FB Financial Corp - (FBK)
10-K Filing Date: February 27, 2024
ITEM 1C - Cybersecurity
Strategy and program oversight
We recognize the critical importance of developing, implementing, assessing and maintaining appropriate cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity and availability of our data. The Risk Committee of the Board of Directors oversees management's processes for identifying and mitigating risks, including cybersecurity risks. Our Chief Information Security Officer is primarily responsible for the implementation of risk mitigation strategies. Our CISO has over 35 years of information technology and cybersecurity experience and has held the title of CISO in this role since 2018. The CISO is supported by his direct reports and their teams, many of whom hold cybersecurity-related certifications. Our CISO regularly briefs the Risk Committee of the Board of Directors on our cybersecurity and information security posture. Recognizing the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts in addition to our experienced information security team. These external experts, who include cybersecurity assessors, consultants and auditors, assist in evaluating and testing our cybersecurity risk management systems. These partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain at the forefront of industry best practices. Our collaboration with these entities includes regular audits, threat assessments and consultation on security enhancements.
Integrated risk management
We have strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Key Risk Indicators, established in conjunction with the Board-approved Statement of Risk Appetite, are reported to the Information Technology Steering Committee, the Risk Management Committee and the Risk Committee of the Board of Directors on at least a quarterly basis. The Board's Risk Committee is provided an information security update on an annual basis. This escalation process provides for communication of any needed mitigation and remediation efforts related to cybersecurity risks.
We have implemented a comprehensive set of information security policies, standards, and related trainings to promote awareness for the prevention and detection of cybersecurity risk. Every employee is required to review, acknowledge, and/or complete the information security framework in connection with the employee's onboarding process at the time they are hired. Additionally, each employee is required to formally review and understand any changes to these policies and standards and to complete additional training on at least an annual basis. These policies, standards, and trainings address, but are not limited to, the following topics: data privacy and security, password protection, internet use, computer equipment and software use, e-mail use, risks associated with social engineering, and best practices and safety. Our internal audit team and bank examiners audit and review our information security program and risk mitigations on an annual basis. Additionally, external auditors audit specific components of the information security program as part of the annual financial statements audit. We adhere to and implement NIST guidelines and utilize the American Bankers Association-recommended Cyber Risk Institute Profile to annually evaluate our information security practices.
Because we are aware of the risks associated with third-party service providers, we implement processes to oversee and manage these risks. We conduct thorough security assessments of third-party providers before engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. The Third-Party Risk Management department reports to our CISO.
The Company also maintains coverage under a cybersecurity insurance policy. Levels of coverage are reviewed periodically to ensure alignment with the organization's risk appetite.
To our knowledge, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including its business strategy, results of operations or financial condition. With regard to the possible impact of future cybersecurity threats or incidents, see "Item 1A - Risk Factors - Technology and Operational Risks."