Hilltop Holdings Inc. - (HTH)

10-K Filing Date: February 14, 2024
Item 1C. Cybersecurity.

Risk Management and Strategy

Hilltop recognizes the critical importance of protecting company data and the information systems that collect, process and maintain data, and we have developed an enterprise-wide program for assessing, identifying and managing material cybersecurity risks and threats. The systems we utilize include safeguards to protect against or mitigate possible threats, as well as controls designed to ensure accountability, availability, integrity and confidentiality of the data. Security measures are implemented to guard against unauthorized access, alteration, disclosure or destruction of data and systems, including accidental loss and destruction. Our program is supported by management and the board of directors.

Organizational Model

Our Information Security Department is comprised of three primary functions:

Information Technology (“IT”) Risk assesses technology risks and controls, evaluates application systems’ conformance to internally defined and approved security standards, coordinates audits and examinations for IT and IT security, as well as tracks open risk issues and exceptions.
IT Security defines security policies and standards, conducts security awareness and training, evaluates security configuration and assesses vulnerability risk.
Security Operations utilizes security solutions to detect and respond to security threats and supports the end-user security needs. We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity and availability of our data.

Supporting these core information security functions is an Information Security Engineering team within our Engineering organization. This team is charged with the configuration, implementation and ongoing maintenance of the solutions that enhance our security posture.


Managing Material Cybersecurity Risks

As a part of our overall risk management strategy, IT Risk conducts risk assessments on the technology environment as well as application systems implemented to support the various business functions of Hilltop based on the Gramm-Leach-Bliley Act guidance. Risks are identified from the Enterprise Risk Management and Internal Audit assessments of IT and Information Security. IT then quantifies the incidents and risks that have been identified and, if they meet certain thresholds, reports them to the Operations & Strategy Committee, which is comprised of executives from across the enterprise representing disciplines including compliance, regulatory, information technology, risk, finance and operations. The necessary controls are identified to address the risk, and this control evaluation contributes to the assessment of the residual risk value. In 2023, additional assessments were completed utilizing the FFIEC Cybersecurity Assessment Tool and the Ransomware Self-Assessment Tool for the enterprise.

Engage Third-Parties on Risk Management

Recognizing the complexity and evolving nature of cybersecurity threats, Hilltop engages with a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain at the forefront of industry best practices. Our collaboration with these third-parties includes regular audits, threat assessments, and consultation on security enhancements. In particular, each year we engage a firm to perform penetration testing. We do not allow the same firm to be engaged for more than three years in an effort to obtain diversity in methods of testing. Additionally, at least every two years, we engage a firm to perform a red-team exercise for a simulated cybersecurity event.

Service Provider Oversight

HTH Procurement processes contract requests, contract renewals and onboarding of vendors. This process creates a single point of entry for all sourcing and contract requests. Vendors who match certain inherent risk levels are then sent to Vendor Risk Management (“VRM”) for further review and due diligence. Vendors who host Non-Public Personally Identifiable Information or vendors who we deem materially critical, regardless of risk, are managed by VRM. The VRM’s due diligence process is risk-based and serves as a verification and analysis tool to assist in the evaluation of risk associated with new vendor relationships and ongoing reviews of inherently high-risk and vital vendors. VRM also is tasked with monitoring managed vendors’ business continuity and disaster recovery processes.

VRM considers specific factors in performing their due diligence based on the risk profile of the high-risk and vital vendor and services being performed. The specific factors include, but are not limited to, a review of the vendor’s:

Information security and related controls (third-party audit);
Existence of disaster recovery and business continuity program and testing;
Financial status, including reviews of financial statements; and
Geographic location (country risk).

Material findings are reported to the Operations & Strategy Committee. A report of these vendors also is provided to the Risk Committee of the board of directors, which provides updates to the full board of directors.

Risks from Cybersecurity Threats

We face a number of cybersecurity risks in connection with our business. We do not currently believe that any current cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected, or are reasonably likely to materially affect, Hilltop, including its business strategy, results of operations or financial condition. For more information about the cybersecurity risks we face, see Item 1A., “Risk Factors — Our operational systems and networks have been, and will continue to be, subject to an increasing risk of continually evolving cybersecurity or other technological risks, which could result in a loss of customer business, financial liability, regulatory penalties, damage to our reputation or the disclosure of confidential information.”


Governance

The board of directors is acutely aware of the critical nature of managing risks associated with cybersecurity threats. To address the significance of these threats to our operations, customers and stockholders, we have established oversight mechanisms to ensure effective management, oversight and governance in managing risks associated with cybersecurity threats.

Board of Directors Oversight

Our board of directors and the Risk Committee of the board of directors oversee an enterprise-wide approach to risk management, including cybersecurity risks, intended to support the achievement of organizational objectives, including strategic objectives, to improve long-term organizational performance and enhance stockholder value. The Risk Committee is central to the board of directors’ oversight of cybersecurity risks and bears the primary responsibility for this function. The Risk Committee is composed of board members with diverse expertise, including risk management, assisting them to oversee cybersecurity risks. The Risk Committee receives regular reports from our Chief Information Officer (“CIO”) and provides updates to the full board of directors at each regular meeting of the board of directors. The Risk Committee also reviews all information security plans and policies, which are then recommended to the full board of directors for its review and approval.

Management’s Role in Managing Risk

Our CIO plays a pivotal role in informing the Risk Committee on cybersecurity risks and developments. Our CIO provides comprehensive briefings to the Risk Committee on a regular basis, with a minimum frequency of four times per year. These briefings encompass a broad range of topics, including:

Current cybersecurity landscape and emerging threats;
Status of ongoing cybersecurity initiatives and strategies;
Incident reports and learnings from any cybersecurity events;
Vulnerability management, including software patching, reviews of risk accepted vulnerabilities (remediated, renewed and top risks) and trends related thereto; and
Compliance with regulatory requirements and industry standards.

In addition to Risk Committee meetings, our CIO generally meets with executive management weekly to provide updates regarding current activities and areas of focus. In the event of a potential or actual cybersecurity event, the CIO immediately notifies the General Counsel, at which point the information security incident response plan is activated if warranted. The information security incident response plan provides the procedures for responding, including the personnel required to be informed and updated. The board of directors is informed promptly in the event such an incident has, or is reasonably expected to have, a material impact on operations or financial condition. We also conduct cybersecurity tabletop exercises each year to ensure our processes and procedures align with our technical controls, and to ensure that the organization is prepared for a security-related event.

Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with our CIO. With over twenty years of experience in the field of cybersecurity, our CIO brings a wealth of expertise to his role. His background includes extensive experience in all facets of information technology and information security and is well-recognized within the industry. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies.

Our CIO is responsible for our Information Security Program and our information security leaders report directly to our CIO. In order to maintain a separate reporting line for our information security leaders, we also maintain a standing committee, the Information Security Governance Committee, which consists of certain members of executive management and the information security leaders. Our Information Security Governance Committee allows for direct management reporting for IT Risk management, audit/examination report(s) review, and oversight of our IT Security strategy and daily Security Operations.


Monitor Cybersecurity Incidents

Our CIO is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. To assist our information security team in such knowledge acquisition, we subscribe to certain services that provide us alerts on security incidents and threats. Our CIO oversees the implementation of, and the processes for, the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. As previously noted, in the event of a cybersecurity incident, the information security incident response plan is enacted. This plan includes immediate actions to mitigate the impact of and remediate the incident.