Independent Bank Group, Inc. 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 11, 2024

Independent Bank Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 17:04:26 EST.

Filings

10-K filed on 2024-02-20

Independent Bank Group, Inc. filed an 10-K at 2024-02-20 17:04:26 EST
Accession Number: 0001564618-24-000025

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity and Risk Management The Company s cybersecurity risk management processes are integrated into the overall risk management system through reporting of cyber risks to Technology and Information Security Oversight Committee, Operational Risk Committee, Enterprise Risk Committee, and Board Risk Oversight Committee. Risk Appetite statements are approved by the Board Risk Oversight Committee and the Board , and Key Risk Indicators are monitored on an ongoing basis by the Information Security team, and the Operational Risk and Enterprise Risk Committees . The Company performs regular Information Security focused Risk Assessments at the entity level, including but not limited to assessments based on the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool (FFIEC CAT) and Ransomware Self-Assessment Tool (R-SAT), and National Institute of Standards and Technology (NIST) Cybersecurity Framework. Engagement of Third Parties Information Security leverages third parties for cyber security services including but not limited to managed security services, external penetration testing, and tabletop exercises. Oversight and Identification of Risks Associated with Third Parties Information Security, in coordination with Third Party Risk Management, reviews new vendors at onboarding to oversee and identify potential risks and performs ongoing monitoring of emerging risks related to any third-party service providers. Third-party service provider reviews include completion of a standardized questionnaire and review of SOC reports. New technology projects are subject to a Security Architecture Review completed by Information Security. Information Security coordinates with Contract Management to perform contract reviews for security controls and notification processes. Information Security conducts annual IT Risk Assessments on Tier 1 applications, defined as those vendors of critical importance to the Company’s core operations. Risks from Cybersecurity Threats In the last fiscal year, we have not experienced any material cybersecurity incidents. For a full discussion of cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, result of operations, or financial condition, see Item 1A. Risk Factor s . Board Oversight Our Board Risk Oversight Committee is charged with overseeing the Company s management of credit, market, liquidity, operational (including information technology and cybersecurity), compliance, reputational and strategic risks, including the annual approval and recommendation to the Board of Directors of the Company s risk appetite statement and approval of the Company s risk management framework. Risks from cybersecurity threats are monitored on an ongoing basis by the Information Security team, engaging the Cyber Incident Response Team, Cyber Crisis Team, the Core Team, and Extended Core Team, as needed, and escalated to the extent that incidents rise to the level of notification to the relevant risk or board committee or on an ad hoc basis. Additionally, quarterly cybersecurity updates are provided to risk and board committees including, but not limited to, the following materials: Annual GLBA Report, Information Security Metrics (including Key Performance and Key Risk Indicators), Penetration Testing and Tabletop Exercise updates, Cyber Maturity Assessments/Roadmap, Annual Threat Landscape Report, and additional cybersecurity education topics. Management and Assessment of Risk The Enterprise Risk Sub-Committee (ERC) (a management committee) assists executive management and the Board of Directors with providing oversight of the Bank s enterprise risk management program. 34 Table of Contents The ERC and Board Risk Oversight Committee work together to facilitate effective risk management and timely escalation of substantive issues, including Operational Risk (which includes information technology and cybersecurity). The Chief Information Security Officer (CISO), reporting to the Chief Risk Officer, is responsible for information security and cybersecurity risk management. The CISO has over 20 years of experience in cybersecurity in Financial Services and is a Certified Information Systems Security Professional (CISSP) and holds a SysAdmin, Audit, Network and Security Global Information Assurance Certification (SANS GCIA). Incident and Risk Escalation Through Cyber Incident Response Plan Information Security maintains processes for prevention, detection, and mitigation of cybersecurity incidents. The Company maintains a Cyber Incident Response Plan (CIRP) that covers response and remediation processes for managing cybersecurity incidents. The CIRP outlines the cross-functional responsibilities for the Cyber Crisis Team, the Core Team and Extended Core Team during a notification incident. The Core Team consists of the Chief Information Security Officer, Chief Legal Officer, Chief Information Officer, and Director Operational Risk Management to manage the incident. The Extended Core Team consists of other business area leaders who may need to be engaged based on the area of impact. All CIRP incidents are managed through an Incident Commander with communications being escalated to executive leadership as needed, who will then report to the Board. Key Performance Indicators and Key Risk Indicators related to monitoring and detection are presented to Technology and Information Security and Operational Risk Management Committees. Incident and Risk Escalation to Board The Board Risk Oversight Committee oversees the ERC and works directly with the ERC to facilitate effective risk management and timely escalation of substantive issues from ERC and ERC s sub-committees, including Operational Risk (which includes information technology and cybersecurity). Quarterly, cybersecurity updates are provided to risk and board committees including, but not limited to, the following materials: Annual GLBA Report, Information Security Metrics (including Key Performance and Key Risk Indicators), Penetration Testing and Tabletop Exercise updates, Cyber Maturity Assessments/Roadmap, Annual Threat Landscape Report, and additional cybersecurity education topics.

Company Information