UMB FINANCIAL CORP - (UMBF)

10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY

Information security and privacy are an important part of the Company’s culture and foundational to its goal of delivering safe, secure and quality products and services. This philosophy is emphasized throughout the organization by its board of directors, senior leaders, officers, managers and associates to help promote a Company-wide culture of cybersecurity risk management.

Further, the Company operates within the highly regulated financial services industry, which is focused on the security, confidentiality, integrity, availability and privacy of information and information systems. The standards of the SEC, the GLBA, the General Data Protection Regulation (GDPR), and the Federal Financial Institutions Examination Council (FFIEC) outline specific requirements regarding cybersecurity and data privacy for publicly traded and financial services companies. The Company has established information security and privacy policies focused on protecting the security, confidentiality, integrity, availability and privacy of information, which policies are designed to be compliant with SEC, GLBA, GDPR, state privacy regulations and FFIEC guidance, as applicable, and incorporate principles from the National Institute of Standards and Technology (NIST) and other industry best-practices where appropriate. The Company’s security and privacy practices are also subject to ongoing independent oversight by multiple regulatory bodies including the OCC and the Federal Reserve, independent audits such as SOC I and SOC II, independent penetration testing of internal and external systems, independent security attestations of compliance with the requirements of the Society of Worldwide Interbank Financial Telecommunications (SWIFT) and the Federal Reserve (FedLine), and independent assessments in connection with the Company’s Payment Card Industry Data Security Standard (PCI DSS) obligations, as applicable.

As a financial institution, the Company collects, stores, and transmits sensitive, confidential, and proprietary data and other information, including intellectual property, business information, funds-transfer instructions, payment card data, and the personally identifiable information of its customers and employees (Sensitive Information). Sensitive Information can be of significant value to criminal actors, and, as described in the Company’s Risk Factors, cyber incidents and other security breaches involving this information at the Company, at the Company’s service providers or counterparties, or in the business community or markets, may negatively impact the Company’s business or performance.

The board of directors of the Company has oversight responsibility for the risk management policies of the Company’s global operations and the operation of the Company’s global risk management framework. The Board Risk Committee, comprised entirely of independent directors, assists the board of directors with this responsibility by, among other things, approving and periodically reviewing the risk management policies of the Company’s global operations, including statements of risk appetite, and adapting the Enterprise Risk Management Policy, when and as appropriate, to changes in the Company’s structure, risk profile, complexity, activities, or size. The combined Chief Information Security Officer and Chief Privacy Officer (CISO/CPO) supplies the Board, directly or through the Board Risk Committee, with regular reports on the operation of the information security and privacy components of this program, the related evolving risks to the Company’s businesses, and the controls and other mitigants utilized to manage those risks. Membership in the Board Risk Committee includes directors experienced at managing risk in various environments, including cybersecurity. Their expertise helps inform the Company’s cybersecurity and privacy program.

Management is responsible for the daily assessment and management of cybersecurity risks. This is accomplished through a variety of tools and mechanisms. The Company has strategically integrated cybersecurity and privacy risk management into its broader risk management framework. This integration ensures that cybersecurity and privacy considerations are an integral part of the Company's decision-making processes at multiple levels. The Company has appointed a qualified CISO/CPO, who reports to the Chief Risk Officer (CRO) as part of independent risk management, who is responsible for establishing strategy and overseeing implementation of an effective, integrated, and proactive information security and privacy program. The CISO/CPO is also responsible for advising and partnering with the board of directors, management team, and lines of business to guide the management of cybersecurity, business continuity and resilience, physical information security, data privacy, third party and information governance risks. The CISO/CPO has more than two decades of global experience within the information security and privacy fields, a relevant bachelor’s degree from an accredited institution, and holds the National Association of Corporate Directors Directorship Certification (NACD.DC), Certified Information Systems Security Professional (CISSP) and Certified Information Privacy Professional (CIPP/US) designations. The CISO/CPO manages a team of qualified professionals with relevant cybersecurity and privacy experience and expertise. The Company has also established a Security, Technology, and Privacy Committee (STP) to oversee security, technology, and privacy capabilities and risks of the Company and its business. The STP includes the CRO, CISO/CPO, leadership across the lines of business, and a cross-functional team of risk, technology, privacy and legal experts to ensure an appropriate focus on information security, technology and privacy matters. 
The STP serves as a sub-committee of the Company’s Enterprise Risk Committee (ERC), which is a sub-committee of the Board Risk Committee. The ERC is chaired by the CRO, and includes members of executive management and a cross-functional team of leaders experienced in managing risk. The STP and ERC receive quarterly briefings from the CISO/CPO on a variety of topics, including material changes in information security or privacy laws, the Company’s ongoing information security posture and compliance, and emerging risks. Company management and its committees may also engage with the CISO/CPO to discuss and receive additional reports regarding cybersecurity and privacy risks on a more frequent basis as appropriate.

Key Program Components

The Company has a vulnerability management program designed to assess and manage risk associated with vulnerabilities in its information systems from multiple perspectives, including: (i) an adversarial cyber risk assessment that aims to identify threats, vulnerabilities and controls and (ii) the scanning of external and internal information systems to identify software vulnerabilities. The vulnerability management program also assesses emerging and potential threats through dedicated threat intelligence capabilities that monitor attacks and breaches associated with financial institutions and key third-party service providers. The CISO/CPO utilizes the data to understand potential exposure to the Company and to take preventative action where appropriate.

The Company has an Incident Response Program (IRP) to support management of cybersecurity or privacy incidents, impact assessment (i.e., type and quantity of data impacted, materiality, etc.), and response coordination including with law enforcement and government agencies, and impacted parties. Notification procedures are aligned with applicable laws, regulatory and contractual requirements, including rules promulgated by the SEC, the GLBA, the GDPR and state privacy regulations. The Company’s IRP, led by the CISO/CPO, includes a cross-functional group of risk, technology, privacy and legal experts supplemented by third-party service providers, where necessary, to support the Company’s response to potential cybersecurity or privacy incidents. The IRP sets forth the framework to elevate cybersecurity or privacy issues to the CISO/CPO and when and how incidents are escalated and reported beyond the CISO/CPO, including to executive management and the Board Risk Committee. Depending on the incident, escalation to the full board of directors may also occur.

The Company has also implemented a third-party risk program to oversee and manage information security and privacy risks associated with third-party relationships. The program includes the assessment of third parties that provide key services or will access, store, process, or transmit Sensitive Information during initial onboarding and throughout the lifecycle of the relationship, and management of applicable contractual provisions relating to confidentiality, integrity, availability and privacy obligations, including notification of incidents. The Company also leverages third-party services for advice, assessments, auditing, testing and support related to cybersecurity and information technology processes and services, where appropriate, that are also subject to the third-party risk program.

Notwithstanding the breadth of the Company’s information security and privacy program, it may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse impact. For a discussion of whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition, see Item 1A “Risk Factors”, which is incorporated by reference into this Item 1C.