Triumph Financial, Inc. - (TFIN)

10-K Filing Date: February 13, 2024
ITEM 1C. CYBERSECURITY.
We use people, process, and technology controls to manage and mitigate cybersecurity risk. The Risk and Compliance Committee, in consultation with and regular reporting to our full Board of Directors (the “Board”), has been delegated oversight for enterprise technology and its associated risks including cybersecurity. As a financial services and technology company, we face a range of cybersecurity risks that are inherent in our industry. Cybersecurity risk has been integrated into the Company’s overall Enterprise Risk Management framework as well as our Internal Audit plan.
The Company’s Chief Information Security Officer (“CISO”) is primarily responsible for developing, monitoring, and implementing our Information Security Program (the “ISP”). Our CISO has over twenty-five years of experience managing information security programs across banking and technology companies. Our CISO reports monthly on cybersecurity matters to the Board and the Risk and Compliance Committee, in addition to full quarterly reports and an annual report. Our ISP team is organized around six key functions: (1) security operations and incident response, (2) security engineering and architecture, (3) threat and vulnerability management, (4) Information Technology/Information Security – governance, risk and controls, (5) security awareness and training, and (6) identity and access management. These functions are integrated into each of our business lines through coordination with a dedicated security business partner.
Our ISP operates as an enterprise-wide function that monitors external and internal threats to assess cybersecurity risk and drives risk-based remediation across all departments. The Company’s ISP is aligned to the Federal Financial Institutions Examination Council standards and is built on recognized best practices and standards for cybersecurity and information technology. We identify vulnerabilities and remediate based on risk and priority. Our ISP team conducts annual security awareness training, regular phishing exercises, sponsors Company-wide security awareness programs, and provides regular updates across the Company to keep employees engaged and informed on ways to mitigate cybersecurity risk.
The ISP also has a documented Information Security Incident Response Plan (the “ISIRP”) to manage any high severity security incidents that may arise. The ISIRP establishes a framework for our information security team to escalate, contain, investigate, and remediate a potential cybersecurity event. The ISIRP is reviewed no less than annually and is integrated into the Company’s overall Crisis Management Plan, which is reviewed, led, and tested regularly by senior management.
We engage third-party services to conduct penetration testing as well as other regular evaluations of our security protocols and processes. Additionally, we assess and monitor the cybersecurity controls of third-party service providers and partners. Ongoing and regular monitoring of our third parties is also managed through our ISP team’s protocols in partnership with the vendor management, enterprise risk management, and internal audit departments.
Notwithstanding the focus we place on cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on the Company. As of the date of this Form 10-K, the Company is not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition, that are required to be reported in this Form 10-K. For further discussion of cybersecurity risks, please see Item 1A. “Risk Factors.”