PARK NATIONAL CORP /OH/ - (PRK)
10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY
Park assesses, identifies, and manages risks from cybersecurity threats consistent with its broader risk management and operations systems, processes, and controls. Park’s information security and cybersecurity operations teams have primary responsibility for guarding against cybersecurity threats. The teams employ numerous security tools, such as those for threat detection, alerting and monitoring, data loss prevention, and vulnerability remediation, including end-point protections, web proxy, anti-malware, and email security protections. Park uses multi-factor authentication for computer and mobile devices, encryption technology, and requires virtual private network access to Park’s network for all remote employees. Park engages in annual recovery and information security tabletop exercises to simulate threats and events. Park engages third parties on an annual basis to conduct and report on penetration testing exercises. Park administers mandatory security awareness training to all associates on a monthly basis, enhanced administrator access training for security-related positions on an annual basis, and routinely administers employee email phishing testing and training. Topics of training include escalating suspicious activity, malware, insider threats, and email security.
Park maintains a third-party risk management program that is designed to evaluate, monitor and control risks connected with third-party vendors, particularly those vendors with access to or possession of sensitive information. The third-party risk management program solicits diligence materials from vendors and conducts internal risk assessments for vendors, including with regard to information security policies, practices, testing, and reporting. Diligence and internal risk assessments for vendors include analysis specific to the vendor’s transmission and storage of information, encryption practices, security appliances, vulnerability testing, and past security incidents. Vendor contract negotiations involve data protection terms and responsibilities regarding information breach notifications and reporting.
In designing and carrying out cybersecurity controls, Park follows the National Institute of Standards and Technology Cybersecurity Framework for measuring readiness to respond, Sarbanes-Oxley for assessment of internal controls, the Gramm-Leach-Bliley Act regarding information security, the Office of the Comptroller of the Currency’s Cybersecurity Supervision Work Program, Interagency Guidance on Third-Party Relationships: Risk Management, other applicable regulatory guidelines, and federal and state laws.
Park’s Board of Directors recognizes the importance of cybersecurity in safeguarding sensitive information. The Board Risk Committee is responsible for overseeing Park’s Enterprise Risk Management program which includes responsibility for cybersecurity. The Park information security and business continuity teams, both part of Park’s Enterprise Risk Management, manage and oversee the Incident Response Plan and Cybersecurity Response Playbook. The Incident Response Plan and Cybersecurity Response Playbook guide Park’s response to cybersecurity issues and events. The Board Executive Committee is engaged in the final determination of whether a cybersecurity issue or event is material, as discussed below. Park’s Board of Directors is regularly apprised of cybersecurity risks. Park’s information security team prepares and issues a quarterly report to the full Board of Directors on the status of incidents, health of program, penetration testing results, and risk assessments. Park’s cybersecurity operations team also prepares and issues a quarterly report to the full Board of Directors identifying cybersecurity trends, internal data, issues, events, and key-risk indicator metrics.
Park’s information security and cybersecurity operations teams have defined escalation paths for issues and events, which include engaging Park’s Incident Response Plan, and working issues and events through Park’s Cybersecurity Response Playbook. Evaluation of escalated events is performed first by the Information Security Officer and Chief Legal Officer, who track and log cybersecurity incidents across Park and Park’s vendors. Any incident assessed as potentially being or becoming material is further escalated to a leadership team that includes the Chief Financial Officer, Chief Operations Officer, Chief Risk Officer, Chief Information Officer, and Chief Accounting Officer. Events that leadership determines may be material are shared with the Board of Directors’ Executive Committee for final review and evaluation. Park engages teams, including but not limited to information security, information technology, and fraud and security, to address and remediate cybersecurity events and issues as they arise. Park engages outside legal counsel for assistance in evaluating and remediating cybersecurity issues and events. Information regarding issues and events is also shared by Park leadership with both internal and external auditors.
Park’s business strategy, results of operations, and financial performance have not been materially affected by risks from cybersecurity threats. Park cannot provide assurance that business strategy, results of operations, or financial performance will not be materially affected in the future by such risks or any future incidents.