1ST SOURCE CORP - (SRCE)

10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
Our Board of Directors has delegated primary responsibility for oversight of cybersecurity risk management to the Audit, Finance & Risk Committee of the Board. The Committee receives quarterly reports from the Chief Information Security Officer (CISO) and from the Chief Risk Officer (CRO) and reviews them with those officers. These reports are made available to all board members concurrently. The CRO’s report includes an evaluation of the level of cybersecurity risk and the strength of mitigating controls. All board members are invited to attend the portion of the Committee’s meetings devoted to reviewing the risk management reports received from management (e.g., the CRO, CISO and Chief Compliance Officer).
Our processes for assessing, identifying, and managing material risks from cybersecurity threats are based on examination guidance published by the Federal Financial Institutions Examination Council (FFIEC), an interagency body established under the Financial Institutions Regulatory and Interest Rate Control Act of 1978. Consistent with FFIEC guidance, 1st Source selected and adheres to the risk management framework published by the Cyber Risk Institute, known as the “CRI Profile.” The CRI Profile is based primarily on the well-known National Institute of Standards and Technology (NIST) “Framework for Improving Critical Infrastructure Cybersecurity” and is tailored to ensure that the expectations of financial institution regulators are met. Our processes are designed to meet the standards for all seven CRI Profile functions: governance, identification, protection, detection, response, recovery, and supply chain dependency management. In addition, we adhere to the security standards set by the PCI Security Standards Council, which are designed to ensure secure payments globally.

Risks from cybersecurity threats, including risks identified from previous cybersecurity incidents, have required significant investments over time in maturing our Information Security Program and attracting and retaining the personnel with requisite experience and expertise. In particular, the CISO has substantial relevant expertise in the financial services industry and formal training in the areas of information security and cybersecurity risk management. We will need to continue to make meaningful investments in cybersecurity controls for continuous improvement and maturation in response to constantly evolving cybersecurity threats. Cybersecurity threats will continue to be endemic to the financial services industry for the foreseeable future.
Governance
Our Board and senior management oversee our processes for management of cybersecurity risks consistent with the foregoing standards. Such oversight includes regular reporting by management to the Board on the adequacy of those processes and on any potential material issues identified. Before escalation to the Board, issues are generally identified and assessed through the risk governance structure established under our Enterprise Risk Management Program. That structure has three distinct components: management oversight, third-party professional assessment, and separate oversight and review by our Internal Audit Department. Management oversight is maintained through several committees that serve as forums for further assessment, remediation, and escalation. These management oversight committees are: the Information Security Committee, co-chaired by the CISO and CRO; the Operational and Compliance Risk Committee, chaired by the CFO and vice-chaired by the CISO and the Chief Compliance Officer; the IT Steering Committee, chaired by the Chief Information Officer; the Enterprise Risk Management Committee, chaired by the CRO; and the executive management committee known as the Strategic Deployment Committee, chaired by the CEO.
We regularly engage third-party assessors, consultants, and auditors to test and evaluate our controls for managing cybersecurity threats. These include third-party engagements commissioned by management and by our Internal Audit Department for (i) regular penetration testing of our cyber defenses, including an annual PCI-certified penetration test, (ii) third-party “health checks” on supporting technology, including our security information and event management (SIEM) system and our vulnerability management program, and (iii) third-party social engineering tests that measure how effectively our employee training enables staff to recognize and report attempts by malicious actors to obtain access or information. In addition, the Federal Reserve and the DFI examine our control environment for managing cybersecurity risks each year.
Our risk governance structure also includes a Third-Party Risk Management Program, with first-level oversight by management’s Third-Party Risk Management Committee, that conforms to bank regulatory guidance. This program includes due diligence on, and periodic monitoring of, the information security controls that service providers have in place to protect the confidential data we entrust to them for receipt, processing and/or storage.
The measures summarized above are intended to help ensure that 1st Source does not suffer a material adverse impact from security breaches, but, as cybersecurity risks evolve and increase in sophistication, we can provide no assurance that our financial condition or results of operations will not be adversely impacted. See “Item 1A. Risk Factors - Operational Risks - Technology Security Breaches.”