INTERNATIONAL BANCSHARES CORP - (IBOC)
10-K Filing Date: February 26, 2024
Risk Management and Strategy
As a financial institution in today’s digital landscape, we understand that cybersecurity and data protection are of paramount importance to our business, our customers, and our reputation. With the proliferation of online banking and the digitalization of financial services, we recognize that our policies and procedures for safeguarding sensitive customer data must be as sophisticated as the cyber threats we are defending against. Accordingly, cybersecurity is a high-priority component of our overall risk-management system and risk-control infrastructure. We have implemented robust, multi-layer security procedures and defense strategies that aim to proactively mitigate cyber risks, enable our early detection and prevention of security incidents, minimize our vulnerability to attacks, and protect us from both internal and external cybersecurity threats.
Commensurate with the risks we face and the sensitivity of the data and systems we are protecting, our Information Systems Security Program (ISSP) includes layers of administrative and technical safeguards designed to protect the confidentiality and integrity of sensitive information belonging to us and our employees, partners, and customers, to guard against the unauthorized access, alteration, disclosure, or destruction of that information, and to defend that information from potential, known, emerging, and evolving security risks. We have established multiple control points within our security infrastructure to reduce the risks associated with embedded technologies that could fail or be manipulated by nefarious actors, to prevent the intentional and unintentional infiltration of cybersecurity threats, and to maximize their separation from our sensitive information systems and assets. In developing our ISSP, our policies, standards, and procedures were heavily informed by and incorporated provisions from various sources of statutory and regulatory guidance as well as numerous leading industry frameworks, including the NIST Cybersecurity Framework, various NIST special publications, the Fair Information Practice Principles established by the Federal Privacy Council, the Privacy Management Framework developed by the American Institute of Certified Public Accountants, and the Center for Internet Security’s Critical Security Controls.
As part of our ISSP and strategy for managing cybersecurity risks, we have adopted the following cybersecurity policies:
· Enterprise Information Systems Security Policy, which, among other objectives, prescribes a comprehensive framework for creating a practice-based Information Security Management System; protecting the confidentiality, integrity, and availability of our data and systems; providing for the development, review, maintenance, and ability to ensure the effectiveness of minimum security controls required to protect our data and systems; and recognizing the highly networked nature of the current computing environment to provide effective company-wide management and oversight of related cybersecurity risks;
· Corporate Account Takeover Policy, which serves to mitigate the risks of corporate account takeover crimes and to document our compliance with the Texas Department of Banking’s Supervisory Memorandum 1029 on “Risk Management of Account Takeovers,” dated September 30, 2019, and the FFIEC’s guidance on “Authentication and Access to Financial Institution Services and Systems,” dated August 11, 2021;
· Vendor Management Policy, which provides a risk-based process for identifying, measuring, monitoring, and managing third-party relationships with new and existing vendors by requiring an assessment, categorization, and ranking of the risks associated with each third-party vendor and implements a third-party risk-management process that focuses on risk assessment, due diligence in selecting third-party vendors, contract structuring and review, and ongoing oversight of the operational and financial performance of the third-party vendor’s products and services;
· Service Center Physical Security for Data and Computing Equipment Policy, which provides directives for implementing appropriate physical security controls to protect the hardware, infrastructure, and systems that store and transmit our sensitive information and data from damage, unauthorized access, and loss of availability; to monitor, analyze, and properly disclose security alerts and information; and to administer other administrative and technical operational security procedures; and
· Security Incident Response Policy, which establishes the steps necessary to ensure a timely and adequate response to security incidents impacting our security systems or infrastructure.
Some of the steps we have taken and processes we have implemented to assess, identify, and manage material risks from cybersecurity threats include the following:
· Forming an IT Cybersecurity Committee (ITCC), which consists primarily of members of our management team and IT department, to develop and oversee our cybersecurity policies and infrastructure and establishing a multi-tiered reporting and governance system pursuant to which our ITCC reports to our Service Center Board, which reports to our Risk Committee, which reports to our Board;
· Implementing heightened safety measures, physical-security controls, and controlled-access requirements to protect the Service Center that houses the hardware and infrastructure used to store and transmit sensitive and confidential bank, customer, and employee information in accordance with the FFIEC IT Examination Handbook on Information Security and designating a specialized Service Center Board within the Service Center Department to oversee the protection of the Service Center’s physical integrity;
· Maintaining a clearly defined ISSP, which prescribes measures to establish and enforce our security program, addresses each component of our information security (IS) position, and advances our objectives of protecting and managing risks to our data and security systems by establishing policies, standards, controls, procedures, and guidelines that address topics such as security and privacy governance; statutory, regulatory, and contractual compliance; business and disaster recovery; change management; identification and authentication processes; expectations for continuous monitoring; asset management; third-party provider management; endpoint security; and incident responses, among others;
· Conducting an annual self-assessment using the Cyber Risk Institute (based on the NIST Cybersecurity Framework) to review our cyber risk-management strategy and framework, assess the effectiveness and legal and regulatory compliance of our organizational cybersecurity policy, and evaluate our policies and procedures for identifying risks, protecting information, detecting security threats, responding to cyber incidents, executing recovery plans, and managing levels of external dependence and resiliency;
· Conducting regular cybersecurity training for our employees regarding security awareness, the proper use and handling of sensitive information, and the protocols in place to identify, assess, and manage any cybersecurity threats, and periodically testing employees’ cybersecurity knowledge, policy compliance, and response rates by engaging third-party providers to conduct internal social engineering campaigns;
· Engaging in security-incident preparedness simulations and completing disaster recovery and resilience tests designed to test and strengthen any vulnerabilities in our cybersecurity infrastructure;
· Employing robust encryption and anonymization technologies and other cybersecurity monitoring and auditing systems to fortify our cybersecurity framework, including through our Online Banking Enhanced Security Program, which requires the authorized users on a customer’s account to be validated and employs multi-factor authentication (MFA), which requires each of our retail and commercial customers to authenticate their identities by entering a secure access code that our MFA system automatically generates and sends to the customer each time there is an attempted login to the customer’s online banking account;
· Implementing MFA protections for our treasury customers by prohibiting their initiation of ACH transactions or wire transfers until they authenticate their identities using a security token that is generated and sent by our online-banking MFA system;
· Monitoring electronic mail and other network intrusion attempts with various tools to identify and stop intrusion and malware threats;
· Scanning and assessing vulnerabilities arising from software and hardware on our network infrastructure, ATMs, software applications, computers, copiers, and other electronic assets to ensure that vulnerabilities are identified and resolved in a timely manner;
· Establishing a risk-appetite profile, which we review at least annually to regularly assess our cybersecurity infrastructure and software systems in a manner that ensures we capture their current state and identify emerging risks that would require changes in our cyber environment;
· Leveraging internal and external auditors as well as security consultants to review the procedures, systems, and controls that comprise our ISSP to evaluate their design and operational effectiveness and to address any operational deficiencies or security weaknesses; and
· Maintaining an Incident Response Plan that establishes our procedures and standards for responding to actual or potential cybersecurity threats or incidents, which we review at least annually.
Furthermore, our IT security infrastructure and cybersecurity policies are designed to monitor and manage security risks associated with any third-party service providers, suppliers, software and hardware vendors, contractors, and consultants we collaborate with (hereinafter, collectively, Vendors) who might store, process, collect, share, create, transmit, destroy, or access any of our sensitive data. Our Vendor Management Policy establishes clearly defined requirements of engagements with Vendors and requires them to uphold similar security standards to those we internally require. Depending on their risk level, we may subject certain Vendors to heightened security requirements, such as enhanced risk assessments, ongoing monitoring, or additional contractual controls to restrict their levels of information access.
Governance
IT Cybersecurity Committee. As part of our cybersecurity governance framework and for purposes of establishing and maintaining our ISSP, we have established an IT Cybersecurity Committee (ITCC), which consists predominantly of members of our management team and IT department. The ITCC is subject to oversight by the Service Center Board, the Risk Committee, and the Board. The Risk Committee of the Board works directly with the ITCC to develop and implement our policies and procedures concerning cybersecurity and data protection. As stated in the Risk Committee Charter, our Risk Committee reviews management reports on the adequacy of our data-governance activities and IT security program; evaluates risks related to customer information, significant outsourcing with third parties or Vendors, and operational outsourcing arrangements; reviews, evaluates, and updates our data-governance framework, processes, and systems for identifying, assessing, and managing data risks that impact critical business operations; and reviews and evaluates our overall risk-management framework.
The ITCC meets at least quarterly to discuss its oversight of our cybersecurity policies and procedures, risk-management practices and controls, and efforts to mitigate and prevent cybersecurity risks. The ITCC may meet more frequently if required by our Incident Response Plan to facilitate timely response, monitoring, risk management, and recovery efforts. The ITCC is also charged with periodically reporting to management, the Board, and the Risk Committee on the status and results of our compliance with our security program, the results of security assessments, and the effectiveness of remediation activities.
Other Committees. In addition to the ITCC and the Risk Committee, we have established a Technology Committee, a Senior Management Committee, and a Business Continuity and Disaster Recovery (BC/DR) Committee. Each oversees aspects of our ISSP and coordinates with the ITCC to implement various cybersecurity procedures.
Chief Information Security Officer. In addition to establishing the ITCC and other committees, we designated a Chief Information Security Officer (CISO) to oversee all aspects of our IS policies, procedures, and controls. Our CISO reports to our Senior Management Committee, the ITCC, the Risk Committee, and the Chairman of the Board. At least annually, the CISO presents all of our IS policies to the Board. The CISO is also tasked with maintaining an effective Security Awareness Program and providing training to our management, Board, and employees on an annual basis. Additionally, the CISO meets with our Audit Committee on a quarterly basis to inform them of material cybersecurity-related regulatory updates and with our full Board on a monthly basis to discuss and provide pertinent regulatory information.
Procedures Governing our Cybersecurity Incident Responses. Our multi-layered, cross-functional approach to cybersecurity governance provides adequate checks and balances on the implementation of our cybersecurity protocols, enables us to effectively monitor both internal and external cyber risks, and allows for the swift escalation of any potential cybersecurity incidents to the appropriate levels of management so that assessments concerning materiality, potential disclosure, and possible responsive actions can be timely made. Our approach to cybersecurity governance is modeled in the Incident Response Team (IRT) that we have established to timely address cybersecurity incidents and minimize any disruptions to our business operations and customer activities caused by cyber threats or attacks. Designated IRT personnel are available 24 hours per day, seven days per week to respond to potential incidents. Having an integrated team for incident response facilitates information sharing, which allows organizational personnel, including developers, implementers, and operators, to leverage the team’s knowledge of the threat in order to implement defensive measures that will deter intrusions more effectively. In the event of a potential cybersecurity incident, our IRT is responsible for implementing our Security Incident Response Policy, in accordance with which the following steps occur:
· After becoming aware of a potential cybersecurity incident, our IT Service Desk reports the incident and any pertinent information to our CISO. Our IT Service Desk is the central point of contact for reporting computer incidents or intrusions.
· The CISO then conducts a preliminary analysis of the incident and determines whether activating the full IRT is warranted. Types of incidents that would generally require the activation of our IRT include but are not limited to a breach of personal information, a denial-of-service (DoS) or distributed DoS attack, excessive port scans, a firewall breach, or a virus or malware outbreak.
· If the type of incident or the threat created by the incident necessitates a full-scale response by the IRT, the CISO notifies a team of network and security engineers, security analysts, and Windows / Unix / Linux systems administrators (collectively, the IT Security and Engineering Teams).
· At the CISO’s direction, the IT Security and Engineering Teams gather intel regarding the incident and take pre-planned steps to mitigate harm, address system weaknesses, and block ongoing threats. For example, our network engineers analyze network traffic for external attacks, search for signs of a firewall breach, and take action to block a suspected intruder’s network traffic; our security analysts and engineers look for indications of an attack or suspicious activity by monitoring and reviewing the network activity of our business applications and the audit logs of our mission-critical servers; and our systems administrators examine system logs of our critical systems for any abnormal activity, confirm our mission-critical computers are up to date on all service packs and patches, and ensure backups have been created for our critical systems.
· The CISO reports the incident to our executive management team, Service Center Board, and ITCC.
· Our CISO, executive management team, Service Center Board, and ITCC evaluate the type and severity of the incident, review applicable legal and regulatory requirements for disclosing cybersecurity incidents, and determine whether, when, and to whom the incident must be reported.
Procedures Governing our Third-Party Vendor Relationships. Similar to our governance approach with respect to responding to cybersecurity incidents, we have implemented a layered, collaborative governance system to manage our third-party Vendor relationships and to implement our Vendor Management Policy. Prior to working with any Vendor, we conduct a comprehensive security screening to evaluate the Vendor’s security protocols and identify any potential vulnerabilities that could compromise our sensitive data. At least annually, we also perform a security assessment of the Vendor to identify any change in the Vendor’s security posture that may negatively impact the security of our information systems. Our CISO or other designated IS personnel oversees and makes a final recommendation regarding the Vendor security assessments, determines the necessity of Vendor site visits, and coordinates and provides a final report on any site visit that occurs. Our Vendor relationships are monitored by our Vendor Management Department, the day-to-day operations of which are led by our Vendor Manager. In coordination with the applicable Business Unit Manager, the Vendor Manager categorizes and ranks the risks presented by our Vendors, performs Vendor due diligence, and provides periodic reports to our Board and Risk Committee concerning Vendor risk management. Before entering into any Vendor contract, the Business Unit Manager that will be contracting for the Vendor’s service or product must perform a thorough risk evaluation. In addition to working alongside the Vendor Manager to categorize and rank Vendor risks, the Business Unit Manager participates in contract review and negotiations, establishes performance-monitoring controls, and completes Vendor reviews. The CISO or other designated IS personnel may participate with the Business Unit Manager in contract negotiations as needed.
Procedures Governing our Corporate Account Takeover Responses. Like our approaches to responding to cybersecurity incidents and managing our Vendor relationships, our strategy for managing corporate account takeover (CATO) threats integrates organizational operations at multiple governance levels involving our Board, executive management team, members of our Senior Management of Electronic Banking Services (EBS Management Team), an Electronic Banking Services Manager (EBS Manager), and our CISO. Our Board reviews our CATO Policy for compliance with the Texas Department of Banking standards for the risk management of CATOs and charges our EBS Management Team with the responsibility of determining necessary courses of action to ensure adherence to applicable guidance and regulations. Our EBS Management Team also ensures that our CATO Policy is understood and complied with across all of our operational divisions. Some of the responsibilities of our EBS Manager include developing, implementing, and maintaining policies and procedures to comply with our CATO Policy; coordinating the performance of periodic risk assessments of IBC Link, our online banking product; establishing trainings for IBC Link customers regarding security controls that mitigate CATO risks; reporting CATO incidents to executive management; and coordinating with our management team and IBC Link customers if an actual or threatened CATO attack is identified. Our CISO is responsible for ensuring appropriate security controls are implemented to prevent, detect, and respond to CATOs, establishing incident-response procedures to be employed if a CATO threat is in progress, and timely notifying our primary federal regulator of any CATO incidents that are required to be disclosed to comply with applicable laws, regulations, and CATO Policy procedures.
Notwithstanding the robust nature of our defensive measures and security processes and the multi-layered governance system that we have established to mitigate, monitor, analyze, and respond to incidents, cybersecurity threats are increasingly difficult to detect, and the risk of a data breach or cyber-attack is pervasive and severe. While we do not believe our business strategy, results of operations, or financial condition have been materially adversely affected by any cybersecurity threats or incidents, there is no assurance that we will not be materially affected by such threats or incidents in the future. We will continue to monitor cybersecurity risks, stay apprised of changes in the cyber environment, and invest in strengthening our cybersecurity infrastructure. For additional information on our risks related to cybersecurity, please see “Risk Factors—Risks Related to Our Business—Our information systems may experience an interruption or breach in security.”