COMMERCE BANCSHARES INC /MO/ - (CBSH)

10-K Filing Date: February 22, 2024
Item 1c. CYBERSECURITY
Cybersecurity Program and Management Oversight
The Company has established an Information and Cybersecurity program. The program is directed by the Company’s Information Security Strategy Board (“ISSB”). The purpose of the ISSB is to (i) provide management direction and support for information security risk oversight for the Company’s information security program and (ii) to engage Company leaders to promote information security risk awareness and sound information security risk management practices across the organization. The ISSB has been delegated authority from the Company’s Enterprise Risk Management Committee (“ERM Committee”) to advance and monitor the overall effectiveness of the Company’s information security program and risk management activities. The ISSB also has the authority to direct effective and timely implementation of actions to address emerging information security risks and information security risk management deficiencies. The ISSB meets at least quarterly.

The ISSB is responsible for identifying, evaluating and monitoring information security risk across the Company. In order to fulfill this role, the ISSB engages in a variety of activities, including, but not limited to, the following:
a. Review current status of the Company’s overall information security program.
b. Review and monitor impacts, outcomes and remediation plans or mitigation activities related to internal and external security incidents, vulnerability scans or assessments.
c. Review and monitor significant information security related projects and regulatory initiatives.
d. Monitor metrics related to the Company’s information security program.
e. Review and approve new, and modifications to existing, information security policies for which the ISSB has been designated approval authority by the ERM Committee. Existing information security policies are reviewed at least annually.
f. Review information security examination reports and other significant communications from regulatory agencies and the status of any outstanding information security related regulatory findings.
g. Monitor and discuss emerging industry information security risk issues including applicable frameworks, rules and regulations.
h. Identify and analyze significant changes affecting information security risk management such as changes in the external environment, business model and leadership.
i. Review new, expanded or modified software and applications that process, transmit, or store sensitive information to ensure appropriate information security risk management is embedded in the development and implementation processes.

The ISSB is comprised of the following:
a. Chief Information Security Officer – Chair
b. Chief Information Officer
c. Executive Director, Consumer Segment & Strategic Services
d. Managing Counsel
e. Director, Bank Operations
f. Executive Director, Retail
g. Chief Risk Officer
h. Commerce Trust Chief Operating Officer
i. IT General Manager
j. Director, Commercial LOB Products & Operations
k. Director, Audit

The Chief Information Security Officer (“CISO”) is responsible for the Company’s enterprise-wide Information and Cybersecurity Program. Responsibilities include the Information and Cybersecurity program, Security Architecture, Application Security, IT Risk Management, Operational Security, Security Consulting, Awareness and Training, Policies and Standards development, Incident Response and Information Security defense / mitigation strategy, strategic planning, and Vendor and Service Provider monitoring. The CISO has 25 years of experience with Information Security Program development, Application Security program development, IT Risk Management program development, Incident Response preparation, planning, and testing, Operational and Technical Security Architecture, and creating zero-day defense strategies. The CISO is a Certified Information Systems Security Professional, is a member of the Information Systems Security Association and InfraGard, and participates in local and national security consortiums. The CISO demonstrates expertise in the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, Payment Card Industry, International Organization for Standardization 27001, National Institute of Standards and Technology, Open Worldwide Application Security Project, and other programs to provide strategic consulting across a variety of industry sectors.

Governance
The Company’s Board of Directors (the “Board”) is responsible for the oversight of all risk management activities, including cybersecurity risk. The Board has delegated that oversight responsibility to the Audit and Risk Committee. The Audit and Risk Committee has delegated the responsibility to advance and monitor the overall effectiveness of the Company’s risk management activities, including cybersecurity risk, to the ERM Committee. The ERM Committee also has the authority to direct effective and timely implementation of actions to address emerging cybersecurity risks. The ISSB provides quarterly reports to the Operational Risk Management Committee and ERM Committee. Through reports received from the ERM Committee, the Audit and Risk Committee notifies the Board of Directors about new policies and policy changes, changes in standards applied, and key risk metrics to evaluate ongoing cybersecurity threats and security risk exposure (the “Governance Model”). In addition, the ISSB provides a full report on the Company’s cybersecurity framework, risks, initiatives, and significant incidents to the Audit and Risk Committee or the Company’s Board of Directors not less than annually.

Cybersecurity Risk Assessment Strategy, Policies and Standards
The Company’s cybersecurity program is primarily structured based upon national and international security protocols and frameworks. The Company has implemented a strategy to address threats to Company assets. The Company’s Information Security program balances security risks with business goals and provides appropriate protections for the confidentiality, integrity and availability of Company and customer information. The Company obtains benchmark reports on its Information Security program to assess its strength as measured against the recommendations of industry security best-practice bodies.

The Company has a process to prioritize and manage security related projects. The ISSB provides oversight of program changes, security awareness updates, exposures from new exploits, and risks to information, data and systems. Policies and standards are regularly reviewed within the Governance Model and presented to the Board.

The Company utilizes a risk assessment approach to oversee and identify material risks from cyber threats, which includes information gathering, analysis, and prioritization of mitigation strategies. This approach was designed following security industry standard processes, models and guidelines. Risk assessments are a key component of the overall risk management process. The objectives of the risk assessment process are as follows:
a. Provide assurance that management has implemented appropriate controls to mitigate risk.
b. Identify applications, vendors, service providers, and/or business units that process, transmit, or store sensitive information.
c. Comply with the various regulations addressing data security.
d. Comply with the Company’s information security policies and standards.

The scope of the risk assessment process includes but is not limited to the following asset types:
a. Applications
b. Business units
c. Service providers
d. Servers
e. Databases
f. Data centers
g. Network infrastructure
h. Security infrastructure
i. Storage/recovery
j. Mobile devices
k. Workstations
l. Authentication directory services
m. Cloud

The Company conducts detailed due diligence (as described below), contract reviews and ongoing monitoring of high-risk third-party service providers. Third-party service providers hosting an application or providing a service that processes, analyzes, transmits, stores, or reports the Company’s sensitive information must complete a control questionnaire. Vendors are subject to rigorous review of the vendor’s internal control policies, procedures, data security and contingency capabilities. Ongoing monitoring is also performed annually on selected service providers. The program requires service providers on the ongoing monitoring list to provide the Company with a third-party security penetration assessment, and other artifacts based on the type of information processed, transmitted, or stored, annually.

The Company has also developed a comprehensive set of key risk metrics to evaluate ongoing cybersecurity threats and the security risk exposure. These metrics are used for threat trending, identifying attack vectors, and determining the effectiveness of controls. Key risk metrics are provided to management monthly and reported through the Governance Model to the Board.

Security event monitoring and detection
The Company formally tracks and reports on major identified risks and vulnerabilities and the results of their analysis and evaluation. These details are then used to track and monitor whether each risk is being managed successfully and delivering the required, anticipated results. Security risks are categorized as either Practice risks or (exploitable) Vulnerability risks. The information is reported in the monthly security metrics report and in quarterly reporting to the ISSB.

The Company actively monitors alerts and shared intelligence from a variety of industry-standard sources and takes appropriate actions when warranted. As new threats and vulnerabilities emerge that threaten its systems and data, the Company continues to evaluate and address these threats through a layered security approach.

The Company performs network and application penetration testing on external high-risk applications as well as network penetration testing across its production, test, and disaster recovery networks. The Company also performs tests on its operational defense and response to assess the ability to detect and respond to a threat actor. This allows the Company to test lateral movement, exploitation and data exfiltration, and to evaluate its security posture around three primary security functions: detection, prevention, and response. The Company regularly participates in desktop exercises to help demonstrate incident preparedness and regulatory compliance. All testing results are reported to the Board quarterly through the Governance Model.

Incident materiality
The Commerce Bank Cybersecurity Incident Investigation and Response Plan is a component of the Information Security policy and sets forth the severity categories and processes required to assess the impact of a cyber-related incident to the Company. The impact is categorized in one of five severity levels and is expressed in terms of financial loss, strategic objectives, customer, legal and regulatory, reputation, and service interruption. The incident response plan includes timely notification of a material cybersecurity incident to the Board of Directors and other members of senior management.

Like other financial institutions, the Company experiences malicious cyber activity on an ongoing basis directed at its websites, computer systems, software, networks and users. This malicious activity includes attempts at unauthorized access, implantation of computer viruses or malware, and denial of service attacks. The Company also experiences large volumes of phishing and other forms of social engineering attempted for the purpose of perpetrating fraud. While, to date, malicious cyber activity, cyberattacks and other information security breaches have not had a material adverse impact on the Company, risk to its systems remains significant. See Technology Risk "A successful cyber attack or other computer system breach could significantly harm the Company, its reputation and its customers" within Risk Factors Item 1a.