ENTERPRISE FINANCIAL SERVICES CORP - (EFSC)
10-K Filing Date: February 26, 2024
ITEM 1C: CYBERSECURITY
Governance
Our Information Security (“IS”) Program consists of policies, procedures and guidelines to ensure the security, availability and confidentiality of client information. The IS Program is led by our Chief Information Security Officer (“CISO”) under the direction of the Chief Administrative Officer and is subject to additional management oversight by our Operations Technology Committee. The CISO has over 20 years of experience in cybersecurity and holds bachelor’s, master’s and Juris Doctor degrees. He is a licensed attorney in both Missouri and Illinois. He currently holds multiple professional security certifications, including ISC2 Certified Information Systems Security Professional and Certified Cloud Security Professional, ISACA Certified Information Security Manager and EC-Council Certified Ethical Hacker. The Chief Administrative Officer has a bachelor’s degree and an MBA degree. He is also an active, licensed CPA in the state of Missouri. Prior to his appointment as Chief Administrative Officer, he served in senior finance roles within the Company, including Senior Vice President and Controller, and Chief Financial Officer of Enterprise Bank & Trust. The Operations Technology Committee is a management committee with overall responsibility for monitoring the systems, policies and procedures for our loan, deposit and wealth management business operations. This includes the framework used to identify and prevent cyberattacks or breaches. The Operations Technology Committee chair reports committee activities to the Risk Committee of the Board. Additionally, the CISO is a member of this committee, as well as the Risk Oversight and ESG Management Committees, and advises these committees on risks and opportunities related to information security, including data privacy.
The Risk Committee of the Board oversees the IS Program in the following ways: (a) it monitors and oversees the Company’s business and information technology operations necessary for its business plan, including projected growth, technology capacity, planning, operational execution, product development and management capacity; (b) it reviews the Company’s framework to prevent, detect, and respond to cyberattacks or breaches, identifies areas of concern regarding possible vulnerabilities and best practices to secure points of vulnerability, and reviews policies pertaining to information security and cyber threats, taking into account the potential for external threats, internal threats, and threats arising from transactions with trusted third parties and vendors; and (c) it reviews the Company’s incident response, business continuity and disaster recovery planning and preparedness, including the processes, policies and procedures related to preparing for the recovery or continuation of technology infrastructure that is vital to the Company. As part of the Board’s oversight, the Board receives quarterly IS reports and updates from the Chief Information Officer (“CIO”) and CISO. At least annually, our Board also receives IS reports from the CISO which summarize new and emerging cybersecurity trends, trends in the type, frequency and origination of attacks, and the effectiveness of our IS Program in mitigating cybersecurity threats. In the event of an information security incident, our Incident Response Plan clarifies the steps for escalation according to the severity of the attack.
The IS team is staffed primarily with internal associates, and we utilize third-party service providers for extended coverage. We hire IS team members who have industry-relevant information security or technology certifications and knowledge to implement and oversee the procedures and processes of our IS Program and to adequately manage and enforce our IS policies, procedures and guidelines. Further, management involved in the cybersecurity process possesses the necessary skills and expertise to adequately manage and enforce our IS policies, procedures and guidelines.
While all vendors are subject to our vendor management due diligence process, those with access to our data and data centers are subject to more rigorous initial and more frequent ongoing due diligence. This includes reviews of Service Organization Control 2 reports, information security policies, vulnerability and penetration tests, human resource policies such as background checks and training, and business continuity plans.
We may face cybersecurity risks in connection with our normal business that could have a material adverse effect on our business strategy, results of operations, financial condition, or reputation. Although such risks have not materially affected us, we have experienced, and may continue to experience, cyber incidents during our normal course of business. For further discussion about these risks, see “Item 1A- Risk Factors - Technology and Cybersecurity Risks.”
Risk Management and Strategy
As part of the ongoing maintenance and development of our IS Program, we assess the various risks associated with the unauthorized access or loss of client information and the quality of security controls as prescribed by the Federal Financial Institutions Examinations Council and the National Institute of Standards and Technology Cybersecurity Framework. Our IS risk assessments are prepared in conjunction with our ERM framework, and the results are used to develop strategies to minimize risk to information assets.
Our systems are monitored 24/7 for cybersecurity threats, and we utilize a variety of tools to reduce the risk of data breaches. We maintain an Incident Response Plan which outlines the steps to be taken in the event of an information security incident, which could include a potential or actual data breach. The plan identifies a designated team, including associates and third-party experts responsible for the response, and summarizes the steps, including escalation protocol, for determining whether a breach has occurred and the nature and scope of the breach (if applicable). The plan also summarizes protocol for notifying impacted persons, which may include clients, as well as other applicable agencies or persons, including law enforcement and regulatory authorities.
The Incident Response Plan is led by our CISO, who is also a member of the Disclosure Committee. The Disclosure Committee is a cross-functional management group that is tasked with ensuring that external disclosures subject to SEC rules and regulations are accurate, complete, and timely. Members of the Disclosure Committee include leadership from accounting, credit, information security, information technology, legal, and operations. In conjunction with the working process of the Incident Response Plan, members of the Disclosure Committee evaluate cybersecurity incidents to determine whether disclosure is required.
At least annually, we conduct a third-party information security penetration audit focusing on internal and external network security protocols, as well as internally managed ad hoc testing as needed. Simulations and tabletop testing of our business continuity and Incident Response Plans are performed on a routine basis to test and improve our associates’ familiarity and preparedness for a security event. Any gaps or improvement areas identified by routine testing are addressed in a timely manner to help improve future security testing.
The processes and controls related to data security are regularly tested by the IS department and Internal Audit. Additional internal security assessments may be performed at the request of the CISO, CIO, the Director of Internal Audit, Management or our Board. Audit and assessment results are presented to the Board, as well as the following committees: management’s Operations Technology Committee and the Audit and Risk Committees of the Board.
At least annually, the IS Program, including its effectiveness, is reviewed by the Board or a committee thereof. Annually, all associates participate in mandatory training on data privacy provisions and policies, including information security and its importance with respect to client and associate privacy.
All associates (including both full-time and part-time associates) are required to participate in monthly firmwide phishing tests.