BankUnited, Inc. - (BKU)
10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We are committed to maintaining robust governance, oversight and management of cybersecurity risks. We have established and implemented processes, supported by written policies and procedures, to detect, assess, classify, respond to, report, track, and resolve cybersecurity threats or incidents. We have implemented systems and controls to address the information technology risks to our organization, our business partners and our customers. We employ a layered security approach leveraging diverse strategies including data loss prevention, access and identity management, network security, vulnerability management, end-point security and information security education and awareness, among others. As a federally regulated institution, the Company strongly supports an environment that facilitates and abides by the Confidentiality, Integrity, and Availability security principles.
Our risk-based policies, procedures, and practices are integrated into our overall risk management program and have been implemented across the organization to manage and mitigate risks from cybersecurity threats. We continuously assess risks from cybersecurity threats and monitor our information systems for potential vulnerabilities. We conduct regular reviews and tests of our information security program, including penetration and vulnerability testing and other exercises, to evaluate the effectiveness of our program and improve our cybersecurity posture. These evaluations provide the Company with an unbiased view of its environment and controls. All cybersecurity incidents, technology outages or failures, and vulnerabilities identified during these assessments are inventoried in a centralized tracking system and reported to impacted users and to management on a regular basis. A multi-step approach is applied to identify, prioritize, report, and remediate these vulnerabilities. SLAs are established for remediation of any incidents or outages detected, depending on their nature and potential impact. Our cybersecurity policies, procedures and practices are integrated with our overall risk management program by the inclusion of cybersecurity and information systems KRIs in our enterprise-wide comprehensive risk assessment process and risk appetite statement, the involvement of our Chief Risk Officer in the MAT, and oversight of cybersecurity risk by our Enterprise Risk Management Committee and the Risk Committee of the Board of Directors.
We have engaged cybersecurity service provider experts and maintain an industry-leading incident response retainer to further enhance our cybersecurity safeguards and support our processes for assessing, identifying, and managing material risks from cybersecurity threats. Our third-party experts perform assessments that aid us in effectively detecting and responding to evolving cybersecurity attacks and, in the event of a cybersecurity incident, our experts will assist us with incident response support, digital forensics and incident remediation.
The Company’s third-party risk management framework and processes have been aligned with regulatory requirements and, we believe, with industry best practices to oversee and identify risks from cybersecurity threats associated with the use of third-party service providers. We take a risk-based approach in performing cybersecurity assessments of third-party service providers at the time of onboarding, as part of regular ongoing monitoring, at the time of contract renewal, and upon detection of any increase in risk profile. Our information security division collaborates with our third-party risk management unit to evaluate the information technology and security programs of significant third-party service providers. As applicable, these reviews evaluate the design and operational effectiveness of information technology and security-related controls employed by service providers. In addition, the third party’s information technology and security policies and procedures are evaluated to form an overall opinion of the third-party service provider's technology and information security posture.
The Company has developed a training program to educate employees about its cybersecurity policies and standards, best practices, and potential threats to instill a culture of cybersecurity awareness and compliance throughout the organization. The training program includes, but is not limited to, ongoing and targeted training on topics such as social engineering, mobile security, data handling and protection, password security and incident reporting. All employees are required to participate in the training.
In 2022, Clarium Managed Services, LLC (“Clarium”) conducted a Cybersecurity Assessment for the Bank. The assessment gauged the overall Cybersecurity Risk Posture of the Bank and resulted in a score of 4.8 on a scale of 0 to 5. In the last three fiscal years, the Company has not experienced any material cybersecurity incidents. No specific cybersecurity threats or incidents, including those resulting from any previous cybersecurity incidents, have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition. See Item 1A "Risk Factors" for a discussion of our cybersecurity risks.
Cybersecurity Governance
The Risk Committee of the Board of Directors is ultimately responsible for oversight of risks from cybersecurity threats, the Company's information risk management function, and the effective implementation of its cybersecurity program. The CISO reports routinely, typically at each of its regularly scheduled meetings, to the Risk Committee on matters including the Company's cybersecurity program, cybersecurity threats and the cybersecurity threat environment. The Risk Committee formally approves the Company's cybersecurity policy and program annually, and more frequently if material changes are adopted.
At the management level, the CISO leads the ongoing technical and business functions that include cybersecurity, information assurance, network security, systems engineering, and information security management. A dedicated information security division reports to the CISO. The CISO has over 30 years of experience in information systems security, including physical, cyber and IT security, disaster recovery, business continuity planning, secure software development, and cloud services and security, among others. The CISO holds multiple designations from the International Information System Security Certification Consortium, including Certified Information Systems Security Professional, and has been a member of various boards including IT, Cybersecurity and Enterprise Risk Committees. Organizationally, the CISO reports to the CIO, but also reports directly to and has access to the Risk Committee of the Board of Directors. The CIO has over 30 years of experience in financial services information technology.
The Company has designated the MAT to assess and oversee the management and reporting of identified potentially material cybersecurity threats or incidents. The MAT convenes when a qualifying cybersecurity threat is identified by the CIO, the CISO, or their designees in accordance with established processes and procedures. The MAT has the responsibility to determine whether a cybersecurity threat or incident is material and oversee appropriate reporting. The MAT is also responsible for communicating to the Risk Committee any material cybersecurity threats or incidents.
The CISO, CIO, CRO, CFO, CAO, and General Counsel comprise the MAT. Other SMEs or technical experts may advise, consult with and provide information to the MAT as needed. In addition to the specific subject matter expertise and experience of the CISO and CIO, these executives have broad financial, legal, risk management, industry, regulatory and SEC compliance, and general leadership experience, which enable the MAT to effectively carry out its responsibilities.