OLD NATIONAL BANCORP /IN/ - (ONB)
10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
CYBERSECURITY RISK MANAGEMENT AND STRATEGY
Old National’s enterprise risk management program is designed to identify, assess, and mitigate various financial, operational, regulatory, legal, and reputational risks. Cybersecurity is a critical component of that program, especially in light of the significant, persistent, and ever-evolving cybersecurity risks facing us and other financial institutions. For further discussion of such risks, see the section entitled “Risk Factors” in Item 1A of this Form 10-K under the heading “Operational Risks.” Our objective is to maintain a robust cybersecurity program designed to protect the confidentiality, integrity and availability of our information systems and critical operational processes, including through identification of material information assets and systems, deployment of controls designed to protect against known cybersecurity threats, prompt detection of any cybersecurity threats that make it past our defenses, maintenance of documented, tested approaches for responding to cybersecurity threats and establishment of recovery techniques and technologies to promote resilience from any cybersecurity incidents.
As a result, the Company has developed and maintains an Information Security Program (“ISP”) and various related policies, standards, guidelines, and procedures, as a core part of its enterprise risk management program. The ISP establishes control requirements for addressing cybersecurity risks, defines stakeholder roles and responsibilities, and sets the foundation for the program’s importance within the Company. We structure our ISP around the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, regulatory guidance, and other industry standards. In alignment with recommendations from NIST and other relevant industry guidelines, the Company maintains a layered cybersecurity strategy based on prevention, detection, and response/mitigation. Internal and third-party contracted technical and procedural controls include, among others, the following types: preventative (including firewalls, end-point detection and response, data loss prevention, access controls, internal/external penetration testing); detective (such as security monitoring and event management); and responsive (including through business continuity plans and an enterprise-wide Cybersecurity Incident Response Program that is integrated into an overall enterprise incident response/crisis management program).
We continually review and seek enhancements to our cybersecurity programs and processes. The ISP is periodically reviewed by internal Company stakeholders and modified to respond to changing cybersecurity threats and conditions. We regularly test our layered defenses by performing simulations and tabletop exercises (including at a management level) and drills at both a technical level (including through penetration tests) and by review of our information security policies, practices and procedures with third-party consultants. Our ISP team monitors alerts and meets with business managers to discuss threat levels, emerging threats or trends, and available mitigation or remediation approaches and tools. The team also regularly collects and communicates to management relevant data on cybersecurity threats and risks, including through monthly cybersecurity scorecards on the status of and potential risks to key initiatives and controls, and conducts an enterprise-wide cybersecurity risk assessment at least annually.
In addition, we obtain inputs from industry and government associations, third-party benchmarking, and threat intelligence resources and updates. We leverage internal auditors and third-party consultants to periodically review the processes, systems, and controls underlying our ISP and assess their design, operating efficacy, and program maturity, as well as to make recommendations to enhance their currency and effectiveness.
The Company also maintains a Third-Party Risk Management (“TPRM”) program designed to identify, assess, and manage enterprise risks, including cybersecurity risks, inherent in or potentially associated with the Company’s external service providers and other third parties in its supply chain. TPRM leaders report into and operate under the supervision of our Corporate Risk Management department. The TPRM program seeks to build into the Company’s business processes an appropriate level of cybersecurity due diligence prior to engagement of, and during the relationship lifecycle with, third parties. We generally seek security-related confirmations from our third-party suppliers, including as to their adherence to appropriate information handling and asset management requirements and their provision to us of notifications in the event of any known or suspected cybersecurity incidents.
While we have no knowledge that we have experienced a cybersecurity incident that has had or is reasonably likely to have a material adverse impact on our operations or financial results as of the date of this Form 10-K, there can be no assurance that we will not encounter such an incident in the future, notwithstanding the cybersecurity measures and processes we have undertaken. Such incidents, whether or not successful, could result in our incurring significant costs related to, for example, remediating or restoring our internal systems or information, implementing additional threat protection measures, defending against litigation, responding to regulatory inquiries or actions, paying damages, providing customers with incentives to maintain a business relationship with us, or taking other remedial steps with respect to third parties, as well as incurring significant reputational harm. Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, which could subject us to additional liability and reputational harm. Cybersecurity threats are expected to continue to be persistent and severe. For further discussion of such risks, see the section entitled “Risk Factors” in Item 1A of this Form 10-K under the heading “Operational Risks.”
CYBERSECURITY GOVERNANCE
The Company’s enterprise Information Security department is primarily responsible for monitoring and managing the Company’s ISP, under the supervision of Old National’s Chief Information Security Officer (“CISO”). The Information Security department’s responsibilities generally include cybersecurity risk assessment, identification and implementation of preventive measures, incident response, vulnerability assessment, threat intelligence, identity access governance, and business continuity and resilience.
Old National has adopted an enterprise risk strategy, including for cybersecurity risks, premised on three lines of defense. While the Company expects the responsibilities described in the prior paragraph to be performed, monitored, and managed on a day-to-day basis by a “first line of defense” vested in the responsible business or function, the CISO and Information Security department representatives, as a key part of the Company’s Enterprise Risk Management department, serve as a “second line of defense” on cybersecurity matters, providing guidance, oversight, separate monitoring, and testing confirmation or challenge of the first line’s activities. The second line of defense function is separated from the first line of defense function through our organizational structure, with the CISO and other Information Security department personnel reporting into the Company’s Chief Risk Officer (the “CRO”). The Company’s Internal Audit function provides a “third line of defense,” in terms of periodically auditing overall program controls and effectiveness, using internal auditors with experience in auditing information technology matters. Our Chief Audit Executive and Ethics Officer supervises our Internal Audit department and reports to the Company’s Chief Executive Officer, while also maintaining a direct reporting relationship with the Chair of the Audit Committee of the Company’s Board of Directors.
Old National’s Information Security Department includes information security professionals with a range of varying cybersecurity experience and education, many of whom have substantial experience assessing and managing cybersecurity initiatives and hold certain cybersecurity certifications. The Company’s CISO has extensive experience managing cybersecurity programs and assessing cybersecurity risks, with more than 30 years of experience in developing, managing, and testing information security and technology risk management programs. That includes over 13 years of experience in building and managing cybersecurity and technology risk programs for multi-national, Fortune 500 financial services firms, and over 10 years of experience building and managing information security consultancies specializing in cybersecurity program development and cybersecurity control testing. He is a frequent lecturer and author on information security and technology risk topics and maintains his Certified Information Security Manager (CISM) and Certified Data Privacy Solutions Engineer (CDPSE) certifications through the Information Systems Audit and Control Association, Inc. (ISACA).
Cybersecurity risks and updates are reported and discussed on a regular basis within various Old National and Old National Bank management committees that have operational business or information technology oversight or day-to-day implementation, monitoring, and governance responsibility for information security matters. Those include Old National Bank-level committees such as the Information Security and Technology Risk Management Committee (the “ISTRM”), the Risk Executive Committee, the Security Technology Council and the Cyber Threat Management Council. The ISTRM has direct oversight of the ISP. It is chaired by the CISO and meets regularly (generally monthly and no less than ten times per year) to review the ISP and related cybersecurity matters as outlined in its charter. Members of the ISTRM and the other referenced management committees include the CRO, the CISO, the Chief Information Officer, key senior business operating managers and functional leaders, and other representatives from the Company’s Information Security department. Coordination among these committees, and with other business management committees operating outside the auspices of the Company’s Information Security or Enterprise Risk departments, is intended to help Old National address information security questions in a consistent, coordinated fashion, maintain front-line visibility of the ISP, and promote compliance with Old National security policies and standards.
The Enterprise Risk Committee of the Company’s Board of Directors (the “Risk Committee”) is responsible for oversight of the Company’s enterprise-wide risks as set forth in its charter. That includes oversight of management’s actions designed to identify, assess, mitigate, and prevent or remediate material cybersecurity issues and risks, through the ISP and other activities. The CISO provides quarterly (or more frequent, as appropriate) reports to the Risk Committee and the Risk Executive Committee, along with periodic reporting to the full Board of Directors on the ISP, the ISTRM’s activities, key enterprise cybersecurity initiatives, and other matters relating to the Company’s cybersecurity profile and risks. The Risk Committee provides a report to the full Board of Directors at each regular Board meeting regarding the Risk Committee’s risk oversight activities, including those relating to cybersecurity, and the Company maintains procedures for the CRO and/or CISO to escalate significant cybersecurity matters to the Risk Committee, Executive Committee, and/or the full Board of Directors, as appropriate.