SOUTHSIDE BANCSHARES INC - (SBSI)

10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
Risk Management Strategy
Given the increasing reliance on technology and potential of cyber threats, we have integrated a cybersecurity component into our risk management program, which is designed to identify, assess and mitigate risks across various aspects of the Company. We have a dedicated Information Security Department, which is led by our Chief Information Security Officer. The Information Security Department serves to protect the security and confidentiality of customer information, protect against any threats or hazards to the security or integrity of Company information and protect against unauthorized access to, or use of, such information that could result in substantial harm or inconvenience to our customers.
Our information security program strives to protect the confidentiality, integrity and availability of information and information systems and is aligned to the Company’s business and risk management strategies. It shares common methodologies, reporting channels and governance processes that apply to other areas of enterprise risk. Key elements of our cybersecurity risk management program include:
IT risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise information technology environment;
Information Security Department responsible for managing our cybersecurity risk assessment processes, our security controls, and our response to a cybersecurity incident;
the Cybersecurity Assessment Toolkit (developed by the FFIEC), which is completed annually to track program maturity and changes in our risk profile and to review the security controls critical to reducing cybersecurity risk; results are presented to and approved by the Board;
the Ransomware Assessment Toolkit (developed by the Bankers Electronic Crimes Task Force, state bank regulators and the U.S. Secret Service), which is completed biannually to capture any gaps and address any potential control deficiencies;
training and awareness programs for employees that include periodic and ongoing assessments to drive adoption and awareness of cybersecurity processes and controls;
the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
a cybersecurity incident response plan that includes procedures for responding to a cybersecurity incident; and
a third-party risk management process for service providers, suppliers, and vendors, including those external service providers we engage in our cybersecurity risk management processes.
Risks from cybersecurity threats are assessed with existing controls and residual risk is monitored. We have not experienced any material cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition. We cannot provide full assurance that our cybersecurity risk management processes described will be fully implemented, complied with or effective in protecting our systems and information. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See “Part I - Item 1A. Risk Factors – Risks Related to Our Business” in this report for a discussion of risks related to cybersecurity.
Governance
Management’s Role
Our CISO leads our Information Security Department, is responsible for the information security program, which includes cybersecurity, and reports to the Chief Risk Officer. Our CISO joined the Company in 2012. He has 18 years of experience in both information technology and information security. He holds a Master of Business Administration in Cybersecurity and a graduate studies certificate in cybersecurity, and has achieved four certifications: Certified Information Security Manager, Certified Information Systems Auditor, Certified Data Privacy Solutions Engineer and Cisco Certified Network Associate. The CISO provides an annual report on the information security program and monthly reports to the Audit Committee, including any security incident or notable security event for the period. The CISO also reports to the Company’s Risk Committee on risk assessments annually and on key risk indicators at least quarterly.
We also have a trained response team led by the CISO, consisting of key individuals from our finance, operations, risk, compliance, communications, human resources, banking and information technology departments, that is engaged for cybersecurity-related incidents where necessary and as appropriate.
Board Oversight of Cybersecurity
The Company’s Audit and Risk Committees oversee cybersecurity risk and the information security program, which includes overseeing management’s actions to identify, assess, mitigate and remediate or prevent material cybersecurity risks. The Audit Committee receives an annual report on the information security program and monthly reports from the CISO on notable security events for the period. The notable security event briefings by the CISO are intended to prompt discussion that allows Board members to understand the impact, controls and risk. The Risk Committee receives annual reports from the CISO on risk assessments and reports on key risk indicators at least quarterly. The Company’s Risk Committee also receives at least one training session annually from the CISO on the information security program, cybersecurity controls or cybersecurity threats.
Both the Bank’s internal Risk Committee and the Company’s Risk Committee review all risk assessments and remediations annually. The information security program includes policies and standards that define the risk assessment procedures, reporting and an incident response plan. The incident response plan defines escalations to senior management and the Board, as well as required notifications and timeframes to customers and regulatory authorities.