Independent Bank Group, Inc. - (IBTX)

10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity and Risk Management
The Company’s cybersecurity risk management processes are integrated into the overall risk management system through reporting of cyber risks to the Technology and Information Security Oversight Committee, Operational Risk Committee, Enterprise Risk Committee, and Board Risk Oversight Committee. Risk Appetite statements are approved by the Board Risk Oversight Committee and the Board, and Key Risk Indicators are monitored on an ongoing basis by the Information Security team and the Operational Risk and Enterprise Risk Committees. The Company performs regular Information Security focused Risk Assessments at the entity level, including but not limited to assessments based on the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool (FFIEC CAT) and Ransomware Self-Assessment Tool (R-SAT), and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Engagement of Third Parties
Information Security leverages third parties for cyber security services including but not limited to managed security services, external penetration testing, and tabletop exercises.
Oversight and Identification of Risks Associated with Third Parties
Information Security, in coordination with Third Party Risk Management, reviews new vendors at onboarding to oversee and identify potential risks and performs ongoing monitoring of emerging risks related to any third-party service providers. Third-party service provider reviews include completion of a standardized questionnaire and review of SOC reports. New technology projects are subject to a Security Architecture Review completed by Information Security. Information Security coordinates with Contract Management to perform contract reviews for security controls and notification processes. Information Security conducts annual IT Risk Assessments on Tier 1 applications, defined as those vendors of critical importance to the Company's core operations.
Risks from Cybersecurity Threats
In the last fiscal year, we have not experienced any material cybersecurity incidents. For a full discussion of cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, see Item 1A. Risk Factors.
Board Oversight
Our Board Risk Oversight Committee is charged with overseeing the Company’s management of credit, market, liquidity, operational (including information technology and cybersecurity), compliance, reputational and strategic risks, including the annual approval and recommendation to the Board of Directors of the Company’s risk appetite statement and approval of the Company’s risk management framework.
Risks from cybersecurity threats are monitored on an ongoing basis by the Information Security team, engaging the Cyber Incident Response Team, Cyber Crisis Team, the Core Team, and Extended Core Team, as needed, and escalated to the extent that incidents rise to the level of notification to the relevant risk or board committee or on an ad hoc basis.
Additionally, quarterly cybersecurity updates are provided to risk and board committees including, but not limited to, the following materials: Annual GLBA Report, Information Security Metrics (including Key Performance and Key Risk Indicators), Penetration Testing and Tabletop Exercise updates, Cyber Maturity Assessments/Roadmap, Annual Threat Landscape Report, and additional cybersecurity education topics.
Management and Assessment of Risk
The Enterprise Risk Sub-Committee (ERC) (a management committee) assists executive management and the Board of Directors with providing oversight of the Bank’s enterprise risk management program.
The ERC and Board Risk Oversight Committee work together to facilitate effective risk management and timely escalation of substantive issues, including Operational Risk (which includes information technology and cybersecurity).
The Chief Information Security Officer (CISO), reporting to the Chief Risk Officer, is responsible for information security and cybersecurity risk management. The CISO has over 20 years of experience in cybersecurity in Financial Services and is a Certified Information Systems Security Professional (CISSP) and holds a SysAdmin, Audit, Network and Security Global Information Assurance Certification (SANS GCIA).
Incident and Risk Escalation Through Cyber Incident Response Plan
Information Security maintains processes for prevention, detection, and mitigation of cybersecurity incidents. The Company maintains a Cyber Incident Response Plan (CIRP) that covers response and remediation processes for managing cybersecurity incidents. The CIRP outlines the cross-functional responsibilities for the Cyber Crisis Team, the Core Team and Extended Core Team during a notification incident. The Core Team consists of the Chief Information Security Officer, Chief Legal Officer, Chief Information Officer, and Director Operational Risk Management to manage the incident. The Extended Core Team consists of other business area leaders who may need to be engaged based on the area of impact. All CIRP incidents are managed through an Incident Commander with communications being escalated to executive leadership as needed, who will then report to the Board. Key Performance Indicators and Key Risk Indicators related to monitoring and detection are presented to Technology and Information Security and Operational Risk Management Committees.
Incident and Risk Escalation to Board
The Board Risk Oversight Committee oversees the ERC and works directly with the ERC to facilitate effective risk management and timely escalation of substantive issues from ERC and ERC’s sub-committees, including Operational Risk (which includes information technology and cybersecurity). Quarterly, cybersecurity updates are provided to risk and board committees including, but not limited to, the following materials: Annual GLBA Report, Information Security Metrics (including Key Performance and Key Risk Indicators), Penetration Testing and Tabletop Exercise updates, Cyber Maturity Assessments/Roadmap, Annual Threat Landscape Report, and additional cybersecurity education topics.