Midland States Bancorp, Inc. - (MSBI)
10-K Filing Date: February 23, 2024
ITEM 1C – CYBERSECURITY
We rely extensively on various information systems and other electronic resources to operate our business. In addition, nearly all of our customers, service providers and other business partners on whom we depend, including the providers of our online banking, mobile banking and accounting systems, use these systems and their own electronic information systems. Any of these systems can be compromised, including through intentional acts or carelessness by employees, customers and other individuals who are authorized to use them, and by criminals, who often use a sophisticated and constantly evolving set of software, tools and strategies to do so. The nature of our business, as a financial services provider, and our relative size, make us and our business partners high-value targets for these bad actors to pursue, and any intrusion into our systems could result in material financial losses and operational problems. See “Operational, Strategic and Reputational Risks.”
Accordingly, we have developed an information security program and devoted resources for assessing, identifying and managing risks associated with cybersecurity threats, including:
• established a dedicated internal cybersecurity team that is responsible for conducting regular assessments of our information systems, existing controls, vulnerabilities and potential improvements;
• implemented continuous monitoring tools and a third-party Security Operations Center that can detect and respond to cybersecurity threats in real time;
• perform ongoing due diligence with respect to our third-party service providers, including their cybersecurity practices, and require contractual commitments from our service providers to take certain measures to mitigate their cybersecurity risk;
• retain third-party cybersecurity consultants who conduct periodic penetration testing, vulnerability assessments and other procedures to identify potential weaknesses in our systems and processes;
• conduct frequent cybersecurity training and testing for our workforce;
• provide our board of directors with regular updates regarding threat levels, including analyses that demonstrate the overall cybersecurity posture and health of the organization;
• engage in periodic assessments of our cyber resilience with the Cybersecurity and Infrastructure Security Agency (CISA);
• conduct scheduled reviews of our Incident Response Plan to assess our responsiveness during a cybersecurity event or ransomware attack; and
• maintain a third-party vendor management program, which includes requirements for how our partners transmit, store and use bank information.
This information security program is a key part of our overall risk management system, which is administered by our Chief Risk Officer and Chief Information Security Officer. The program includes administrative, technical and physical safeguards to help ensure the security, integrity and confidentiality of customer records and information, and prohibit unauthorized access to our critical operating systems. These security and privacy policies and procedures are in effect across all of our businesses and geographic locations.
From time to time, we have identified cybersecurity threats and cybersecurity incidents, including with respect to our commercial customers and vendors, that required us to make changes to our processes and implement additional safeguards. While none of these identified threats or incidents have materially affected us, it is possible that future threats and incidents could have a material adverse effect on our business strategy, results of operations and financial condition, even if the threat or incident is promptly identified and countermeasures are implemented. Such events could lead to direct financial loss or require the expenditure of significant amounts to obtain the release of critical data and/or restore our operating systems or those of our customers and/or vendors if the incident was the result of a security breach for which we are held legally responsible.
Our management team, including our Chief Information Security Officer, is responsible for the day-to-day management of the risks we face. Our Chief Information Security Officer has 20 years of information technology and information security experience and, before joining our Company, held the positions of Chief Technology Officer and Director of IT and Information Security Officer at his prior places of employment.
In addition, our board of directors, as a whole and through its Risk Policy & Compliance Committee (the “Risk Committee”), is responsible for the oversight of risk management. In that role, our board of directors and Risk Committee, with support from the Company’s cybersecurity advisors, are responsible for ensuring that the risk management processes designed and implemented by management are adequate and functioning as designed. To carry out those duties, both our board of directors and the Risk Committee receive quarterly reports from our management team, including from our Chief Risk Officer and our Chief Information Security Officer regarding cybersecurity risks, and the Company’s efforts to prevent, detect, mitigate and remediate any cybersecurity incidents.