SouthState Corp - (SSB)
10-K Filing Date: March 04, 2024
Cybersecurity risk management is an integral part of our overall enterprise risk management system. We have a cross-departmental approach to identifying, assessing, and managing cybersecurity risk, including input from employees and our Board of Directors (the "Board"). The Board and its Risk Committee and Audit Committee (respectively, the “Risk Committee” and the “Audit Committee”), as well as senior management in, among other areas, the information security, information technology, operations, and risk management (including enterprise and operational risk) areas, devote significant resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and to identify and respond to cybersecurity threats and incidents in a timely and effective manner. Our cybersecurity risk management program leverages the National Institute of Standards and Technology (NIST) framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, identification, and remediation. Our information technology and information security areas review enterprise risk management-level cybersecurity risks continually, and key cybersecurity risks are incorporated into the Company’s Enterprise Risk Management Framework that supports its Risk Appetite Statement. In addition, we have a set of Company-wide policies and procedures concerning cybersecurity matters, such as policies related to encryption standards, antivirus protection, remote access, multifactor authentication, confidential information, and the use of the internet, social media, email and wireless devices. These policies go through an internal review process and are approved by appropriate members of management.
On an annual basis, the Board approves the Company’s Information Security Policy and Program which provides a layered approach to cybersecurity, and includes administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of customer information in accordance with applicable law.
The Company’s Chief Information Security Officer (“CISO”) is responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Company’s Chief Risk Officer (“CRO”), who oversees and supervises the risk function, including the information security, compliance, legal, operational (which includes business continuity, model risk, and third party risk functions) and enterprise risk areas. Our CISO has over 18 years of experience in information technology leadership, eight years of which have been spent leading information security oversight, and others on our information security team hold various information security degrees and certifications within applicable disciplines. Our CISO receives reports from our information security team on a regular basis and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents.
Our information security team regularly monitors alerts and meets to discuss threat levels, trends and remediation. The team also regularly collects data on cybersecurity threats and risk areas and conducts an annual risk assessment. Further, we conduct periodic external and internal control validations to assess our processes and procedures and the threat landscape, and we maintain a vulnerability management program designed to identify vulnerabilities and coordinate remediation efforts for any identified vulnerabilities in the environment. We regularly test defenses by performing simulations and drills at both a technical level (including through penetration tests) and by reviewing our operational policies and procedures with third-party experts. These tests and assessments are useful tools for maintaining a robust cybersecurity program to protect our investors, customers, employees, and vendors. Results of these ongoing activities are reported quarterly to management through the Cyber and Information Technology Steering Committee. In addition, we periodically perform simulations and tabletop exercises at the management level and incorporate external resources and advisors as needed. All employees are required to complete information security training at least once every year, and we require employees in certain roles to complete additional role-based, specialized cybersecurity trainings.
We have continued to expand investments in information security and cybersecurity, including providing additional end-user training, using layered defenses, identifying and protecting critical assets, strengthening monitoring and alerting, and engaging third-party cybersecurity experts. For example, in 2023, the Bank engaged a third-party cybersecurity consultant to conduct a review of the Company’s information security and cybersecurity program in relation to overall threat trends and specific factors affecting the Bank’s cyber risk profile. The review assisted management in enhancing the Company’s cyber-risk reduction efforts, including updating the Bank’s cybersecurity strategy and program. The Company also maintains cybersecurity insurance provided by carriers that can provide additional technical, legal, and consultation services in the event of a security event that requires additional staff or expertise, including attorneys, forensic accountants, and public relations professionals, among others.
In addition to assessing our own cybersecurity preparedness, we also identify, evaluate and manage cybersecurity risks associated with use of third-party vendors and service providers. Our third-party risk function conducts an annual review of third-party hosted applications with a specific focus on any sensitive data shared with third parties. Our information security area regularly reviews third-party vendors and service providers, including their System and Organization Controls (SOC) 1 or SOC 2 report. If a third-party vendor or service provider is not able to provide a SOC 1 or SOC 2 report, we take additional steps to assess its cybersecurity preparedness and assess our relationship on that basis. The frequency and granularity of our review of third-party vendors and service providers is based on an assigned risk rating for each third-party vendor and service provider. Our assessment of risks associated with use of third-party vendors and service providers is part of our overall cybersecurity risk management framework.
The Board has ultimate oversight responsibility for the Company’s risk management, recognizes the importance of protecting the data provided by the Company’s customers and employees, and devotes considerable time and attention to overseeing the strategies the Company employs to protect our data and systems and to mitigate cybersecurity risk. A cybersecurity expert chairs the Risk Committee and provides technology-related insight and guidance to the Company. As part of the Risk Committee’s responsibility for monitoring key business and regulatory risks, the Risk Committee receives from our CISO quarterly reports and materials which include a review of cybersecurity and information technology key risk indicators, test results and related remediation, and any recent cybersecurity threats or incidents and how the Company is managing those threats or incidents. The Risk Committee also periodically reviews reports on the threat environment, vulnerability assessments, results of penetration testing, and potential cybersecurity and data privacy incidents, as well as information on ongoing employee training relating to data privacy and cybersecurity and how to protect data against cyber threats. Further, on a quarterly basis, our CRO presents to the Risk Committee updates from our Director of Enterprise and Operational Management on the Company’s business continuity program, which covers, among other things, outages and incidents and disaster recovery and business continuity testing. The Risk Committee also approves the annual risk assessment required by the Gramm-Leach-Bliley Act. Moreover, the CISO follows a risk-based escalation process to notify the Risk Committee outside of the cycle of regular updates when management has identified an emerging risk or material issue related to cybersecurity. The Risk Committee also reports material cybersecurity risks to the full Board, based on our CISO’s assessment of risk.
In addition, the Audit Committee reviews reports of the Company’s internal audit department’s periodic audits of our information security area and various components thereof.
We face a number of cybersecurity risks in connection with our business and we have, from time to time, experienced threats to and incidents involving our data and systems. For more information about the cybersecurity risks we face, see the risk factors captioned “We are subject to complex and evolving laws, regulations, rules, standards and contractual obligations regarding data privacy and cybersecurity, which could increase the cost of doing business, compliance risks and potential liability” and “We face cybersecurity risks from cyber-attacks, information security breaches and other similar incidents that could result in the disclosure of confidential and other information (including personal information), adversely affect our business or reputation, and create significant legal and financial exposure” in Item 1A, Risk Factors.