SANDY SPRING BANCORP INC - (SASR)
10-K Filing Date: February 20, 2024
Item 1C. CYBERSECURITY RISK
Information security, which includes cybersecurity, is a significant operational risk facing our business. Cybersecurity risks arise from intentional malicious attacks or unintentional acts that affect the confidentiality, integrity or availability of our, our clients' or third parties' operations, systems or data.
Management assesses and manages material risks from cybersecurity threats through designated management positions and committees that are responsible for overseeing technology and information security. Our Chief Information Security Officer is responsible for information security and cybersecurity risk management. He has over 20 years of financial services related experience in cybersecurity program strategy, security architecture and security team leadership. Our Chief Technology Officer, among other duties, is responsible for the security and integrity of systems, applications and databases and coordinates security implementations, monitoring and enforcement in conjunction with the Chief Information Security Officer. He has over 25 years of experience building and leading technical organizations of various sizes, including in the banking industry.
We maintain a comprehensive information security policy that is intended to maintain the security and confidentiality of client information, protect against threats to the security or integrity of such information, and protect against unauthorized access to or use of such information. We have a written information security program that is aligned to our information security policy and designed to assess, identify and manage risks that result from cybersecurity threats. The program is overseen and executed by a team of experienced, certified cybersecurity professionals. Our information security program is centered on preparing for, preventing, detecting, mitigating, responding to and recovering from cyber threats and cyber incidents while ensuring our processes continue to operate effectively.
We use the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool to help us identify our cybersecurity risks and determine our cybersecurity preparedness. This assessment tool incorporates regulatory guidance as well as concepts from other industry standards, including the National Institute of Standards and Technology Cybersecurity Framework. The results of the assessment are used to determine risk management practices and controls so that our cybersecurity preparedness addresses the identified risks in a manner consistent with our risk appetite. We engage a third party to provide an annual risk assessment of our compliance with interagency guidelines for safeguarding confidential customer information. This risk assessment focuses on our information security program and the controls in place to protect client information. The results of the risk assessment are analyzed and used to improve our information security program where needed. Internal audits, regulatory examinations and third-party assessments of our information technology and information security processes also help us assess our cybersecurity preparedness and whether risk management practices and controls need adjustment. Risk issues are identified through assessments, audits, examinations and security testing, and are tracked and reported.
We have contracted with various service providers (vendors) who provide a broad range of services, including core banking, communications, collaboration and infrastructure services. We have established a vendor management policy that sets out the principles, framework and guidance for the effective review, engagement, monitoring and oversight of vendors, to ensure that we adequately manage the operational, strategic, reputational and other related risks inherent in outsourcing services or operations. We manage the cybersecurity risks posed by our use of third-party service providers by conducting periodic risk assessments.
The cybersecurity operations team is responsible for cyber threat detection, investigation and response. We leverage a managed security service provider to monitor key system and network activity on a 24/7/365 basis and to detect and alert the cybersecurity operations team to cyber threats and potential cybersecurity events of concern. In addition to monitoring for security events, we analyze cyber threat intelligence sources in order to understand potential cyber threats and the techniques that may be used in cyberattacks against us, and to monitor for such threats. Examples of cyber threat intelligence sources include the Financial Services Information Sharing and Analysis Center, trade organizations, the Cybersecurity and Infrastructure Security Agency, security service providers, vendor alerts, and open-source intelligence sources.
Our cybersecurity risk management processes are integrated into our overall risk management system through our risk management committee structure. These committees have processes to help facilitate appropriate and effective oversight of cybersecurity risk, including tracking and reporting of cybersecurity risks and remediation plans. The Technology Risk Committee, which is a standing subcommittee of the Operational Risk Committee, is responsible for the oversight of policies and practices relating to the identification, assessment, measurement, monitoring and management of our technology and information security risks. The Technology Risk Committee is chaired by our Chief Technology Officer and members include our Chief Information Officer, Chief Information Security Officer, and administrators of key business systems. The Technology Risk Committee reports regularly to the Operational Risk Committee, which reports to the Executive Risk Committee, which includes our Chief Executive Officer and other executive officers. Through this committee reporting structure, management is informed about and monitors the information security program and its management of cybersecurity risks and incidents.
The Board of Directors, through the efforts of its Risk Committee, oversees our continuing efforts to strengthen our information security infrastructure and staffing, adhere to regulatory guidelines and enhance our processes, technology controls and cybersecurity defenses. As part of its oversight of operational risk, the Risk Committee is responsible for the oversight of information security and cybersecurity risk management. Our Chief Information Security Officer regularly reports to the Risk Committee on security events, testing, training, audits, new system assessments and the identification and remediation of cybersecurity risks. These reports also include topics such as the threat environment and vulnerability assessments, results of penetration testing, results of key cyber risk indicators and performance metrics, and our efforts to detect, prevent and respond to internal and external critical threats. The Risk Committee receives periodic updates on information security risk, the maturity of our information security program, and related investments and results. On an annual basis, the Risk Committee reviews and approves our information security program and information security policy.