COLUMBIA BANKING SYSTEM, INC. - (COLB)
10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY.
Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. We believe these risks include, among other things, operational risks resulting in system disruption; intellectual property theft; fraud; extortion; harm to associates or customers including by way of inadvertent release of information; violation of privacy or security laws and other litigation and legal risk; and reputational risks. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks. We have invested in data security and privacy protections, and we follow what we believe to be industry-standard recommendations for data security. However, if we fail to properly assess and identify cybersecurity threats, we may become increasingly vulnerable to such risks.
To identify and assess material risks from cybersecurity threats, our corporate risk management program considers cybersecurity threat risks alongside other Company risks as part of our overall risk assessment process. Our corporate risk professionals collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations. We employ a range of tools and services, including programs across identity and access management, training and awareness, threat management, cybersecurity operations, cybersecurity enablement, and cybersecurity data, host, and network security. This includes regular network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises to inform our professionals’ risk identification and assessment.
We also have a cybersecurity-specific risk assessment process, which helps identify our cybersecurity threat risks by comparing our processes to standards set by the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool. These standards are aligned to those of the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization, and the Center for Internet Security, and we engage experts to evaluate the integrity of our information systems, as such term is defined in Item 106(a) of Regulation S-K.
To help us preserve the availability of critical data and systems, maintain regulatory compliance, and achieve our goal of managing our material risks from cybersecurity threats, and with an aim to protect against, detect, and respond to cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, we undertake the below listed activities:
• Closely monitor emerging data protection laws and implement changes to our processes designed to comply with such data protection laws;
• Undertake regular reviews of our policies and standards related to cybersecurity;
• Proactively inform our customers of substantive changes related to customer data handling;
• Conduct annual customer data handling and use requirements training for associates;
• Conduct annual cybersecurity management and incident training for associates involved in our systems and processes that handle sensitive data;
• Conduct regular cybersecurity training and awareness for all associates and all contractors with access to corporate systems;
• Through policy, practice, and contract (as applicable) require associates, as well as third-parties who provide services on our behalf, to treat customer information and data with care;
• Run tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies;
• Leverage the NIST incident handling framework to help us identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident; and
• Maintain what we believe to be customary and appropriate third-party information security coverage for incident loss mitigation.
We also maintain an incident response plan designed to coordinate the activities we take with a goal to prepare for, detect, respond to, and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
As part of the above processes, we regularly engage with regulatory examiners, internal and external auditors, and other third-parties, and undertake a regular review by both our technology risk management team and corporate risk management team, to help identify areas for continued focus, improvement, and/or compliance.
Our processes also aim to address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our enterprise risk management assessment program, as well as our cybersecurity-specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, and monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate.
As disclosed above, we have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. However, any failure in, or unauthorized access to, our information systems, as such term is defined in Item 106(a) of Regulation S-K, could disrupt our business, result in unintentional disclosure or misuse of confidential or proprietary information, damage our reputation, increase our costs and cause losses, and have a material adverse effect on our business, financial condition, results of operations and prospects. Failures, interruptions, or data breaches involving our information systems, or the information systems of our vendors, could damage our reputation, result in a loss of customer business, result in a violation of privacy or other laws, or expose us to civil litigation, regulatory fines or losses not covered by insurance, all of which could have a material adverse impact on our business, financial condition, results of operations and prospects.
As of the date of this Annual Report on Form 10-K, we do not believe that any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. The expenses we have incurred from cybersecurity incidents, including the Vendor Incident, have been immaterial to date. Nevertheless, we also believe risks from certain cybersecurity threats, including as a result of our previously disclosed Vendor Incident, could potentially result in charges, settlements or other potential liabilities that could materially affect our business strategy, results of operations, and financial condition, depending on the outcome of pending lawsuits as discussed further below.
As previously disclosed, on June 21, 2023, our wholly-owned subsidiary Umpqua Bank was informed by one of its technology service providers (the "Vendor") that a widely reported security incident involving MOVEit, a filesharing software used globally by government agencies, enterprise corporations, and financial institutions, resulted in the unauthorized acquisition by a third-party of the names and social security numbers or tax identification numbers of certain of Umpqua Bank’s consumer and small business customers (the "Vendor Incident"). Other than the information described above, no Umpqua Bank account information was compromised as a result of the Vendor Incident, and no information from Umpqua Bank’s commercial customers was involved in the Vendor Incident. On June 22, 2023, Umpqua Bank sent an email to potentially affected consumer and small business customers informing them of the Vendor Incident. In August 2023, the Vendor, on behalf of Umpqua Bank, also sent notice via U.S. mail to the 429,252 Umpqua Bank customers whose information was involved in the Vendor Incident.
As previously disclosed, beginning on August 18, 2023, some of the notified individuals filed lawsuits against Umpqua Bank in various federal and state courts seeking monetary recovery and other relief on behalf of themselves and one or more putative classes of other individuals similarly situated. The cases collectively allege claims for negligence, negligence per se, breach of contract, breach of implied contract, breach of third-party beneficiary contract, breach of fiduciary duty, invasion of privacy, breach of the covenant of good faith and fair dealing, unjust enrichment and violation of certain statutes, namely the Washington Consumer Protection Act, the California Consumer Legal Remedies Act, the California Consumer Privacy Act, and the California Unfair Competition Law. Umpqua Bank has engaged defense counsel and intends to vigorously defend against these suits and any similar or related suits or claims. Umpqua Bank has notified relevant insurance carriers and business counterparties and continues to reserve all of its relevant rights to indemnity, defense, contribution, and other relief in connection with these matters. We cannot predict or determine the timing or outcome of these lawsuits or the impact they may have, if any, on our financial condition, results of operations or cash flows. We believe that if one or more outcomes in the litigation arising from the Vendor Incident are determined in favor of the plaintiffs, it could have a material adverse effect on our business, operations, or financial results.
Separately and as previously disclosed, Umpqua Bank experienced an on-premises MOVEit security incident in May 2023. The on-premises instance was removed from the network immediately and decommissioned, and the unauthorized actor did not obtain any customer information or Umpqua Bank data. An independent forensics firm was engaged and confirmed our assessment of this on-premises MOVEit incident, which did not cause any interruption of business operations. We do not currently believe the on-premises incident will have a material adverse effect on our business, operations, or financial results.
Cybersecurity Governance
Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management.
Our Board of Directors’ Enterprise Risk Management Committee (the "ERMC") is responsible for the oversight of risks from cybersecurity threats. At least annually, the ERMC receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as anticipated emerging threats, cybersecurity posture, progress towards predetermined risk-mitigation-related goals, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, the ERMC generally receives materials including a cybersecurity scorecard and other materials indicating current and emerging cybersecurity threat risks, and describing the Company’s ability to mitigate those risks, and discusses such matters with our Chief Information Security Officer, Chief Information Officer, and Chief Privacy and Information Risk Officer. Members of the ERMC are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks are also considered during separate Board meeting discussions of important matters like enterprise risk management, operational budgeting, business continuity planning, mergers and acquisitions, brand management, and other relevant matters.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Information Security Officer and Chief Privacy and Information Risk Officer. Such individuals have collectively over 40 years of prior work experience in various roles involving managing information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs. They also have several relevant degrees and certifications, including Certified Information Security Manager, Certified Information Systems Auditor, Certified Information Systems Security Professional, Global Information Assurance Certification, and Certified Professional Hacker.
These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, these members of management report to the ERMC about cybersecurity threat risks, among other cybersecurity related matters, at least annually.