SIMMONS FIRST NATIONAL CORP - (SFNC)
10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
We maintain an information security program and governance structure for assessing, identifying, and managing material risks from cybersecurity threats.
Risk Management and Strategy
Our information security program is led by our chief information security officer (“CISO”), who has over 25 years of experience in technology management, has 8 years of banking experience, and is a certified information systems security professional. The CISO oversees our “information security team” within our information technology department, which includes our identity and access management group, our security operations center group, and our security engineering and security architecture groups. These groups develop, deploy, monitor, and manage multiple processes, systems, and controls, including embedded controls within the technology we use, designed to help identify, protect against, detect, respond to, and recover from cybersecurity threats and incidents.
In addition to our information security team, we also employ an IT risk and compliance director who has over 18 years of IT governance, risk, and compliance experience and is responsible for the development, monitoring, and reporting of IT-related key risk indicators (“KRIs”), including KRIs related to cyber risks. Both our CISO and our IT risk and compliance director report to our chief information officer (“CIO”), who has more than 25 years of technology leadership experience, including leadership experience at global financial institutions, and is responsible, among other things, for oversight of our information technology environment, strategy, and security risks.
As part of our information security program, we undertake efforts to monitor new and emerging risks and evaluate the effectiveness and maturity of our cyber defenses through various means, including internal audits, targeted testing (including penetration testing), incident response exercises, maturity assessments, and industry benchmarking. In connection with these efforts, we use, on an as-needed basis, certain third parties, including auditors, consultants, and others, that have particular cyber expertise.
We also maintain multiple groups that help oversee risks associated with our third-party service providers. These groups include (1) our third-party risk management department, which facilitates reviews of certain third parties by our assurance providers, including our information security and business continuity teams, (2) our vendor council, which reviews contractual terms (including, at times, terms related to confidentiality and data protection) for certain third-party relationships, and (3) our architecture review board, which reviews certain new business initiatives that may impact the Company’s technical and/or security architecture.
Our information security program is one component of our broader enterprise risk management program. As such, KRIs related to cyber risk (which are a subset of operational risk KRIs) are reported to, and overseen and monitored by, our enterprise risk management committee, which is comprised of senior executives of the Company. Additionally, we maintain an incident response framework that details the applicable teams, their functions, and guidelines when a cybersecurity incident occurs. The framework is designed to cover significant aspects of the incident, including detection, containment, remediation, and post-incident analysis. Various groups of senior executives help oversee responses to security incidents, including the data loss prevention team, the core computer security incident response team, and the extended computer security incident response team.
While we do not believe that our business strategy, results of operations, or financial condition have been materially adversely affected by any cybersecurity incidents, cybersecurity threats are constant, and, like other financial institutions, we, as well as our customers, employees, and third-party service providers, have experienced a significant increase in information security and cybersecurity risk in recent years and will likely continue to be the target of cyber-attacks. We continue to assess the risks and changes in the cyber environment, reasonably invest in enhancements to our cybersecurity capabilities, and engage in industry and government forums to promote advancements in our cybersecurity capabilities. See the risk factor “Our business is heavily reliant on information technology systems, facilities, and processes; and a disruption in those systems, facilities, and processes, or a breach, including cyber-attacks, in the security of our systems, could have significant, negative impact on our business, result in the disclosure of confidential information, and create significant financial and legal exposure for us.” in “Item 1A. Risk Factors” of this Form 10-K for more information.
Governance
Our board of directors is aware of, and takes seriously, the importance of overseeing risks associated with cybersecurity threats. Senior management has provided the board of directors with cybersecurity information, as well as incident response training. Additionally, employees have received training related to cybersecurity. Cyber risks are incorporated into risk appetite metrics for operational risk and presented to and reviewed by the risk committee of the board of directors. Additionally, the audit committee of the board of directors receives and reviews internal audit reports concerning, among other things, matters related to information security. Furthermore, the board of directors of Simmons Bank, the Company’s primary operating subsidiary, has established an information technology committee (“IT Committee”) that receives regular reports from the CISO and CIO concerning our information security program and cybersecurity matters. The CIO also reports IT KRIs, including those related to cyber risks, to the IT Committee. Significant security incidents are also reported by senior management to the IT Committee or its chairman, when warranted. The IT Committee chairman provides reports of the committee’s activities to the board of directors of Simmons Bank. The Company’s board of directors, or the board of directors of Simmons Bank (as applicable), also approves information security-related policies, including the Acceptable Use Policy, Information Security Policy, IT Ransomware Policy, and Business Continuity Management Policy.
With respect to internal management, the CISO and CIO meet regularly to discuss the activities and operations of the information security team, and the CIO holds regular meetings with our chief executive officer to discuss cyber-related matters, information technology issues, and cybersecurity threats. To enhance awareness, monitoring, and oversight of cybersecurity risks, management also uses the following internal committees (in addition to the enterprise risk management committee discussed above): (1) the IT strategy and investment committee, which is comprised of senior executives and helps provide oversight of the investment and strategic direction for the Company’s IT function, (2) the IT steering committee, which is comprised of leaders from various business units and helps provide oversight and direction for inter- and intra-departmental IT-related initiatives, and (3) the vulnerability management working group, which is comprised of IT leaders and helps establish appropriate roles, responsibilities, and escalation paths to resolve department and enterprise vulnerabilities within service level agreements.