BOK FINANCIAL CORP 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

BOK FINANCIAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 16:45:36 EST.

Filings

10-K filed on 2024-02-21

BOK FINANCIAL CORP filed an 10-K at 2024-02-21 16:45:36 EST
Accession Number: 0000875357-24-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy BOK Financial is committed to safeguarding company and client information through protections integrated into all lines of business, support functions and third-party relationships. To effectively manage cybersecurity risks mentioned in Item 1A, our cybersecurity risk management program evaluates the likelihood and potential damage of internal and external threats. We also evaluate the adequacy of our policies, procedures, and capabilities in place to mitigate cyber risk at least annually. Each employee and contractor is responsible for the security and confidentiality of company and client information. This expectation is communicated at on boarding and through required annual data security and privacy trainings; frequent internal publications; and annual employee attestations to the Company s Standards of Conduct. BOK Financial regularly conducts risk assessments to evaluate internal controls implemented to prevent and detect data breaches. These controls are aligned with ISO 27001:2013 and the NIST Cybersecurity Framework and are frequently monitored to ensure their effectiveness. The controls are routinely tested via tabletop exercises and reviewed by internal auditors. Vulnerability and penetration assessments are also conducted at least annually by an independent third party. In addition to a strong set of internal controls, the company has implemented a robust due diligence process for third-party providers prior to executing an agreement. Risk assessments include evaluating the third-party s security posture through intelligence feeds, SOC reports, ISO certifications and self-attestation questionnaires. Third parties processing customer data are contractually required to meet all legal obligations for protecting against anticipated security threats to client data, protecting against unauthorized access to client data, and ensuring proper disposal of client data. An array of protective technologies have been implemented to detect and respond to indicators of malicious behavior before an incident ever takes place; however, should a cybersecurity incident occur, the Company has incident response and recovery procedures, which include determination of materiality and proper notification and reporting to the appropriate parties. These include legal and regulatory reporting requirements as well as notifications to impacted customers. The Company collaborates with peer financial institutions, local universities, threat intelligence organizations, third-party providers, law enforcement and our customers to share tactical threat intelligence and best practices in protecting against emerging threats. Results of cybersecurity risk assessments and tabletop exercises are reported to governance committees and aid in the development of our cybersecurity strategy, which takes into account the Company’s strategic objectives and our ability to navigate potential internal and external disruptions. The overarching objective of our cybersecurity strategy is to reduce risk and enhance the resilience of our assets. Four key components support this objective: enabling our cyber defense posture, creating and retaining cyber-aware customers, considering identities at system access, and preparing a cyber-resilient workforce. Our cybersecurity team operates under eight distinct programs, each led by a subject matter expert. Each program has its own strategy, projects, and initiatives designed to achieve the overall strategic objective and its key components. The collective framework, regulatory compliance requirements, and associated controls are collectively referred to as the ISMS. The ISMS provides a comprehensive structure that supports the Information Security Program designed to safeguard information technology resources, maintain the confidentiality, integrity and availability of data, and manage the resources used to provide technology and security services to the organization. To date, no cybersecurity threats or incidents have materially affected, or are reasonably likely to affect, the Company including its business strategy, results of operations, or financial condition. 21 Governance The Company s cybersecurity program is overseen by the Risk Committee of the Board, which is responsible for ensuring the program is well resourced and able to protect the security and confidentiality of our data and that of our clients. The program is managed by the CISO who reports to the chief risk officer and is reviewed by regulators, as well as internal auditors. The CISO provides quarterly information security updates to the Risk Committee as well as the Company s executive-level Risk Council on cybersecurity programs, policies and controls; efforts to improve security; and responses to cybersecurity events. Annually, the CISO meets with the Risk Committee of the Board of Directors to communicate the Board’s responsibilities for cybersecurity and privacy, as well as the cybersecurity program s strategy for addressing emerging risks and regulatory requirements. The Company s CISO has over 26 years of building and operating enterprise security functions, security engineering, and security governance and program management. Prior to joining the Company, the CISO managed an Information Security and Risk Management program within a Fortune 500 energy company that handled a wide variety of information security issues including industrial control system security. The CISO has also served on the board of several academic institutions, professional service organizations, and local non-profits and contributed on many special committees for cybersecurity initiatives.

Company Information