RENASANT CORP - (RNST)
10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
General. The Company’s information security program, including its processes with respect to cybersecurity, is focused on protecting our systems, networks and data from unauthorized access by a third party. Concerns about cybersecurity risks impact, at some level, every facet of the Company’s operations, from the way we structure the services we offer, to how we communicate with our customers, to our interactions with and training of employees, and to the expenditures we make when expanding and enhancing our technological infrastructure. We expect this to continue to be the case as cybersecurity threats, and the means to respond to those threats, continue to evolve.
The Company has adopted a defense-in-depth philosophy that relies on multiple systems and processes to reasonably provide for the confidentiality, integrity and availability of our systems, networks and data. Features of our information security include:
• Documentation: We have written policies and procedures that delineate the roles and responsibilities of the Company’s Board of Directors, executive management and other employees, as well as outside parties, with respect to the various aspects of the information security program. This documentation helps to align the entire information security program with our efforts to maintain the integrity of the Company’s cybersecurity. These policies and procedures are reviewed and updated at least annually.
• Separation of duties: Separation of duties means that, where appropriate, a task is designed to ensure that more than one person or group is responsible for its completion. We believe that separation of duties helps to prevent fraud, misuse or other security compromise, and we apply this concept when we delegate administrative and oversight responsibilities to multiple groups for certain aspects of the information security program, including identity and access management, network management, system administration, policy oversight, monitoring and alerting.
• The principle of least privilege: Access approval for the Company’s employees is coordinated between an employee’s manager, the Company’s human resources department and the information systems administrator. The goal is to give an employee access rights to our data, applications and other information resources only to the extent necessary for the employee to perform the functions of the particular job. Any change in employment responsibilities that requires access changes is implemented using the same access approval procedures. Finally, all remote access into the Company’s networks must include approval by the Chief Information Security Officer (which we refer to as the “CISO”).
• Vulnerability and patch management: The Company’s vulnerability management program includes internal and external scanning using third-party tools and services. Software patches are deployed based on criticality of vulnerability. Further, we track our performance in implementing patches, and if implementation timing falls below performance expectations, management will take steps to identify and remediate the root causes of implementation delays.
• Risk assessments: At least annually, management conducts risk assessments to assess the existence, severity and trends of cybersecurity risks and other risks that the Company’s information security program faces. The scope of an individual risk assessment can be the whole organization, parts of the organization, an individual information system, specific system components, or services.
• Log management: System security logs are consolidated by the Company’s Security Incident and Event Management system and are reviewed via both automatic and manual processes for anomalous behavior.
• Incident response: The incident response process is designed to, among other things, promptly elevate a cybersecurity threat or incident to the parties responsible for leading our efforts to identify, contain and mitigate the threat or incident, notify impacted customers or other third parties and comply with applicable law, regulations and regulatory expectations.
• Employee training: Information security is an integral component of our employee training program. Training includes efforts to maintain security awareness among employees at all times by means of company-wide communications of cybersecurity risks or incidents affecting third parties, internal testing and similar efforts.
The information security program applies to all of the Company’s business lines and employees as well as to vendors and other third parties with access to the Company’s information systems or its confidential and proprietary information. Whenever we consider a new product or service to offer to our clients, or a new means of offering or providing an existing product or service, or a new back-office process or procedure, the implications to the Company’s information security are required to be considered.
Our CISO, a Certified Information Systems Security Professional, leads the Company’s information security team, which has over 50 years’ combined experience in providing solutions to manage information security, compliance, privacy and technology management. The Board of Directors’ Technology Committee and its Enterprise Risk Management Committee oversee our information security team, receiving regular updates related to the material features of the information security program, our success and failures in maintaining information security and emerging threats and management’s proposed response thereto.
Strategy and Testing. As mentioned above, the Company employs a layered, defense-in-depth approach that leverages people, processes and technology to manage and maintain cybersecurity controls. We also employ a variety of preventative and detective tools to monitor, block and provide alerts regarding suspicious activity and to report on any suspected threats. These controls include appropriate access controls based on least privilege, multifactor authentication for remote and privileged access, and encryption to protect data. The information security program is designed to comply with applicable laws and regulations and is driven by industry standards for financial institutions, including the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity Assessment Tool, as well as by the guidance promulgated by the National Institute of Standards and Technology (“NIST”). We work closely with government and industry associations to stay abreast of developments and share best practices with respect to cybersecurity. The following paragraphs describe how we test, or otherwise obtain feedback about, the Company’s cybersecurity and other information security. The feedback we develop through testing and assessment, in addition to information about cybersecurity threats or incidents impacting other entities, is incorporated into the Company’s information security program to enhance our cybersecurity; in certain circumstances a new or emerging cybersecurity threat may require modifications to how we conduct business.
The Company’s information security team utilizes the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security version of the FFIEC Cybersecurity Assessment Tool to perform an annual assessment of our information security program. The assessment provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time. The assessment incorporates cybersecurity-related principles from the FFIEC Information Technology Examination Handbook and regulatory guidance, and concepts from other industry standards, including the NIST Cybersecurity Framework.
The assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. The Cybersecurity Maturity aspect of the assessment is designed to help management measure the institution’s level of risk and corresponding controls. The levels range from baseline to innovative. Cybersecurity Maturity includes tests to determine whether an institution’s behaviors, practices and processes can support cybersecurity preparedness within the following five domains:
• Cyber risk management and oversight
• Threat intelligence and collaboration
• Cybersecurity controls
• External dependency management
• Cyber incident management and resilience
We also retain third parties to test the effectiveness of our cybersecurity efforts. Annually, we obtain independent third-party audits of the information security program, including program maturity and overall control effectiveness. In addition, multiple times over the course of each year we engage third-party security firms to conduct both external and internal penetration tests. The goal of these assessments is to discover vulnerabilities in the Company’s in-scope corporate networks. When testing reveals potential vulnerabilities in the Company’s security, management works to develop appropriate mitigation plans to resolve any outstanding issues; we also consider other recommendations to enhance our cybersecurity that these security firms may offer, implementing those that management concludes are appropriate within the context of the Company’s information security program and processes.
In addition to audits and testing by third-party security firms, our information security program and infrastructure are subject to continuous supervision by the FDIC and the DBCF, including an annual in-depth examination by subject-matter experts from the FDIC and DBCF. The laws and regulations that these regulators administer impose very high expectations on the Company with respect to its information security policies, procedures, processes and controls. In particular, the Interagency Guidelines Establishing Information Security Standards (the “Guidelines”) require us to implement a comprehensive written information security program that includes administrative, technical and physical safeguards designed to (1) ensure the security and confidentiality of customer information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and (4) ensure the proper disposal of customer information and consumer information. We also must comply with the information sharing requirements and restrictions enacted pursuant to the GLBA. The regulators’ continuous supervision of the Company is designed to ensure, among other things, that our information security program meets all the standards set forth in the Guidelines and that we operate in compliance with the GLBA and all other applicable information security laws and regulations. Finally, in addition to external scrutiny, our internal audit department reviews our compliance with the Guidelines, the GLBA and other laws and regulations, including those related to information security. If any of these examinations identify deficiencies or areas for improvement, the Company’s information security team works with management to act as promptly as reasonably possible to address the action items resulting from any such examination or review.
Diligence of Vendors and Other Third Parties. As noted above, the Company’s information security program applies to our vendors and other third parties (referred to collectively as “vendors”) with access to our information systems and networks and/or confidential and proprietary information. Before we grant access to the Company’s systems or a vendor otherwise obtains access to the Company’s confidential and proprietary information, our information security team assesses the vendor’s information security program. We review the vendor’s information security policy (to the extent the third party is willing to provide a copy of such policy), information security audits, service organization reports and similar information as well as examination reports of the vendor if available from the banking regulators or other governmental entities; the team will also investigate the background, reputation and history of prior cybersecurity incidents of such vendor or other third party. If the information security team is not satisfied that the vendor’s information security infrastructure is adequate to reasonably protect the Company’s systems and confidential and proprietary information from unauthorized access, and there is no suitable solution to address the information security team’s concerns, then we will not engage such vendor.
The vendors we retain are also categorized by the level of risk that the vendor presents to us, of which information security risk is a component. The information security team annually reviews those vendors in the “high risk” category and periodically reviews other vendors. This review includes obtaining updated information security audits and service organization reports, where available, and otherwise analyzing whether the vendor’s cybersecurity risk profile has materially changed.
The information security team’s review process does not, and cannot, guarantee that a Company vendor will not suffer a cybersecurity incident that impacts us. Due to the possibility that a vendor’s information security may be breached, we also negotiate provisions in vendor contracts that address cybersecurity incidents. In addition to including provisions that address the parties’ relative responsibility for damages resulting from a cybersecurity incident at a vendor, these contracts also typically include provisions to ensure that the Company receives timely and complete notification of a cybersecurity incident and cooperation in responding thereto, so that we can assess the extent of the incident’s impact on the Company’s systems or information, mitigate any adverse effects arising therefrom and comply with any customer or regulatory notification requirements and other legal, regulatory or contractual obligations.
Incident Response. For those situations where a cybersecurity threat or incident arises, whether internal to the Company or relating to one of its vendors, we have also organized an incident response team. The incident response team includes representatives from the information technology, operations, risk management, legal (including securities law counsel), privacy and finance departments, among others. In addition to meeting quarterly, the incident response team (or a subset of the team) gathers whenever there is a threatened or actual breach of the Company’s information security (whether involving an external actor or an internal party) to determine the nature and extent of the threatened or actual breach and, if appropriate, the steps to take in response thereto to protect the Company’s information security and mitigate any harm that has already occurred. The team is also responsible for ensuring the Company complies with legal and regulatory requirements (including notifying affected customers and regulators and making any filings required by the securities laws). The activities of our incident response team are reported to the Board’s Enterprise Risk Management Committee.
The Company also maintains a cyber insurance policy that provides cyber liability coverage.
Employee Training and Security Awareness. All employees are required to complete an annual security awareness training program. Courses within the training program include general cybersecurity best practices as well as a course specifically related to social engineering, email and social media security. The Company also conducts routine internally-focused exercises to help raise employee awareness of the risks associated with cybersecurity. For example, over the course of 2023, employees received at least one email per quarter designed to test employees’ ability to identify and avoid potential “phishing” emails, and those employees that fail this phishing test are assigned additional training. In addition, annually the Company’s incident response team engages in a cyber attack tabletop exercise designed by the Financial Services Information Sharing and Analysis Center that helps to train the incident response team in overcoming a simulated attack against Renasant’s payment systems and processes.
Governance and Oversight
Management Role. The Company takes a layered approach to the governance of its cybersecurity risk management. The first line of defense against cybersecurity risk is the Company’s information security team, led by the CISO. This team is primarily responsible for promptly identifying cybersecurity risks associated with our existing and anticipated operations and, once identified, assessing the level of risk that each cybersecurity risk poses to us, and then controlling or mitigating that risk to the extent reasonably possible (in the context of the Company’s operations and resources, and competitive factors affecting how banks and other financial services companies conduct operations, among other things).
The efforts of our information security team to address cybersecurity risk are reviewed by the Company’s Risk Department, which oversees our enterprise risk management program. The department focuses on the quality of the Company’s risk management process in order to manage risks within acceptable tolerance levels. As it pertains to cybersecurity risk, the Risk Department challenges the processes that the information security team has implemented to identify, assess, control and mitigate cybersecurity risk. The department collaborates with the CISO and other business unit owners impacted by our cybersecurity risk management practices to develop and monitor controls and other processes that mitigate identified risks. In addition, the Risk Department conducts independent risk evaluations related to cybersecurity risk.
The primary means by which the Risk Department evaluates cybersecurity risk is the development, in conjunction with the information security team, of risk metrics related to cybersecurity as well as risk tolerances with respect to each such metric. Risk tolerances are set such that the overall cybersecurity risk presented to us is consistent with the risk appetite statement adopted by our Board annually. Management believes these metrics provide a holistic picture of the Company’s cybersecurity risk profile, but at the same time, we recognize that, given the continual evolution of cybersecurity risks, including the tools and vectors that bad actors take to compromise a company’s information security, our risk metrics cannot remain static. At least annually, the Risk Department meets with the CISO to assess whether the risk metrics, and the tolerances for each metric, remain appropriate in light of the Company’s operations and the cybersecurity threat environment.
As the third line of defense against cybersecurity risk, our Internal Audit Department, with the assistance of outside experts, annually reviews and tests the Company’s processes, including its policies, procedures and controls, with respect to cybersecurity risk. The Internal Audit Department reports the results of its review, including the steps management intends to take to address any findings, to the Audit Committee of the Board of Directors.
Finally, as a means to ensure that our senior executive management has an integrated understanding of the cybersecurity and other risks facing the Company at any particular time, the Company has organized a Management Enterprise Risk Management Committee (the “management ERM committee”). Our Chief Risk Officer leads this committee, whose membership includes the Company’s President and the leaders of our major business lines and back-office functions. Among other things, the management ERM committee reviews the Company’s cybersecurity and other risk metrics and the direction in which each risk is trending (increasing risk or decreasing risk), both in isolation and in the context of other existing and emerging risks facing the Company, and the status of risk mitigants therefor. We believe that this committee helps management better focus its efforts to minimize cybersecurity risk and that it assists in more focused reporting of cybersecurity risks to the Board of Directors.
Board Oversight. The Company’s Board of Directors primarily oversees the risks related to our technological infrastructure, information security, cybersecurity, business continuity and disaster recovery programs through its Technology Committee and its Enterprise Risk Management Committee (the “ERM Committee”). These committees meet quarterly, and their activities are reported to the full Board of Directors.
The Technology Committee is responsible for the oversight of Renasant’s strategies and operations with respect to information technology. Although this committee’s focus is broader than just information security and cybersecurity risk, at each meeting the CISO reports to the committee on, among other topics, the status of any cybersecurity and network security initiatives designed to enhance the Company’s cybersecurity, emerging cybersecurity risks that may not yet be addressed by the existing risk metrics and management’s plans to mitigate such risks, and employee training on cybersecurity and related issues.
The ERM Committee incorporates the assessment, monitoring and mitigation of cybersecurity risk into its monitoring of the Company’s broader enterprise risk management function. At each meeting of the ERM Committee, the Chief Risk Officer reports on the status within established tolerances of each risk metric as well as the assessment of the direction such metric is trending. These metric reports give the ERM Committee a broad view of the aggregate cybersecurity risk that the Company faces at any particular time, insight into any particular areas of risk as well as an opportunity for the ERM Committee to discuss with management the steps taken or to be taken to address risks that are out of tolerance or trending in that direction. In addition to this report, the CISO’s report to the Technology Committee is included in the materials for ERM meetings. The chair of the Technology Committee is a member of the ERM Committee, enabling the chair to convey to the ERM Committee details of the discussions with respect to the CISO’s report as well as other matters related to our technological infrastructure and the impact thereof on matters within the ERM Committee’s focus. Finally, at each ERM Committee meeting our Chief Technology Officer addresses various information technology topics with the ERM Committee.