FIRST FINANCIAL BANCORP /OH/ - (FFBC)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
Cybersecurity (cyber) risk is differentiated from information technology risk by threat interactions that yield high impact consequences and ever-increasing probability. While standard security operations address most day-to-day incidents, cyber risk includes motivated threat actors who often use advanced tools, techniques and processes to evade detection or inflict maximum damage to an organization's information assets. Cyber threats and attacks adapt and evolve rapidly, so First Financial works to continuously enhance controls and processes to protect its networks, applications, and data from attack, damage or unauthorized access. Critical components to the Company’s cyber risk control structure include corporate governance, threat intelligence, security operations, security awareness training and patch management programs. Cyber risk mitigation includes effectively identifying, protecting against, detecting, responding to and recovering from cyber threats.
The Company’s cybersecurity program is overseen by its Chief Information Security and Privacy Officer (the “CISO”). The Company’s CISO has over 20 years’ experience in the information security industry, including a previous CISO position at a large global conglomerate based internationally, and as head of product security for a US-based large global conglomerate. The Company’s CISO also has previous financial services experience as head of cyber defense for a large regional bank. The CISO meets quarterly with and chairs the Cyber ERM Committee, which consists of representatives from the office of enterprise security, information technology, risk, compliance, and other internal stakeholders, and presents quarterly to the Enterprise Risk Management Committee (“ERMC”), which includes executive and senior leadership of the Company, and the Risk and Compliance Committee of the Board of Directors (“Board Risk Committee”). The management of risk from cybersecurity threats is one of the risks that is continuously assessed, monitored and managed by the Company under the Company’s ERM framework, which is described more fully in the Company’s Annual Report to Shareholders. The CISO maintains a scorecard which monitors and measures various cyber risks, including:
a. Operational capability, including cyber defense, vulnerability management, and third-party risk management.
b. Risk assessments, including GLBA assessments and attack simulations.
c. Program maturity, including MITRE and the Federal Financial Institutions Examination Council’s maturity framework.
d. Internal and External Audit, including external assessments, internal audit results, and regulator exam results.
The Company uses a variety of tools to monitor and mitigate cybersecurity risks, including employee training, phishing simulators, incident response tabletops, cybersecurity insurance and business continuity planning for the protection of the Company’s assets. Additionally, the Company’s cybersecurity function is audited on an annual basis by a third party using the MITRE ATT&CK framework.
The Company maintains an ad hoc committee comprised of senior management with responsibility for third party (vendor) risk management, including the CISO, the Chief Risk Officer, the Chief Compliance Officer, representatives from vendor management, and enterprise risk management associates. The ad hoc committee reviews diligence regarding vendors, including cyber diligence, and monitors any incidents or cybersecurity threats involving those third parties. Cyber diligence of critical vendors (vendors which store or interact with customers’ personally identifiable information) includes an annual review of the technology and data interfaces with the vendor, an annual review of the vendor’s cyber security controls, and monthly monitoring of the vendor’s outward-facing security posture.
No risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents, have materially affected the Company, including its business strategy, results of operations or financial condition.
Governance
First Financial’s board of directors is responsible for overseeing the Company’s cybersecurity risk management objectives and risk tolerance as part of its oversight of the Company’s compliance and risk management activities. Specific oversight of the cybersecurity function is delegated to the Board Risk Committee. The Chair of the Board Risk Committee has extensive cybersecurity experience, including both experience as a chief information security officer of a publicly traded financial institution and as an outside cybersecurity consultant. The committee chairperson maintains CISSP and CRISC certifications. Through the Board Risk Committee, the Board’s oversight responsibilities include:
a. establishing and guiding the Company’s cybersecurity risk tolerance, including the determination of the aggregate risk appetite and identifying the senior managers who have the responsibility for managing risk;
b. ensuring that the Company implements sound fundamental principles that facilitate the identification, measurement, monitoring and control of risk;
c. ensuring that adequate resources are dedicated to cybersecurity risk management; and
d. confirming that awareness of cybersecurity risk management activities is evident throughout the organization.
The Company has developed and documented an incident response plan that includes various levels of escalation in the event of a cyber incident. All incidents begin with information security and information technology associates, with escalation to a crisis management team comprised of the CISO, the Chief Risk Officer and certain designated members of executive management in the event the situation is severe. The crisis management team communicates with the full executive team and the Board of Directors in case of more severe incidents. More complete reporting is then provided to the ERMC and the Board Risk Committee during regularly scheduled quarterly meetings.