TEXAS CAPITAL BANCSHARES INC/TX - (TCBI)
10-K Filing Date: February 13, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
Cybersecurity risks are constantly evolving and becoming increasingly pervasive across all industries. To mitigate these risks and protect sensitive customer data, financial transactions and our information systems, the Company has implemented a comprehensive cybersecurity risk management program, which is a component of its overarching enterprise risk management program. Key components of the cybersecurity risk management program include:
•A risk assessment process that identifies and prioritizes material cybersecurity risks; defines and evaluates the effectiveness of controls to mitigate the risks; and reports results to executive management and the Board of Directors.
•A third-party Managed Detection and Response (“MDR”) service, which monitors the security of our information systems around-the-clock, including intrusion detection and alerting.
•A dedicated cybersecurity team covering all critical cyber defense functions such as engineering, data protection, identity and access management, insider risk management, security operations, threat emulation and threat intelligence.
•A training program that educates employees about cybersecurity risks and how to protect themselves from cyberattacks.
•An awareness program that keeps employees informed about cybersecurity threats and how to stay safe online.
•An incident response plan that outlines the steps the Company will take to respond to a cybersecurity incident, which is tested on a periodic basis.
The Company engages reputable third-party assessors to conduct various independent risk assessments on a regular basis, including but not limited to maturity assessments and various testing. Following a defense-in-depth strategy, the Company leverages both in-house resources and third-party service providers to implement and maintain processes and controls to manage the identified risks.
Our Third-Party Risk Management program is designed to ensure that our vendors meet our cybersecurity requirements. This includes conducting periodic risk assessments of vendors, requiring vendors to implement appropriate cybersecurity controls and monitoring vendor compliance with our cybersecurity requirements.
The Company’s cybersecurity risk management program and strategy are designed to ensure the company's information and information systems are appropriately protected from a variety of threats, both natural and man-made. Periodic risk assessments are performed to validate control requirements and ensure that the Company’s information is protected at a level commensurate with its sensitivity, value, and criticality. Preventative and detective security controls are employed on all media where information is stored, the systems that process it, and infrastructure components that facilitate its transmission to ensure the confidentiality, integrity, and availability of Company information. These controls include, but are not limited to access control, data encryption, data loss prevention, incident response, security monitoring, third party risk management, and vulnerability management.
The Company's cybersecurity risk management program and strategy are regularly reviewed and updated to ensure that they are aligned with the Company's business objectives and are designed to address evolving cybersecurity threats and satisfy regulatory requirements and industry standards.
Material Effects of Cybersecurity Threats
While cybersecurity risks have the potential to materially affect the Company's business, financial condition, and results of operations, the Company does not believe that risks from cybersecurity threats or attacks, including as a result of any previous cybersecurity incidents, have materially affected the Company, including its business strategy, results of operations or financial condition. However, the sophistication of cyber threats continues to increase, and the Company’s cybersecurity risk management and strategy may be insufficient or may not be successful in protecting against all cyber incidents. Accordingly, no matter how well designed or implemented the Company’s controls are, it will not be able to anticipate all cybersecurity breaches, and it may not be able to implement effective preventive measures against such security breaches in a timely manner. For more information on how cybersecurity risk may materially affect the Company’s business strategy, results of operations or financial condition, please refer to Item 1A Risk Factors.
Governance
Board of Directors Oversight
The Company’s Board of Directors is charged with overseeing the establishment and execution of the Company’s risk management framework and monitoring adherence to related policies required by applicable statutes, regulations and principles of safety and soundness. Consistent with this responsibility, the Board has delegated primary oversight responsibility over the Company’s risk management framework, including oversight of cybersecurity risk and cybersecurity risk management, to the Risk Committee of the Board of Directors. The Risk Committee receives regular updates on cybersecurity risks and incidents and the cybersecurity program through direct interaction with the Chief Information Security Officer (“CISO”) and the Head of Information Risk and provides periodic updates regarding cybersecurity risks and the cybersecurity program to the full Board of Directors. Additionally, awareness and training on cybersecurity topics is provided to the Board on an annual basis.
Management's Role
The Information Security department is responsible for implementing and maintaining the Company’s cybersecurity risk management program. The Information Security department consists of cybersecurity and information risk professionals who assess, identify, and manage cybersecurity risks. Information Security is led by the CISO, who reports directly to the Chief Information Officer and the Board of Directors with dotted-line reporting to the Chief Risk Officer. The Company’s CISO has over 20 years of experience in cybersecurity across the financial services industry as well as experience working in a leading managed security services provider. Prior to joining the Company, the Company’s CISO served as leader of the Global Threat Management Center for a major global financial institution. The Information Risk department, led by the Head of Information Risk who reports directly to the Chief Risk Officer, is responsible for ensuring the protection of electronic and physical information through the identification and management of risk activities. As a governance and oversight function, the Information Risk department measures and reports on the quality of information and cyber risk management across all functions of the firm. Information security risk is reported by both the Information Security and Information Risk departments through monthly management metric reporting working groups and multiple layers of quarterly risk committees to achieve an appropriate flow of information risk reporting to the Board. The risk committees include the Operational Risk Management Committee, the Executive Risk Management Committee and the Risk Committee of the Board of Directors. These committees establish and oversee policies, programs, and other guidance to provide specific expectations for managing the cybersecurity risk.