HOME BANCSHARES INC - (HOMB)

10-K Filing Date: February 26, 2024
Item 1C. CYBERSECURITY
Cybersecurity Risk Management
Cybersecurity is critical to supporting our business and protecting our customers in an increasingly complex environment. We face a variety of cybersecurity threats including attacks that are common to most industries, such as ransomware and denial-of-service, as well as attacks from advanced and highly organized adversaries targeting financial services companies. Our information systems have from time to time experienced such attacks despite our best efforts to prevent them. Our customers, suppliers, and other third parties also face similar cybersecurity threats, and a cybersecurity incident impacting any party could have a material impact on our operations, performance, or operating results. None of these threats or incidents have to date materially affected our business strategy, results of operations, or financial condition. However, we cannot assure that any future security breaches will not occur or that any such events that have occurred or may occur in the future will not result in material harm to our business, operations, reputation or profitability. These threats and related risks highlight the importance of allocating resources to protect the Company and our customers.
The Company maintains a formal Information Security Program that includes risk assessments regularly conducted by internal resources as well as third-party experts. These assessments are used to evaluate potential security threats that may have a negative impact on the organization, detect potential vulnerabilities and mitigate any identified security risks. Our program leverages industry standards and frameworks and is designed to protect the confidentiality, integrity, and availability of our information assets and systems.
The Information Security Program is led by the Chief Information Security Officer ("CISO"), who reports to the Chief Risk Officer. The Chief Risk Officer has oversight of the Company’s risk management framework, which includes the Information Security Program. The CISO provides program oversight and direction, including adjustments in response to changes in technology, threats, business processes, and regulatory or statutory requirements. The CISO works collaboratively with information technology staff, operational management, and functional stakeholders to implement a program designed to protect our information systems from cybersecurity threats and promptly respond to potential cybersecurity incidents. The CISO has over 24 years of experience in the fields of information technology and cybersecurity, most at a Fortune 500 global technology company, and maintains multiple professional cybersecurity certifications.
Our Information Security Program consists of several elements including:
Incident Monitoring and Response. We have 24x7 cybersecurity monitoring, which utilizes both third-party cybersecurity experts and leading tools to monitor activity in our information systems. We also maintain an incident response plan and playbooks that define our response to a cybersecurity incident, including a cross-functional incident response process that includes key stakeholders such as senior leaders and legal, and leverages our technological resources and third-party service providers. Through ongoing communication with these teams, the CISO monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents in real time, and reports such incidents to leadership when appropriate pursuant to internal guidelines governing the reporting of such events.
Threat and Vulnerability Management. We maintain a threat and vulnerability management program that leverages multiple data sources to proactively identify, assess, and mitigate changing cybersecurity risks. This program incorporates vulnerability scanning and threat intelligence capabilities, which are in place to help safeguard information assets. We also share and receive threat intelligence with government agencies, the Financial Services Information Sharing and Analysis Center ("FS-ISAC") and cybersecurity vendors and leaders in the cybersecurity industry.
Infrastructure and Data Protection. We have technical and organizational safeguards that are designed to protect our networks, systems, and data from cybersecurity threats, including: firewalls, intrusion prevention and detection systems, network and endpoint anti-malware protections, and access controls such as privileged access management. Our information security and information technology teams collaborate regularly to assess the security of current and future infrastructure changes.
Third-Party Risk Management. We run a third-party risk management program designed to identify and manage risks, including cybersecurity risks, involving our third-party providers. This includes performing due diligence and assessment of each provider’s cybersecurity posture as well as periodic re-assessments.
Security Training and Awareness. We provide ongoing education and training to employees regarding cybersecurity threats and the role they play in helping prevent and detect these threats. This includes regular phishing simulations, with training provided for any failures, as well as periodic communications via the internal company portal concerning threats, best practices, and technology changes to improve security. We also work with the Company marketing department to periodically publish articles on our website to raise security awareness with our customers.
While we maintain teams that specialize in cybersecurity and information technology, we also leverage third-party experts to provide objective feedback on our program and posture. This feedback is obtained via penetration tests, security posture assessments, and technology consulting. These independent evaluations help validate existing controls, identify potential focus areas, and aid in securely deploying technology in an increasingly complex environment.
Our cybersecurity program is evaluated regularly by both the internal audit function as well as third-party audit firms. These audits help ensure our program is appropriate to address the changing threat landscape and aligns to industry standards such as the National Institute of Standards and Technology Cybersecurity Framework, as well as other legal and regulatory guidance including the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool, Conference of State Bank Supervisors Ransomware Self-Assessment Tool, the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act. Controls are reviewed for adequacy and design at least annually, and both internal and third-party audits aid in identifying areas for continued focus, providing assurance that controls are appropriately designed and operating effectively. Additionally, we meet regularly with examiners from the Federal Reserve and the Arkansas State Bank Department to review our cybersecurity program and discuss the changing threat landscape.
Our cybersecurity personnel maintain current knowledge through training, obtaining professional certifications, and participation in industry groups such as FS-ISAC, American Bankers Association and Mid-Sized Banking Coalition of America. Company cybersecurity personnel expand and test their knowledge of cyber threats and countermeasures through additional on-the-job training and periodic simulated exercises to practice their response to real-life threats. We maintain a training budget and personnel are encouraged to obtain formal training and industry-approved certifications as appropriate for their roles and responsibilities. Some of the certifications held by our information security personnel include CERT Insider Threat Program Manager, GIAC Information Security Professional, GIAC Security Leadership, GIAC Continuous Monitoring, GIAC Certified Forensic Analyst, CompTIA Security+ and ISC2 Certified Information Systems Security Professional.
Board Oversight and Governance
Our Board of Directors (the “Board”), in conjunction with management, is responsible for assessing which risks are warranted and acceptable, based on management’s ability to:
identify and understand such risks;
measure the degree of exposure to such risks;
monitor the changing nature of the risk and related exposure; and
develop and implement processes and procedures to control such risks.
The Board and management define risk tolerances in the policies of the Company. The Board maintains oversight of risks from cybersecurity-related threats through various committees, including the Audit and Risk Committee and the bank's Executive Risk Committee. The CISO reports to the Executive Risk Committee. The CISO provides periodic reports to directors that permit them to measure management’s compliance with the defined risk limits and to gauge the changing nature of risk inherent in the Company’s chosen lines of business and operations, as well as risk arising from changing factors within the Company, such as management and personnel changes and technology changes. This includes an annual program update to the Executive Risk Committee and the Board. All Board members undergo annual cybersecurity training by third-party cybersecurity experts on cybersecurity threats, industry trends, and other topics relevant to financial institutions. This training and their overall knowledge of the financial industry provide a solid foundation for understanding cyber risk and their oversight responsibility.
Executive Risk Committee. The Executive Risk Committee (“ERC”) is responsible for oversight of our bank subsidiary’s enterprise risk management framework and overall risk management practices and includes members of our Board, the board of directors of our bank subsidiary, and both executive and senior level management of the bank. The ERC oversees the policy review and approval program based upon the risk appetite of the Board, assists in the development and monitoring of risk identification and escalation processes, ensures that ongoing monitoring is in place to identify risks that could affect the achievement of the Company’s key strategic goals and objectives, and ensures that the Board has the proper information to adequately assess the risks facing the Company. Cybersecurity reports and issues are presented at least quarterly to the ERC.
Information Technology/Security Committee. The Information Technology/Security Committee (“ITSC”) is a management level committee that serves at the direction of the Board and provides oversight of the Company’s information technology and information security programs. The members of the ITSC include management and leaders with an expansive background in information technology and cybersecurity. The ITSC meets monthly to review information security and information technology reports and issues. It reports meeting minutes to the Board and ensures the Board has the proper information to adequately assess the risks facing the Company by maintaining oversight of:
effective strategic information technology and information security planning and performance;
major projects, priorities, and overall performance;
the adequacy and allocation of resources; and
the risks involved with the information technology and information security functions.