BANCFIRST CORP /OK/ - (BANF)
10-K Filing Date: February 27, 2024
The Company recognizes the critical importance of maintaining the safety and security of its systems to protect its customers, maintain its reputation, and preserve the value of the Company and its data, and therefore has an enterprise-wide risk management framework for overseeing and managing cybersecurity and related risks. The process is supported by both management and its Board of Directors.
The Company relies heavily on sensitive information to run daily operations and deliver products and services. To protect the availability, integrity, and confidentiality of sensitive information and sensitive infrastructure, the Board of Directors requires the Company develop and implement a comprehensive Information Security Program, which focuses on the confidentiality, availability and security of information and systems. The Information Security Program defines the strategy that the Company uses to protect and secure its systems and media that process and maintain sensitive information. The program details the governance, management, operations, and assurance of the program, and seeks to identify, prevent and mitigate cyber threats and to respond effectively to cyber threats when they occur.
The cybersecurity function is led by the Company's Chief Information Officer ("CIO"), who reports to the Company's Chief Operating Officer ("COO"). The Chief Information Security Officer ("CISO") reports to the CIO and generally is responsible for management of cybersecurity risk and the protection and defense of the Company's networks and systems. The CISO manages a team of cybersecurity professionals with broad experience and expertise, including threat assessments and detection, mitigation technologies, cybersecurity training, incident response, insider threats and regulatory compliance.
The Company has not, as of the date of this Form 10-K, experienced a cybersecurity threat or incident that resulted in a material adverse impact to its business or operations. Nevertheless, there are no assurances the Company will not experience such an incident in the future. Such incidents, whether or not successful, could result in the Company incurring significant costs related to, for example, rebuilding its internal systems, implementing additional threat protection measures, defending against litigation, responding to regulatory inquiries or actions, paying damages, risk of customers moving relationships with the Company to another institution, or taking other remedial steps with respect to third parties, as well as incurring significant reputational harm.
Board Oversight
Our Board of Directors is responsible for overseeing our enterprise risk management activities in general, and each of our Board committees assists the Board in the role of risk oversight. The full Board receives an update on the Company's risk management process and the risk trends related to cybersecurity at least annually and receives reports on incidents that exceed certain thresholds and updates on responses thereto. The Information Security Committee is directly responsible for oversight of risks related to cybersecurity. The Board receives reports on information security and cybersecurity from the Information Security Committee at least four times a year.
Risk Management and Strategy
The Company continuously seeks to identify threats, vulnerabilities, and cybersecurity risks on information assets. Threats are identified through experience, regulatory requirements, information sharing, third party vendors, internal and external security assessments, and industry periodicals.
The risk assessment process identifies areas that are required to be protected and determines whether adequate controls are used to safeguard the Company against threats and vulnerabilities. Adjustments required to adhere to regulatory changes are a regular function of the assessment process, as are changes to technologies, processes, and other factors. From the analyses, any additional controls are identified, prioritized and implemented.
Security Controls and Continuous Monitoring
Security controls and design are critical to mitigating risks. The Company works to protect its computing environments and products from cybersecurity threats through multi-layered defenses and applies lessons learned from its defense and monitoring efforts to help prevent future attacks. The Company utilizes data analytics to detect anomalies and monitor for possible cyber threats. The Company's Cybersecurity Operations Center provides comprehensive cyber threat detection and response capabilities and maintains a 24x7 monitoring system which complements the technology, processes and threat detection techniques the Company uses to monitor, manage and mitigate cybersecurity threats. From time to time, the Company engages third party consultants or other advisors to assist in assessing, identifying and/or managing cybersecurity threats. The Company's Internal Audit function also conducts information technology and cybersecurity reviews and assessments.
Threat Intelligence
The Company considers threat intelligence from third party sources to strengthen systems and network preparedness for cybersecurity risks. The Company uses associations, such as the Financial Services Information Sharing and Analysis Center ("FS-ISAC"), to stay informed of threat information.
Third Party Risk Assessments
The Company conducts information security assessments before sharing or allowing the hosting of sensitive data in computing environments managed by third parties, and its standard terms and conditions contain contractual provisions requiring certain security protections.
Incident Response and Recovery Planning
The Company has established comprehensive incident response and recovery plans and continues to regularly test and evaluate the effectiveness of those plans. The Company's incident response and recovery plans address and guide its employees, management and the Board on its response to a cybersecurity incident.
Training and Awareness
The Company provides awareness training to its employees to help identify, avoid and mitigate cybersecurity threats. All employees with network access participate annually in required training, including spear phishing and other awareness training. The Company also periodically hosts tabletop exercises with management and other employees to practice cyber incident response.