SEACOAST BANKING CORP OF FLORIDA - (SBCF)
10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
The Company’s information security program is designed to protect sensitive information from unauthorized access, use, disclosure, alteration, or destruction, and to maintain the confidentiality, integrity, and availability of our information assets, including employee and customer non-public information, financial data, and internal operational information. Our Chief Information Security Officer (“CISO”) manages our information security strategy and development as overseen by our overarching Enterprise Risk Management (“ERM”) program.
The Company’s cybersecurity program, including our information security policies, is designed to align with regulatory guidance and industry practices. To protect our information systems, network, and information assets from cybersecurity threats, we use various security tools, products and processes that help identify, prevent, investigate, and remediate cybersecurity threats and security incidents.
The Company’s Information Security team monitors threat intelligence sources to research evolving threats, investigates the potential impact to financial services companies, examines company controls to detect and defend against those threats, and proactively adjusts company defenses against those threats. The Information Security team also actively monitors company networks and systems to detect suspicious or malicious events, including through penetration testing and routine vulnerability scans, and a managed security service provider supplements our efforts to provide 24 hours a day, seven days a week coverage.
We maintain policies and procedures for the safe storage, handling and secure disposal of customer information. Each employee is expected to be responsible for the security and confidentiality of customer information, and we communicate this responsibility to employees upon hiring and regularly throughout their employment. Annually, we provide employees with mandatory security awareness training. The curriculum includes the recognition and appropriate handling of potential phishing emails, which could, ultimately, place sensitive customer or employee information at risk. The Company employs a number of technical controls to mitigate the risk of phishing emails targeting employees. We test employees monthly to determine their susceptibility to phishing test emails, and we require susceptible employees to take additional training and provide regular reports to management.
As part of our information security program, we have adopted a Cyber Incident Response Plan (“Incident Response Plan”) which is administered by our CISO who closely coordinates with the Company’s Information Technology team. The Incident Response Plan describes the Company’s processes, procedures, and responsibilities for responding to cybersecurity incidents, and identifies those team members responsible for assessing potential security incidents, declaring an incident, and initiating a response. The Incident Response Plan outlines action steps for investigating, containing, and remediating a cybersecurity incident, and includes procedures for escalation and reporting of potentially significant cybersecurity incidents to the Company’s Senior Leadership Team, including the Chief Executive Officer (“CEO”), Chief Financial Officer (“CFO”), Chief Risk Officer (“CRO”), Chief Legal Officer (“CLO”) and the Board of Directors. As necessary, the Company may retain a third-party firm to assist with forensic investigation and management of cybersecurity incidents. Annually, our incident response team performs exercises to simulate responses to cybersecurity events. Each exercise results in lessons learned and subsequent improvement to the Incident Response Plan.
The Company conducts due diligence prior to engaging third-party service providers which have access to the Company's networks, systems, and/or customer or employee data. Risk assessments are performed using Service Organization Controls (SOC) reports, self-attestation questionnaires, and other tools. Third-party service providers are required to comply with the Company’s policies regarding non-public personal information and information security. Third parties processing non-public personal information are contractually required to meet all legal and regulatory obligations to protect customer data against security threats or unauthorized access. After contract execution, Seacoast requires critical and high-risk providers to have an ongoing monitoring plan.
While we do not believe that our business strategy, results of operations or financial condition have been materially adversely affected by any cybersecurity incidents, cybersecurity threats are pervasive, and cybersecurity risk has increased in recent years. Despite our efforts, there can be no assurance that the cybersecurity risk management processes and measures described above will be fully implemented, complied with or effective in protecting our systems and information. We face risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect our business strategy, results of operations or financial condition. See Item 1A. “Risk Factors” for further discussion of the material risks associated with an interruption or breach in our information systems or infrastructure.
Cybersecurity Governance
Our Board of Directors is responsible for overseeing the Company’s business and affairs, including risks associated with cybersecurity threats. The Board oversees the Company’s corporate risk governance processes primarily through its committees, and oversight of cybersecurity threats is delegated primarily to our Information Technology Committee (“ITC”).
The Enterprise Risk Management Committee (“ERMC”) of the Board has primary responsibility for overseeing the Company’s comprehensive Enterprise Risk Management program. The Enterprise Risk Management program assists senior management in identifying, assessing, monitoring, and managing risk, including cybersecurity risk, in a rapidly changing environment. Cybersecurity matters and assessments are regularly included in both ITC and ERMC meetings.
The Board’s oversight of cybersecurity risk is supported by our CISO. The CISO and CIO attend ITC and ERMC meetings and provide cybersecurity updates to these Board committees. The CISO also provides annual risk assessments and an information security program summary report to the full Board of Directors. Our CRO, in conjunction with our CISO and CIO, facilitates the involvement of the ITC in oversight of potentially significant cybersecurity incidents.
The Company’s CISO directs the Company’s information security program and our information technology risk management. In this role, in addition to the responsibilities discussed above, the CISO manages the Company’s information security and day-to-day cybersecurity operations and supports the information security risk oversight responsibilities of the Board and its committees. The CISO is also responsible for the Company’s information technology governance, risk, and compliance program and ensures that high-level risks receive appropriate attention. Led by our CISO, the Information Security team examines risks to the Company’s information systems and assets, designs and implements security solutions, monitors the environment, and responds to threats. In 2023 our CISO reported to our CIO; however, for 2024 the CISO will report to our CRO, who in turn reports to our CEO.
Our CISO has cybersecurity experience spanning more than 20 years. Prior experience includes serving as the CISO at a mid-size regional financial institution and serving in manager roles at large professional services firms. He holds a degree in Computer Science and Mathematics and maintains several industry certifications.