TRUSTMARK CORP - (TRMK)
10-K Filing Date: February 15, 2024
Trustmark recognizes the critical importance of identifying, assessing and managing material risks from cybersecurity threats. Trustmark is committed to implementing and maintaining a comprehensive information security program to manage such risks and safeguard its systems and data.
Trustmark’s Board of Directors has ultimate oversight of cybersecurity-related risks and it is assisted in this role by the Enterprise Risk Committee and the Audit Committee. Processes for identifying, assessing and managing cybersecurity-related risks are integrated into Trustmark’s overall enterprise risk management process, which is overseen by the Enterprise Risk Committee. The Enterprise Risk Committee is responsible for monitoring risks that are being taken by Trustmark, understanding the enterprise-wide effect of those risks and reporting such risks to the Board. In fulfilling this role, the Enterprise Risk Committee has primary oversight responsibility over management’s efforts to manage and mitigate cybersecurity-related risk and reviews and approves Trustmark’s cybersecurity strategy for protecting Trustmark’s information assets and technology platforms. The Audit Committee oversees Trustmark’s Internal Audit Department, which conducts reviews and assessments related to information security. Management provides periodic reports to the Enterprise Risk Committee and the Audit Committee, both of which provide reports of their meetings to the full Board. These reports to the Board and its Committees address the threat environment, vulnerability assessments, specific cyber incidents and management’s efforts to monitor, detect and prevent cyber threats.
Trustmark’s information security program is primarily administered at the management level by the Information Security Department, which is led by Trustmark’s Chief Information Security Officer (CISO), and is supported by the Information Technology Department, which is led by Trustmark’s Chief Information Officer (CIO). The CISO reports to the CIO, who in turn reports to Trustmark’s Chief Credit and Operations Officer. Trustmark’s Information Security Department is responsible for day-to-day management of Trustmark’s information security program, including data loss prevention, access control, threat monitoring, incident response and employee education and training. The Information Security Department also maintains policies related to cybersecurity and data security that provide the required governance for the information security program. Additionally, Trustmark’s Information Technology Department maintains policies that govern technical aspects of Trustmark’s information security program. Each policy is reviewed and approved by the Enterprise Risk Committee at least every three years and is mapped to applicable regulatory guidance. The Cybersecurity Operations team within the Information Technology Department maintains and runs Trustmark’s security operations center and is responsible for cybersecurity event management and maintaining security tooling. Trustmark also maintains an Information Security / Cybersecurity Management Committee, which is comprised of representatives from the Information Security, Information Technology, Enterprise Risk, Corporate Security, Internal Audit and Legal departments and members of executive management. This committee meets quarterly to discuss and review Trustmark’s information security program and receives qualitative and quantitative update reports from the Information Security Department, Internal Audit Department and Information Technology Department.
Trustmark engages third party assessors, consultants and auditors in connection with its information security program, including to conduct external penetration testing, independent audits and risk assessments. Trustmark also utilizes third party service providers in the ordinary course of business. The Information Security Department performs information security assessments for third party service providers that store or process Trustmark confidential data. These information security assessments include a review of any systems and organization control reports, proof of the vendor’s independent testing of their data protection controls, as well as a review of any exceptions noted and assessment of management responses, results of vulnerability and penetration testing, incident response processes and third party data protection controls (which can include, but is not limited to: access reviews and controls, backups, monitoring, encryption standards and disaster recovery). The review of these areas is taken into account in order to provide an overall information security conclusion and risk rating for the vendor.
As a regulated financial institution, Trustmark is also subject to financial privacy laws and its cybersecurity practices are subject to oversight by the federal banking agencies. For additional information, see “Supervision and Regulation – Financial Privacy Laws and Cybersecurity” included in Part I. Item 1 – Business of this report.
Although Trustmark has not, as of the date of this Annual Report on Form 10-K, experienced a cybersecurity threat or incident that materially affected its business strategy, results of operations or financial condition, there can be no guarantee that Trustmark will not experience such an incident in the future. For additional information regarding the risk Trustmark faces from cybersecurity threats, please see the risk factors titled “Trustmark may experience disruptions of its operating systems or breaches in its information system security” and “Trustmark must utilize new technologies to deliver its products and services, which could require significant resources and expose Trustmark to additional risks, including cyber-security risks” included in Part I. Item 1A. – Risk Factors of this report.