UNITED COMMUNITY BANKS INC - (UCBI)

10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY

Policy statements and regulations issued by state and federal bank regulators indicate that financial institutions should design multiple layers of security controls to establish lines of defense, and should ensure that their risk management processes also address the risk posed by compromised customer credentials, including security measures that reliably authenticate customers accessing the institution’s internet-based services. Likewise, a financial institution’s management is expected to maintain business continuity planning processes sufficient to ensure the rapid recovery, resumption and maintenance of the institution’s operations after a cyberattack involving destructive malware.

On April 1, 2022, a final rule issued by the federal banking agencies (the OCC, the Federal Reserve Board and the FDIC) became effective that imposes notification requirements for significant cybersecurity incidents on banking organizations and their service providers. Specifically, the rule requires a banking organization to notify its primary federal regulator as soon as possible and no later than 36 hours after it determines that a “computer-security incident” rises to the level of a “notification incident,” as those terms are defined in the rule. Under that rule, a bank service provider must notify each affected bank to which, or on behalf of which, it provides services as soon as possible after determining that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to that bank for four or more hours.

Additionally, amendments to the GLB Act’s Safeguards Rule took effect on December 9, 2022. That rule requires financial institutions to: (i) appoint a qualified individual to oversee and implement their information security programs; (ii) apply additional criteria in information security risk assessments; (iii) implement the safeguards identified by those assessments, including access controls, data inventory, data disposal, change management and monitoring, among other things; (iv) monitor information systems through either “continuous monitoring” or “periodic penetration testing and vulnerability assessments”; and (v) implement additional controls, including training for security personnel, periodic assessment of service providers, a written incident response plan and periodic reports from the qualified individual to the board of directors. Multiple states and Congress are also considering laws or regulations that could create new individual privacy rights and impose increased obligations on companies handling personal data.

Risk management and strategy

The regulatory requirements referenced above recognize that, in the ordinary course of business, we rely on electronic communications and information systems to conduct our operations and store sensitive data. “Information systems” means electronic information resources that we own or use, including physical or virtual infrastructure controlled by these information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the information necessary to maintain or support our operations. We face significant and persistent cybersecurity risks due to: the breadth of geographies, networks, and systems we must defend against cybersecurity attacks; the complexity, technical sophistication, value, and widespread use of our systems, products and processes; the attractiveness of our systems, products and processes to threat actors (including state-sponsored organizations) seeking to inflict harm on us or our customers; the substantial level of harm that could occur to us and our customers were we to suffer the impacts of a material cybersecurity incident; and our use of third-party products, services and components. Because cybersecurity threats continue to evolve, we have been required, and may continue to be required, to expend significant resources to implement, modify or enhance our protective measures or to investigate and remediate information security vulnerabilities. Financial expenditures may also be required to meet regulatory changes in the information security and cybersecurity domains. Risks and exposures related to cybersecurity attacks are expected to remain significant for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as the expanding use of internet banking, mobile banking and other technology-based products and services by us and our customers. See “Item 1A. – Risk Factors” in this Report for a further discussion of risks related to cybersecurity.

The underlying controls of our cyber risk management program are based on recognized best practices and standards for cybersecurity and information technology, including frameworks such as the Center for Internet Security’s Critical Security Controls and the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool. We periodically engage third parties to assess our cyber risk program and technical controls. To address cybersecurity threats (defined as potential unauthorized occurrences on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of those systems or any information residing therein), we have implemented an incident and event response program. That program, which is designed to identify, assess, manage, mitigate, and respond to cybersecurity threats, is integrated within our overall enterprise risk management and business continuity frameworks. We employ an in-depth, layered, defensive approach that leverages people, processes and technology to manage and maintain cybersecurity controls. We also employ a variety of preventative and detective tools to monitor, block, and alert on suspicious activity affecting our information systems, and to report on any suspected advanced persistent threats. An ongoing enterprise-wide security awareness training program is in place to help protect our data, systems, and networks from malicious attacks and cyber threats. The program is designed to allow for the detection of, and timely and efficient recovery from, cybersecurity incidents (defined as unauthorized occurrences, or a series of related unauthorized occurrences, on or conducted through our information systems that jeopardize the confidentiality, integrity, or availability of those systems or any information residing therein) and events by providing a well-defined, organized approach for handling any potential threats to the confidentiality, integrity, and/or availability of our information systems.

In many instances we rely on third-party providers to deliver products and services to our customers. As part of our overall cybersecurity risk management framework, and in addition to assessing our own cybersecurity preparedness, we have a process in place to manage the cybersecurity risks associated with third-party service providers. To help mitigate adverse impacts from a cybersecurity incident, we assess third-party vendors as part of our vendor onboarding and ongoing due diligence, which includes processes to assess their information security posture. Depending upon the level of perceived security risk, we may impose security requirements upon a supplier, including: maintaining an effective security management program; abiding by our information handling and asset management requirements; and notifying us in the event of any known or suspected cyber incident. We periodically conduct (or engage a third party to conduct) reviews of third-party hosted applications with a specific focus on any sensitive data shared with those third parties. Depending upon the level of risk, the internal business owners of hosted applications are required to provide a report on the provider’s controls (e.g., a System and Organization Controls (SOC) 2 report, an ISO/IEC 27001 certification, or a similar report).

Our information security team, together with third-party vendors, monitors our information systems for suspicious activity, such as unauthorized intrusions. Suspected or confirmed threats, incidents, or events may also be reported by bank employees, customers, intrusion detection systems, third-party servicers, or government entities. Once reported, cybersecurity incidents are brought to the attention of our Information Technology and Security Team. Depending upon the nature and perceived threat level of the reported event, our overall enterprise risk management process requires the involvement of other management and response teams representing other groups within our organization (e.g., Information Technology, Information Security, Legal/Compliance, Corporate Security, Internal Audit, Human Resources, Finance/Accounting, Corporate Communications, and a Designated Cyber Coach).

Incident and risk event levels range from no (or low) risk to crisis (high) risk. The determination of the incident and risk level dictates the level of personnel responsible for addressing the incident, controlling its effects and formulating the response. Responses may include, when appropriate and/or required, notification to regulatory agencies (e.g., FDIC, FinCEN, SEC), law enforcement authorities (e.g., FBI, Department of Justice), customers, third parties or internal personnel.

Each of the management and response teams, within its assigned level, is responsible for: providing an orderly response to security incidents and risk events; preventing a serious loss of profits, public confidence, or information assets by providing an immediate, effective, and skillful response to any unexpected event that negatively impacts the confidentiality, integrity, and/or availability of our systems, network, or the non-public personal information of our customers, interrupts our customers’ experiences, or otherwise presents an anomalous situation; taking the steps it deems necessary to contain, mitigate, or resolve a security incident or risk event; and investigating suspected security incidents and risk events in a timely and cost-effective manner, reporting findings to management, determining an appropriate course of action, and coordinating communications to customers, regulatory authorities, and law enforcement agencies as necessary.

Following a cybersecurity incident, and during its investigation and the formulation of a response, our processes also provide for measures designed to contain and/or eradicate the incident and prevent further effects. Once it is determined that the incident has been resolved, we work to establish appropriate controls (if applicable) to address similar future events and/or prevent another similar event from occurring. We have experienced, and will continue to experience, cyber incidents in the normal course of business. To date, however, we have not experienced any cybersecurity incident that has materially affected, or is reasonably likely to materially affect, our business strategy, results of operations, or financial condition.

Governance

Our cybersecurity program is headed by our Chief Information Security Officer (CISO), who reports to our Chief Information Officer. Our CISO is informed about and monitors prevention, detection, mitigation and remediation efforts through regular communication and reporting from professionals on the information security team, several of whom have extensive records of service in financial institutions and cybersecurity. Our CISO has over 20 years of experience in IT operations and security roles in the financial services industry and is a Certified Information Systems Security Professional (“CISSP”). Other members of his team also hold CISSP certifications, as well as CompTIA Security+, SANS Institute Cloud Security Essentials, SANS Institute GIAC Certified Enterprise Defender, SANS Institute Security Awareness Professional, Certified Information Security Manager, GIAC Certified Incident Handler, Certified in Risk and Information Systems Control, and GIAC Cyber Threat Intelligence certifications.

As part of its oversight responsibilities over the Company’s risks and controls, the Board is ultimately responsible for overseeing our cyber and information security risks. The Board has delegated this responsibility to its Risk Committee. At each quarterly meeting of the Risk Committee, our CISO reports on security testing, training, audits, key cybersecurity metrics, and our efforts to identify, prepare for, prevent, and respond to critical threats. The Risk Committee receives regular updates on the status of our information security program, penetration testing results, infrastructure assessments, the threat environment, security operations, operational events, vendor and supply chain security, and application/data security. On an annual basis, the CISO presents a cybersecurity program update to the Risk Committee.