to, and manage cybersecurity incidents that may compromise the availability or integrity of our information systems, network resources, or data. In accordance with the incident response plans, cross-functional management teams assess and assign a threat level to each cybersecurity incident. A cybersecurity incident (or incidents, if aggregated together) assigned a critical threat level is escalated to a committee consisting of the Company’s executive and certain other officers (for such purpose, the “Critical Threat Committee”) for review.
The Company has not experienced any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected the Company, including its business strategy, results of operations, or financial condition. However, cybersecurity attacks and other threats to the systems, networks, products and services of the Company, its customers and vendors, and other third parties could materially affect the Company in the future. See Item 1A. Risk Factors – Unauthorized disclosure of sensitive or confidential client or customer information, whether through a cyber-attack, other breach of our computer systems or otherwise, could harm our business.
Governance
In exercising oversight over the Company’s information technology risks, including its cyber and information security program, our Board of Directors has established a Technology Committee that is led by the Company’s Chief Digital and Information Officer (“CDIO”) and is comprised of directors with technology industry backgrounds, all of the Company’s executive officers, the Company’s Information Security Officer (“ISO”) and the Company’s Chief Risk Officer. The Technology Committee receives materials on a quarterly basis to address the identification and status of information technology cybersecurity risks. Each year, the full Board of Directors also receives a comprehensive update on the Company’s cyber and information security program.
Our CDIO leads the Company’s digital optimization and information technology initiatives. He is also responsible for driving the strategy, execution and integration of all banking and nonbanking technology, information and digital initiatives in alignment with the Company’s corporate business strategy. Our CDIO assumed his current role in January 2022. Prior to that, he served as the Company’s Senior Vice President of Technology and Operations, where he led the Company’s core processing and operations functions and the development of technology-driven products and services. Our CDIO has over 20 years of technology and operations experience in the banking industry.
Our ISO oversees a team of employees dedicated to the prevention, detection, mitigation, and remediation of cybersecurity incidents. He joined the Company in September 2022 with more than 20 years of technology and information security experience in banking and as a consultant, and holds a Certified Information Security Manager certification.
The Company’s Critical Threat Committee is responsible for evaluating the materiality of a cybersecurity incident based on criteria that have been reviewed with the Board of Directors, and for determining whether there are disclosure obligations under applicable securities laws. In the event that the Critical Threat Committee determines that a critical cybersecurity incident (or incidents, if aggregated together) is material, the Critical Threat Committee will brief the Board of Directors and oversee the disclosure process. For all critical cybersecurity incidents that are not deemed to be material, the Critical Threat Committee will notify the Company’s Chairman and Chief Executive Officer to determine whether the Board of Directors will be notified of the critical incident during the next regularly scheduled cybersecurity update to the Audit Committee, or sooner as circumstances warrant.