GLACIER BANCORP, INC. - (GBCI)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity

Cybersecurity has become a significant issue for financial institutions around the globe, and the Company is no exception. The Company’s management has integrated cybersecurity issues into the Company’s overall risk management system by making cybersecurity risk a key focus of its internal Strategic Technology Committee, Enterprise Risk Management Committee, and Board Risk Oversight Committee. These committees are provided regular updates on the Bank’s cybersecurity risk management program.

The Company has implemented a variety of mechanisms that are designed to detect, identify, assess, manage, and respond to material risks from cybersecurity threats. The Company’s processes for identifying, assessing, and managing cybersecurity risks include:

a rigorous internal audit process to evaluate the Company’s cybersecurity strategies, with the Audit Committee apprised of risks or control failures that are identified during the audit;
participation in multiple peer-sharing networks to obtain industry-wide intelligence regarding specific cybersecurity threats and industry best practices to minimize cybersecurity risks;
participation in simulated cyber-event tabletop exercises designed to test the Company’s incident response capabilities and the robustness of its cybersecurity program;
an information security program that is regularly reviewed, tested, and updated, and includes vulnerability and patch management programs, incident response planning, security monitoring, employee training, and security awareness testing;
cybersecurity insurance to mitigate the financial impact of a cybersecurity incident on the Company’s business and financial condition; and
periodic regulatory examinations that include an assessment of the Company’s cybersecurity management, processes, and controls.
In addition to the internal programs outlined above, the Company engages with external cybersecurity experts to conduct thorough evaluations of the Company’s cybersecurity processes and controls. These third-party consultants conduct periodic comprehensive vulnerability and penetration testing, alongside audits of high-risk technology systems designed to evaluate the efficacy of the Company’s cybersecurity measures. The Company has also retained a third-party cybersecurity firm to assist with the Company’s response to any future cybersecurity breaches.

In order to identify material risks from cybersecurity threats associated with the use of third-party service providers, such as bank operations technology, payroll and benefits administrators, and professional service providers, the Company has established a dedicated department within its Enterprise Risk Management division. This department manages third-party risk and, together with the Bank’s Information Technology Department, evaluates the cybersecurity risks associated with the Company’s third-party service providers.

The Board's Risk Oversight Committee is responsible for oversight and monitoring of the Company’s cyber risk management profile and related programs. In an effort to ensure transparency and provide appropriate oversight and monitoring, the Chief Risk Officer and Chief Information Security Officer present detailed reports to the Risk Oversight Committee on a quarterly basis. These reports address the current landscape of cybersecurity threats, any notable recent incidents, and a summary of emerging cybersecurity trends. The Board is also regularly furnished with key risk indicators and defined risk parameters with respect to the Company’s cybersecurity program. The Board reviews and approves the Company’s cybersecurity policies at least annually.

Management's role in assessing and managing material risks from cybersecurity threats is an important and multifaceted component of the Company’s cybersecurity. Appropriate members of the Company’s senior management, including the Chief Information Security Officer (“CISO”), Chief Risk Officer (“CRO”) and Chief Information Officer (“CIO”), are responsible for assessing and managing cybersecurity risks, which involves an ongoing process of identifying, analyzing, evaluating, and addressing the Company's cybersecurity threats.

The Company employs management and staff members who hold top cybersecurity certifications and have acquired the expertise needed to manage the Company’s cybersecurity program, including a range of technical skills such as intrusion detection, network security control, security incident management, and risk assessment. These management and staff members also participate in structured ongoing training to keep current with industry trends and cybersecurity threats.

The CISO has a degree in Business Administration, Finance, and Risk Management from Washington State University. The CISO has over 23 years of experience in cybersecurity and information security. The CISO has maintained a Certified Information Systems Security Professional (CISSP) certification for over 18 years.

The CRO has a degree in Business Administration and Finance from the University of Montana. The CRO has over 20 years of combined experience with financial institution risk management, including prior experience as a bank regulator and a credit risk management consultant.

The CIO has dual degrees in Accounting and Computer Science from the University of Montana. The CIO has over 30 years of experience managing information technology at the Company.

The processes by which the relevant members of management are informed about and manage the prevention, detection, mitigation, and remediation of cybersecurity incidents include conducting cybersecurity risk assessments, establishing network access controls, creating a vulnerability management program, and continuous monitoring for threats.

The Company is not aware of any current cybersecurity threats that are reasonably likely to materially affect the Company’s business strategy, results of operations or financial condition.


See “Item 1A. Risk Factors” for additional information regarding the risks we face from cybersecurity threats.