Stock Yards Bancorp, Inc. - (SYBT)
10-K Filing Date: February 27, 2024
Risk Management and Strategy
Bancorp has established an Information Security (IS) program, which is overseen by the Director of Information Security and the Information Security Officer. Both of these roles report to the Chief Risk Officer. The IS program is structured upon and informed by the Center for Internet Security Risk Assessment Method (CIS RAM), which aligns with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). The primary objectives of the IS program are to protect the confidentiality, integrity and availability of our information assets, comply with applicable laws, regulations, contractual obligations and manage significant risks arising from cybersecurity threats. These processes are integrated into the institution’s overall risk management system, ensuring a unified approach to risk mitigation.
The IS program includes several key processes and functions such as access control monitoring, threat detection, vulnerability management, understanding the implications of technological changes, managing third-party relationships, and mandating employee awareness and education among other components. These activities aim to prevent avoidable errors, raise awareness, identify potential vulnerabilities, protect systems, detect security incidents and recover from any incidents that occur. These processes are continually updated and enhanced to keep pace with the evolving cybersecurity landscape.
To ensure effective risk management, Bancorp adopts the three lines of defense model, which consists of the following elements:
● The first line of defense is operational management, which is responsible for implementing and maintaining the IS program, as well as identifying and mitigating cybersecurity risks on a day-to-day basis.
● The second line of defense consists of the risk management and compliance functions, which provide oversight, guidance, and support to the first line of defense, as well as monitoring and reporting on the institution’s cybersecurity posture and performance.
● The third line of defense is the internal audit function, which provides independent assurance of the effectiveness and adequacy of the IS program, as well as compliance with relevant policies, standards and regulations.
When necessary, the institution engages external assessors, consultants, and auditors with expertise in cybersecurity to evaluate and enhance its systems, policies and procedures. These external parties provide valuable insights into emerging threats and best practices, enhancing Bancorp’s ability to adapt and respond effectively. Bancorp also undergoes recurring regulatory examinations, and any issues that are identified are actively tracked and monitored for remediation.
In addition to external entities, Bancorp has internal oversight mechanisms to identify cybersecurity risks, including those associated with its use of third-party service providers and related downstream service providers. This includes thorough due diligence during vendor selection, ongoing monitoring, setting clear contractual obligations to uphold cybersecurity standards and other interventions necessary to address risk such as those addressed in Part I Item 1A “Risk Factors.”
In the event of a security incident, Bancorp has developed an Incident Response Plan (IRP) to guide necessary actions. The IRP is a well-established document that is updated at least annually. It provides guidance before, during and after a confirmed or suspected security incident, outlining how to minimize the duration and damage of an incident, identifying a response team and streamlining actions to reduce recovery time.
While Bancorp has not experienced any cybersecurity incidents that have materially affected its operations, it acknowledges the potential impact such risks could have on business strategy, financial condition and operational resilience. The institution remains vigilant, continuously evaluating and enhancing its cybersecurity measures to preemptively address any potential risks that could impact its operations or financial condition in the future. This approach aligns with the institution’s commitment to maintaining the trust and security of its stakeholders in an increasingly digital world.
Governance
Bancorp’s Credit and Risk Committee, which includes board of director representation, maintains a robust oversight framework for evaluating and managing risks associated with cybersecurity threats. The committee convened six times during the year ended December 31, 2023 in order to carry out its oversight responsibilities, engaging directly in discussions about cybersecurity risks to ensure they are comprehensively addressed within the institution’s risk management framework. This included, but was not limited to, vulnerability trends, identified or potential third-party risks, risks precipitated by technological changes, confirmed or potential security incidents, policy and procedure changes, the organization’s risk appetite, the FFIEC’s Cybersecurity Assessment Tool, conclusions from the risk assessment, audit and regulatory reports, routine quarterly and annual reporting, as well as other notable key risk indicators.
The entire board of directors of Bancorp is actively involved in the oversight of the institution’s cybersecurity risks. The Chair of the Credit and Risk Committee regularly reports the committee’s activities to the board of directors. In addition, management reports to the board of directors on an as-needed basis concerning high-priority information security-related topics, such as cybersecurity incidents. This ensures that the board of directors is always informed and can provide strategic direction on significant cybersecurity matters.
A dedicated committee, the Information Security Steering Group (ISSG), is specifically responsible for overseeing cybersecurity threats and informing the decisions of the Credit and Risk Committee. The ISSG, comprising individuals with diverse expertise in technology, risk management and cybersecurity, meets monthly. They discuss a range of strategic topics, including vulnerability trends, identified or potential third-party risks, risks precipitated by technological changes, confirmed or potential security incidents and other items related to the institution’s preparedness measures. The ISSG’s purpose is to provide strategic direction for the IS program and to evaluate known risks based on Bancorp’s existing controls and risk appetite.
Management also plays a crucial role in assessing and managing Bancorp’s cybersecurity risks. Specific roles, such as the Information Security Officer (ISO) and Director of Information Security (DIS), are tasked with monitoring, evaluating, and mitigating these risks in coordination with the ISSG. Both the ISO and DIS possess relevant expertise and experience in cybersecurity, enabling them to effectively navigate and respond to emerging threats. The ISO, who holds a Bachelor’s degree in Computer Science and a Master’s degree in Information Systems Security, along with several relevant industry certifications, has been with Bancorp for three years and has additional experience working in technology outside of the organization. The DIS, who also holds several relevant certifications, has been with Bancorp’s Information Security department for 19 years and brings extensive experience with technology.
To keep the ISSG and Credit and Risk Committee informed, management ensures consistent and structured reporting mechanisms are in place. They regularly update these governing bodies on the prevention, detection and mitigation of cybersecurity incidents. This reporting includes detailed insights into the institution’s cybersecurity posture, ongoing initiatives and any necessary adjustments or enhancements to existing measures.
The communication between management, the ISSG, and the Credit and Risk Committee facilitates a holistic understanding of cybersecurity risks, ensuring proactive measures are in place to safeguard Bancorp's operations, preserve its financial stability, and maintain the trust of its stakeholders.