FIRST FINANCIAL BANKSHARES INC - (FFIN)
10-K Filing Date: February 23, 2024
Risk Management and Strategy
The Company’s Information Security Program (“Program”) uses a variety of safeguards to protect the confidentiality, integrity, and availability of information. The Program is designed to identify, prevent, or mitigate the risks from cybersecurity threats. The Program leverages recognized security frameworks, such as those of the National Institute of Standards and Technology (NIST) and the Federal Financial Institutions Examination Council (FFIEC), to organize, improve, and assess the Program and to better manage and reduce cybersecurity risk. The Program is assessed and updated annually and as needed.
The Program is integrated into the Company’s enterprise risk management program. The Company regularly assesses the threats and vulnerabilities to its environment so it can update and maintain its systems and controls to effectively mitigate these risks. Layered security controls are designed to complement each other to protect customer information and transactions. The Company periodically engages third-party experts and consultants to conduct evaluations of our security controls, whether through penetration testing, audits, assessments, or consulting on best practices to address new challenges. Results are used to help drive priorities and initiatives to improve the Program. Additionally, because the Company is a regulated entity, bank regulators assess the quality of our information security program, and its compliance with federal regulations and requirements, during their regular examinations of the Company.
The Company’s third-party risk management program is designed to oversee and identify the cybersecurity threats associated with the use of third-party service providers. While visibility into a third party’s operations is limited, the Company performs risk-based evaluations of third-party service providers. These evaluations include reviewing information such as, but not limited to, security assessment questionnaires, security testing summaries, audit reports performed under the SSAE 18 Audit Standard, and information security policies.
We view security awareness as a continuous program. All Company employees receive cybersecurity and fraud training at required new employee orientation and subsequently receive information security tips via email each business day. Employees also receive monthly security awareness video training and are required to complete annual computer-based training. The Company also provides information security awareness training to business customers and individuals in our communities.
During the fiscal year of this Report, the Company has not identified risks from cybersecurity threats that individually or in the aggregate have materially affected or are reasonably anticipated to materially affect the organization. Nevertheless, the Company recognizes cybersecurity threats are ongoing and evolving, and we continue to remain vigilant.
Governance
The Company’s system of internal controls also incorporates a protocol for the appropriate reporting and escalation of information and cyber security matters to management and the Board of Directors for resolution and, if necessary, disclosure of any material incidents. The Board of Directors is actively engaged in the oversight of the Company’s continuous efforts to reinforce and enhance its operational resilience and receives education to enhance its oversight efforts and to account for the ever-evolving information and cyber security threat landscape. The Chief Information Security Officer (“CISO”) regularly updates the Board and its relevant committees on the information and cyber security risks, threats, exposures, and mitigation measures. The Company’s incident response process is periodically tested and includes cybersecurity scenarios.
The Program is included in the Company’s enterprise risk management program. The CISO is responsible for developing and implementing our Program and reporting on cybersecurity matters to the Board. Our CISO has over 20 years of related experience, and others on our Corporate Information Security team have cybersecurity experience or certifications, such as the Certified Information Systems Security Professional certification. We view cybersecurity as a shared responsibility, and we periodically perform simulations and tabletop exercises at a management level and incorporate external resources and advisors as needed.
The Program is overseen by the Company’s Risk Committee, the First Technology Services Board of Directors, the Technology Risk Committee, and the Security Advisory Committee. Additionally, the First Financial Trust and Asset Management Board of Directors oversees the Program as it relates to the trust subsidiary. Operational committees that manage risks associated with cybersecurity are the Change Control Committee and the Patch Management Committee.
The Company’s Board of Directors and the subsidiary technology and trust companies’ Boards of Directors monitor the Program, including its policies and practices. The Company’s Risk Committee and the technology company’s Board of Directors oversee areas of operational risk such as information technology activities; risks associated with development, infrastructure, and cybersecurity; oversight of information security risk assessments, strategies, policies, and programs; and the disaster recovery, business continuity, and incident response processes. The CISO also provides periodic cybersecurity updates to the Audit Committee, and the Audit Committee Chairman is a member of the Risk Committee. The management-level Technology Risk Committee and Security Advisory Committee oversee management of the Program and related assessments.
We face a number of cybersecurity risks in connection with our business. Although such risks have not, to date, materially affected us, including our business strategy, results of operations or financial condition, we have from time to time experienced threats to and breaches of our data and systems, including malware and computer virus attacks. For more information about the cybersecurity risks we face, see the risk factors entitled “Disruptions in our information technology systems or a compromise of security with respect to our systems could adversely affect our operating results by limiting our ability to effectively monitor and control our operations, adjust to changing market conditions, implement strategic initiatives or support our customer transactions” and “Our business may be adversely affected by security breaches at third-parties” in Item 1A - Risk Factors.