BANNER CORP - (BANR)

10-K Filing Date: February 23, 2024
Item 1C – Cybersecurity

Risk Management and Strategy

Our cybersecurity risk management and strategy are integrated into our enterprise-wide risk management program, which leverages a “three lines of defense” model to manage risk within the organization. Technology risk (including cybersecurity risk) is identified as a key risk area for the Company, and Management measures inherent risk, mitigating controls, and residual risk on a quarterly basis.

The ability to mitigate cybersecurity risks is dependent upon an effective risk assessment process that identifies, measures, controls, and monitors material risks stemming from cybersecurity threats. These threats include any potential unauthorized activities occurring through the Company’s information systems that could adversely affect the confidentiality, integrity, or availability of the Company’s information systems or the data contained therein. The Company’s Information Security Program includes a comprehensive information security risk assessment process that incorporates the following elements:

Identifying threats, measuring risk, defining information security requirements, and implementing controls to reduce risk.
Identifying reasonably foreseeable internal and external threats that may lead to unauthorized disclosure, misuse, alteration, or destruction of sensitive information or information systems.
Assessing the likelihood and potential damage posed by these threats, considering the degree of information sensitivity and the Company’s operations, inclusive of substantive changes to people, processes and technology.
Aligning the Information Security Program with the Company’s enterprise-wide risk management program, which identifies, measures, mitigates, and monitors risk.
Evaluating the adequacy of policies, procedures, information systems, and other arrangements designed to control identified risks, considering the Company’s operations, inclusive of substantive changes to people, processes and technology.
Providing input for internal and external auditors and independent third-party engagements, including in relation to internal and external (i.e., third-party operated) penetration tests.
Exercising risk oversight to conduct appropriate, risk-based due diligence and monitoring to understand risks associated with our third-party vendors and outsourced services.

The risk assessment process is designed to identify assets requiring risk reduction strategies and includes an evaluation of the key factors applicable to the operation. The Company conducts a variety of information security assessments throughout the year, both internally and through third-party specialists.

In designing our Information Security Program, we refer to established industry frameworks – in particular, the Federal Financial Institutions Examination Council (FFIEC) and guidance from the International Organization for Standardization (ISO). The FFIEC framework offers a set of guidelines to help financial institutions effectively manage and mitigate cybersecurity risks. The framework focuses on ensuring the confidentiality, integrity, and availability of sensitive information and systems. ISO/IEC 27001 is an international standard developed by the ISO specifically for Information Security, Cybersecurity and Privacy Protection (ISCPP). The ISO/IEC 27001 requirements provide a systematic and risk-based approach to managing sensitive information, ensuring its confidentiality, integrity, and availability. The requirements reflect best practices that organizations can use to guide an information security program. The Company considers these frameworks to be aspirational benchmarks to help inform the design of our Information Security Program, including risk mitigation controls and processes. While we believe our Information Security Program is well-designed and appropriate for our organization, the sophistication of cyber threats continues to increase, and the Company’s cybersecurity risk management and strategy may be insufficient and may not be successful in protecting against all cyber incidents. Accordingly, no matter how well designed or implemented the Company’s controls are, it may not be able to anticipate all cybersecurity breaches, and it may not be able to implement effective preventive measures against such security breaches in a timely manner. For more information on how cybersecurity risk may affect the Company’s business strategy, results of operations or financial condition, please refer to Item 1A, Risk Factors — Risks Related to Cybersecurity, Data and Fraud.

The Company uses a cross-functional approach to identify, prevent, and mitigate cybersecurity threats and incidents, and we have adopted controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. We have developed a formal cybersecurity incident response plan that outlines the steps the Company will take to respond to a cybersecurity incident.

While cybersecurity risks have the potential to materially affect the Company’s business, financial condition, and results of operations, the Company does not believe that risks from cybersecurity threats or attacks, including as a result of any previous cybersecurity incidents, have materially affected the Company, including our business strategy, results of operations or financial condition. With regard to the possible impact of future cybersecurity threats or incidents, see Item 1A, Risk Factors — Risks Related to Cybersecurity, Data and Fraud.

Governance

Our Board of Directors has adopted, and reviews annually, a Risk Appetite Statement that articulates the Company’s attitude towards risk. The Company’s Risk Appetite Statement identifies key risk categories and establishes a risk appetite for each, as well as specific associated risk metrics that are monitored quarterly by Management and reported to the Risk Committee. Management measures and reports inherent risk, mitigating controls, and residual risk for each key risk category and also identifies and regularly discusses emerging risks with the Risk Committee.

The Company's governance and oversight of cybersecurity risks are facilitated through our Information Security Program, which establishes administrative, technical, and physical safeguards designed to protect the confidential information and records of all the Bank’s clients in accordance with FDIC regulations. Our Information Security Program, along with its associated policies and guidelines, takes into account FDIC and FFIEC regulations and guidance on sensitive information protection as well as information system and domain name security. It is tailored to align with the Company’s size and complexity and the nature and scope of our activities.

We maintain relevant expertise within the Bank’s management team to manage cybersecurity risks. In particular, the Bank’s Chief Information Officer (CIO) provides direction and oversight for information technology and security across the Company, including existing and emerging initiatives. In this role, she leverages more than 25 years of information technology experience. In addition, the Bank’s Chief Information Security Officer (CISO) has been with the Company for more than 12 years and has maintained various applicable cybersecurity and IT audit certifications. Prior to joining the Bank, he worked for a Fortune 500 company and had 15 years of information technology experience working in networking, information security and information technology auditing. The CIO and the CISO are supported by a team of information technology and information security specialists.

Our Information Technology (IT) Management team, among other things, is responsible for conducting risk assessments, designing the Information Security Program to manage identified risks based on information sensitivity and the Company’s operational complexity, overseeing service provider arrangements, establishing risk-based response programs for incidents of unauthorized access, providing staff training, conducting testing of key controls, systems, and procedures, and adjusting the program in response to changes in people, processes, technology, sensitive information, threats, and the business environment (e.g., mergers, acquisitions, alliances, joint ventures, or outsourcing arrangements).

Our IT Management team reports annually to the Risk Committee regarding the overall status of the Information Security Program. This reporting encompasses various aspects, such as risk assessment, risk management and control decisions, service provider arrangements, results of independent testing, cybersecurity incidents or violations and Management’s responses, and recommendations for changes to the Information Security Program. Quarterly status updates are also provided to the Risk Committee.

The Board of Directors plays a crucial role, annually reviewing and approving our Information Security Program. The Board oversees efforts to develop, implement, and maintain an effective Information Security Program, including reviewing Management’s reporting on program effectiveness. Additionally, the Board of Directors’ Corporate Governance/Nominating Committee considers information technology and cybersecurity expertise when assessing potential director candidates, to help ensure the Board of Directors has the capability to appropriately oversee Management’s activities in these areas.

We maintain a Cybersecurity Incident Response Team (CIRT), which is responsible for addressing the technical aspects of the Company’s response to cybersecurity events. Additionally, our cross-functional Executive Cybersecurity Event Evaluation Team (ECEET) is responsible for assessing the potential business impacts and disclosure requirements related to cybersecurity events. Both the CIRT and the ECEET may consult cybersecurity legal counsel and other external experts in connection with their respective activities. An escalation process has been established for engaging other governance groups, which may include the Company’s Disclosure Committee and/or the Board of Directors’ Audit Committee, each of which also receives a quarterly report from the chair of the ECEET.