HERITAGE FINANCIAL CORP /WA/ - (HFWA)
10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
Enterprise Risk Management and Technology Risk Management. Within the Company's Enterprise Risk Management program, Technology Risk Management plays a pivotal role in overseeing the organization's risk posture, specifically focusing on the assessment of information and cybersecurity risks. Evaluated risks are subject to rigorous controls, ensuring both design and operational effectiveness and adherence to regulatory requirements. In instances where a risk is identified as inadequately controlled, prompt remediation measures are implemented to reduce the risk to an acceptable level.
Identification of risks is a multifaceted process, encompassing diverse activities such as management self-disclosure, monitoring of regulatory and interagency authorities, engagement with professional and industry forums, internal and external audits, collaboration with third-party professional services, policy reviews and walkthroughs, adherence to best practice frameworks, leveraging subject matter expertise and industry experience, and maintaining a collaborative relationship with third-party service providers/vendors. The Technology Risk Management practice operates as a continuous assessment model, utilizing information gathered daily, weekly, monthly, and annually to provide insights into the state of controlled risk within the organization. Security testing and assurance activities may be outsourced to independent audit and security firms based on factors such as resource capacity, subject matter expertise, regulatory requirements, and the prevailing rate and condition of risk.
Daily operational activities are in place to ensure the achievement and implementation of security requirements, including the management of security architecture, monitoring for potential security events or incidents, and the reporting and response to detected threats in our technology environments. The Information and Cyber Security Policy and Program establish policies and standards required to be implemented in support of these practices and processes. Additionally, we maintain a compliant and comprehensive Security Incident Response Plan, incorporating accessible resources such as insurance providers, digital and cyber forensic experts, law enforcement, along with documentation of regulatory notification. Our practices are interdependent with service providers/vendors, and we collaborate appropriately with these partners on notification and investigation processes to ensure complete visibility into security risks and events.
As of the reporting period, the Company has not experienced any material cybersecurity events or incidents. Although third-party service providers have encountered cybersecurity events or incidents, these occurrences have not resulted in a material impact on our systems, computing environments, customers, or data.
Governance
Board Oversight: The Company’s Board of Directors ("Board") provides active oversight of cybersecurity threats in accordance with the Board-approved Information and Cyber Security Policy and Program. These policies and programs aim to achieve a controlled risk environment while meeting regulatory, legislative, and compliance requirements, including but not limited to the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Information Technology Sarbanes-Oxley Act (IT SOX) Compliance, and Payment Card Industry Data Security Standard (PCI-DSS) Compliance.
Direct oversight of cybersecurity risks is delegated to the Board's Risk and Technology Committee. The Committee meets at least quarterly and receives reports detailing current risks, the maturity and functioning of associated processes and controls, and emerging or anticipated risks and threats. Additionally, the Risk and Technology Committee Chair provides a verbal summarized report to the full Board. All Committee reports are available to the full Board for review. In the event of critical matters arising between scheduled meetings, the Chief Risk Officer promptly notifies the Board and Risk and Technology Committee.
To further ensure independence and effectiveness, the Board has delegated authority for the conduct of the cybersecurity program, including the referenced reports, to the Technology Risk Management Director. This position fulfills the role and responsibilities of a Chief Information Security Officer and reports to the Chief Risk Officer who in turn reports independently to the Chair of the Board's Risk and Technology Committee. Additional layers of oversight are integrated into the program through the Director of Internal Audit, who conducts independent audits of critical information technology and cybersecurity activities. The results of these audits are reported to the Board's Audit and Finance Committee, providing an extra layer of assurance and accountability. The Director of Internal Audit reports independently to the Chair of the Board's Audit and Finance Committee.
Management's Role in Assessing and Managing Cybersecurity Risks. Management's role in assessing and managing material risks from cybersecurity threats is integral to the Company's governance framework. The Board-approved Information and Cyber Security Policy and Program outline specific roles and responsibilities delegated to management and the Enterprise Risk Management program, which includes Technology Risk Management.
The Technology Risk Management Director, a seasoned information and cyber security expert with significant experience in financial institutions, oversees Technology Risk Management. This expert conducts comprehensive assessments of cybersecurity risks inherent in the industry and the Company's business activities, evaluating controls implemented to address identified risks.
The Technology Risk Management Director is responsible for maintaining the Company's information and cyber security risk management framework. This framework establishes standards and processes for the continuous assessment of material cybersecurity risks, covering identification, measurement, mitigation activities, monitoring, and reporting of the risk posture at any given time. Additionally, the Director ensures oversight and compliance with the Security Incident Response Plan, providing guidance during security incidents, whether within the Company or involving service provider/vendor engagements.
The Company’s information technology department, including a dedicated security operations group, plays a crucial role in implementing practices aligned with the Information and Cyber Security Policy and Program requirements. Responsibilities include the maintenance and monitoring of systems, network(s), and application access and error logs, identification of unauthorized access attempts, adherence to access controls standards, configuration management, and the implementation of controls to mitigate risks related to information availability, integrity, and confidentiality.
Business activities, products, and services are managed by experts in their respective fields, with employees receiving training to detect and prevent material cybersecurity threats. Business leaders are expected to understand specific threats within their areas of responsibility and adhere to established processes and standards to control such threats.
To facilitate a transparent and collaborative approach to managing cybersecurity risk, an executive management level committee has been established. Chaired by the Chief Risk Officer and administered by the Technology Risk Management Director, the committee ensures continual awareness of the information and cybersecurity risk posture, emerging threats, known threat actors, and vulnerabilities. Its purpose is to foster a security culture within the Company through active participation in planning and managing threat and security risk activities.
All committee activities are reported to the Board's Risk and Technology Committee through committee minutes and formal activity reports provided by the Technology Risk Management Director.