HEARTLAND FINANCIAL USA INC - (HTLF)
10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
HTLF Bank's Risk Management program is designed to identify, assess, monitor and mitigate risks based on various key risk factors we face including, but not limited to, financial, operational, regulatory and legal. Cybersecurity is a critical component of our risk management framework given internal dependencies on technology, the evolving digital environment and the rapid acceleration of cyber-threats. HTLF’s cybersecurity risk management program is built on a three lines of defense Risk Management framework. HTLF’s first line of defense provides frontline business, operational and technical controls and support to securely deliver access to HTLF applications and data to HTLF users. As part of the Risk Management function, HTLF’s second line of defense is primarily responsible for infrastructure defense and security controls, performing vulnerability assessments, identity access management, business continuity, third-party information security assessments, employee awareness and training programs, and security incident management. Internal Audit functions as HTLF’s third line of defense and independently provides assurance, via multiple audit and testing engagements, to validate the effectiveness of HTLF's cybersecurity risk management practices, while measuring against regulatory requirements and HTLF’s Policies and Standards.
HTLF’s first line of defense is led by our Chief Operations Officer and our Chief Information Officer. HTLF’s second line of defense is led by our Chief Risk Officer ("CRO") and includes the Security function, led by our Chief Information Security Officer ("CISO") who is primarily responsible for the cybersecurity component. The primary responsibilities of the HTLF Security function are to protect HTLF assets including networks, systems, application, data, funds, and staff, and facilitate incident response and resolution. HTLF’s third line of defense is led by our Chief Audit Executive.
Our primary objectives for managing cybersecurity risk are to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt, exploit or misuse our information or systems. The structure of our information security program is designed around the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, regulatory guidance, and other industry standards. The NIST cybersecurity framework is a nationally recognized industry standard for mitigating organizational cybersecurity risks, which includes identifying risks, protecting assets, detecting threats, responding to incidents, and recovering from incidents. The NIST cybersecurity framework uses standards, procedures and best practices, and is integrated into the HTLF Security team’s overall risk management system and processes, including oversight of third-party service providers. Management of HTLF's third parties, including vendors and service providers, is conducted through a risk-based approach, and the level of due diligence is driven by risk factors established by Enterprise Risk Management through its Third Party Risk Management Program. The process provides awareness and collaboration across all internal teams, including Information Security and Business Continuity. A technical requirements review process is conducted on new or significantly changed third parties, applications, or technology to ensure that systems or third parties meet certain security baseline requirements. Further, HTLF's Security program also provides for annual mandatory training for employees regarding security awareness and understanding of how to properly use and protect the company's assets, including computing resources entrusted to them, and to communicate the company's information security policies, standards, processes and practices.
To address evolving cybersecurity risks and corresponding regulations, the HTLF Security team uses Federal Financial Institutions Examination Council ("FFIEC") booklets and Cybersecurity and Infrastructure Agency ("CISA") guidance; identifies and defines emerging risks using third-party research and subject matter expert consultants; executes strategic cyber threat assessments; performs new product and initiative reviews; performs data management risk oversight; and conducts cyber risk reviews as part of HTLF’s Third Party Risk Management process, which oversees and identifies risks, including cybersecurity threats, associated with our use of third-party service providers. The HTLF Security team conducts periodic tabletop exercises to test HTLF business units’ capabilities to respond to various security incidents, including cyber-attacks.
Governance
Our CISO is accountable for managing our enterprise information security department and delivering our information security program. The responsibilities of this department include cybersecurity governance (policies and procedures), risk assessment, defense operations, incident response, vulnerability monitoring, threat intelligence, identity access governance, information security/cyber related third-party risk management, and business continuity. Moreover, the Security function is responsible for assessing, managing and remediating material risks from cybersecurity threats. The Security management team has technical, management and project leadership experience in mid-sized or larger banks, maintains appropriate technical certifications, and stays abreast of industry, technical and regulatory best practices and requirements.
If a cybersecurity event occurs, the CISO leads the HTLF Incident Response Team as part of our Incident Response Plan, which is designed to help reduce the risks related to security incidents by providing guidelines for responding to incidents and a roadmap for coordinating personnel, policies, and procedures so that incidents are detected, analyzed, and handled to mitigate material risks. The CISO and CRO work with key cross-functional stakeholders, including members of executive leadership, and provide updates to the HTLF Risk Committee on the status and impact of the cybersecurity event, and review the event with the Risk Committee following its ultimate resolution in order to share the root cause and lessons learned from the incident.
HTLF has implemented a robust corporate governance framework comprising the HTLF Board of Directors and its committees, which in turn delegate authority to management for implementation of the risk management program, including cybersecurity as an integral component. The corporate governance framework is designed to provide transparency through routine reporting by the CISO to facilitate effective oversight of cybersecurity risk by the Board and executive management. The management committee layer of the corporate governance framework is supported by an Operational Risk Committee, which serves as a key forum for the CISO to report quarterly updates on HTLF's cybersecurity risk profile, key metrics and risk indicators used to monitor the operating environment, emerging risks and threats, as well as any cybersecurity incidents or events. In addition, the CISO has a routine reporting cadence with the Executive Risk Management Committee and the HTLF Risk Committee on the status of the cybersecurity management program, including trending of key risk metrics and results of risk assessments, audits and regulatory examinations.
HTLF has not been materially affected by any cybersecurity incidents to date, nor are we aware of any cybersecurity incident which we believe would have a material impact on us in the future. Nevertheless, like all financial institutions, we are subject to the risk that cybersecurity threats will continue to evolve and may materially impact us in the future. These factors are further detailed in the "Risk Factors" section included under Item 1A of Part I of this Annual Report on Form 10-K, including under the caption “Security breaches, cyber-attacks or other similar incidents with respect to our or our vendors’ systems or network security, as well as the resulting theft or compromise of business and customer information, including personal information, could adversely affect our business or reputation, and create significant legal, regulatory or financial exposure.”