S&T BANCORP INC - (STBA)

10-K Filing Date: February 27, 2024
Item 1C. CYBERSECURITY
Risk Management and Strategy
S&T’s Information Security Program provides policies, procedures, controls and technical measures to assess, identify and manage material cybersecurity risks. The Information Security Program is a part of S&T’s overall Enterprise Risk Management, or ERM Program. The Information Security Program is designed to achieve the following objectives:
a. Protecting data through the use of automated and manual processes;
b. Periodically assessing and updating the program to address an evolving threat environment;
c. Maintaining a team of IT security professionals that continually monitor, detect, analyze, investigate and report cybersecurity threats; and
d. Ensuring business continuity and disaster recovery.
We based and tailored our framework on the National Institute of Standards and Technology, or NIST, Cybersecurity Framework and the Center for Internet Security, or CIS, Critical Security Controls.
S&T BANCORP, INC. AND SUBSIDIARIES
The S&T Information Security Program utilizes a defense in depth strategy that leverages multiple security measures to protect the bank's assets. We encrypt and leverage data loss prevention technology for sensitive data and use advanced transport layer security encryption for our applications. S&T employees are required to undergo annual information security awareness training, which includes information regarding evolving threats such as phishing, malware and social engineering testing.
S&T performs periodic risk assessments that seek to identify both technical and physical risks to information systems. The assessments incorporate cybersecurity-related principles from the Federal Financial Institutions Examination Council, or FFIEC, Information Technology Examination Handbook, regulatory guidance and concepts from other industry standards, including the NIST Cybersecurity Framework. An assessment typically includes:
a. Identifying reasonably foreseeable internal and external threats that could result in a cybersecurity incident;
b. Assessing the likelihood and potential impact of those threats; and
c. Assessing the sufficiency of policies, procedures, practices, and technical measures in place to manage risks.
In addition to periodic risk assessments, S&T evaluates changes to IT systems or physical systems for any information security impacts. S&T utilizes staff and independent third parties to conduct annual penetration testing and IT security health assessments. We engage third parties to facilitate tabletop incident response and business continuity exercises. Additionally, we participate in various cybersecurity industry forums and have access to law enforcement analysis regarding current threats.
Our third-party risk management program is integrated into our Information Security Program within our ERM Program. The policies, procedures and practices applicable to the cybersecurity components of the third-party risk management program were developed and are maintained consistent with the FFIEC IT Examination Handbook, as well as guidance from our prudential regulators. We perform a risk assessment, including cyber threats, associated with use of third-party vendors and exercise appropriate due diligence before entering into a vendor arrangement. We also engage a third party to actively monitor our cybersecurity risks and gather threat intelligence on select vendors and their products and services. Additionally, we conduct information security assessments before sharing or allowing the hosting of sensitive data in computing environments managed by third parties. Our contracts governing third-party engagements require certain security and privacy protections where applicable. All third parties with access to our information systems must review and acknowledge our Acceptable Use Policy before access is granted.
When a cybersecurity incident occurs, whether detected internally or arising from a third party's cybersecurity incident, we evaluate the incident for criticality across a range of contributing indicators, including service availability, impact to operations, reputational impact, regulatory and legal considerations, data sensitivity and direct financial impact. The potential impact of the incident, individually or in aggregate, is evaluated by the Chief Security Officer, or CSO, continuously across these criteria. We have escalation procedures to notify members of senior and executive management, the Board (or an applicable subset) and regulators in a timely manner based on the criticality of the cybersecurity incident. S&T also has in place incident response and business continuity plans. The Incident Response Program outlines the policies, procedures and technical measures for identifying an incident, assessing its nature and scope, minimizing and containing the impact, investigating the root cause and reporting, as applicable. S&T uses data from incidents to reassess risk, evaluate and implement any additional controls deemed necessary and measure the success of the incident response team. The Incident Response Program also includes staff training, annual updates and testing. The Business Continuity Plan defines the policies, procedures and technical measures to restore systems and critical operations. S&T also maintains business continuity plans for critical systems and applications managed or hosted by third-party vendors.
To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition. We may nevertheless be unsuccessful in the future in preventing or mitigating a cybersecurity incident that could have a material impact on our business, results of operations or financial condition. At December 31, 2023, management has assessed known cybersecurity incidents for potential materiality and disclosure using formal documented processes and has determined that there have been no material cybersecurity incidents, individually or in aggregate.
Governance
Board Oversight
The Risk Committee is appointed by the Board and is authorized to perform its functions in assisting the Board with fulfilling its fiduciary responsibilities with respect to its oversight and assessment of S&T’s enterprise-wide risk management framework. The Risk Committee oversees risk from cybersecurity threats as a part of its oversight of the ERM Program. The Risk Committee regularly reviews reports from, and has discussions with, S&T’s Chief Risk Officer, or CRO, Chief Operating Officer, or COO, CSO, Chief Information and Technology Officer and Director of Operational Risk Management regarding cybersecurity risks, the threat landscape, updates on incidents and reports on our investments in cybersecurity risk mitigation and governance. The Risk Committee chairperson reports activities and recommendations with respect to such matters to the Board as are relevant and deemed appropriate by the Risk Committee. In the event of a material cybersecurity event, the CSO is responsible for promptly reporting such incidents to the CRO, executive management and the Board. A special meeting of the Board will be held, as deemed necessary by the Chairperson of the Board in consultation with the Chair of the Risk Committee.
Management’s Role
At the management level, the ERM Committee, CRO, COO, CSO, Chief Information and Technology Officer, Director of Information Technology and Director of Operational Risk Management are responsible for assessing and managing material risks from cybersecurity threats. The ERM Committee reports information to the Risk Committee on a quarterly basis, or more often as needed.
Risk Management leadership, which assists the ERM Committee in assessing and managing cybersecurity threats, includes our CRO, COO, CSO, Chief Information and Technology Officer, Director of Information Technology and Director of Operational Risk Management. Our CRO, who oversees the risk management information security program, reports to our CEO but has direct access to the Risk Committee. Our CRO is a Certified Public Accountant, holds a Certification in Risk Management Assurance and has over 25 years of financial services experience. Our COO has over 20 years of banking technology and operations experience, including serving as head of digital for a business unit at a large national bank. Our CSO reports to the CRO and has 17 years of information technology and cybersecurity experience, including prior roles as chief information officer, assistant director of information technology, chief information security officer and chief security officer in federal law enforcement and banking organizations. Our Chief Information and Technology Officer has nine years of information technology and cybersecurity experience. Our Director of Information Technology has 25 years of information technology and cybersecurity experience. Our Director of Operational Risk Management has 10 years of information technology and cybersecurity experience, including serving as a former chief information officer for a financial institution.
For more information regarding the risks associated with cybersecurity that may impact our business strategy, results of operations or financial condition, see Part I, “Item 1A. Risk Factors” of this Annual Report on Form 10-K.