GLACIER BANCORP, INC. 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

GLACIER BANCORP, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 16:35:18 EST.

Filings

10-K filed on 2024-02-23

GLACIER BANCORP, INC. filed a 10-K at 2024-02-23 16:35:18 EST
Accession Number: 0000868671-24-000042


Item 1C. Cybersecurity.

Item 1C. Cybersecurity for additional information regarding our efforts to detect, identify, assess, manage, and respond to material risks from cybersecurity threats.

We have various anti-takeover measures that could impede a takeover. Our articles of incorporation include certain provisions that could make it more difficult to acquire us by means of a tender offer, a proxy contest, merger or otherwise. These provisions include a requirement that any Business Combination (as defined in the articles of incorporation) be approved by at least 80 percent of the voting power of the then outstanding shares, unless it is either approved by our Board or certain price and procedural requirements are satisfied. In addition, the authorization of preferred stock, which is intended primarily as a financing tool and not as a defensive measure against takeovers, may potentially be used by management to make more difficult uninvited attempts to acquire control of us. These provisions may have the effect of lengthening the time required to acquire control of us through a tender offer, proxy contest or otherwise, and may deter any potentially unfriendly offers or other efforts to obtain control of us. This could deprive our shareholders of opportunities to realize a premium for their common stock in the Company, even in circumstances where such action is favored by a majority of our shareholders.

Regulatory Matters

We operate in a highly regulated environment and changes or increases in, or supervisory enforcement of, banking or other laws and regulations or governmental fiscal or monetary policies could adversely affect us. We are subject to extensive regulation, supervision and examination by federal and state banking regulators. In addition, as a publicly-traded company, we are subject to regulation by the SEC.
Any change in applicable regulations or federal, state or local legislation or in policies or interpretations or regulatory approaches to compliance and enforcement, income tax laws and accounting principles could have a substantial impact on us and our operations. Changes in laws and regulations may also increase expenses by imposing additional fees or taxes or restrictions on operations. Additional legislation and regulations that could significantly affect powers, authority and operations may be enacted or adopted in the future, which could have a material adverse effect on our business, financial condition, and results of operations. Failure to appropriately comply with any such laws, regulations or principles could result in sanctions by regulatory agencies or damage to our reputation, all of which could adversely affect our business, financial condition or results of operations. Regulators have significant discretion and authority to prevent or remedy unsafe or unsound practices or violations of laws or regulations by financial institutions and bank holding companies in the performance of their supervisory and enforcement duties. Existing and proposed federal and state laws and regulations restrict, limit, and govern all aspects of our activities and may affect our ability to expand our business over time, may result in an increase in our compliance costs, and may affect our ability to attract and retain qualified executive officers and employees. The exercise of regulatory authority may have a negative impact on our business, financial condition and results of operations, including limiting the types of financial services and products we may offer or increasing the ability of non-banks to offer competing financial services and products at lower cost. Additionally, our business is affected significantly by the fiscal and monetary policies of the federal government and its agencies, including the Federal Reserve. 
We cannot accurately predict the full effects of recent legislation or the various other governmental, regulatory, monetary and fiscal initiatives which have been and may be enacted. The terms and costs of these activities, or the failure of these actions to help stabilize the financial markets, asset prices, market liquidity and a continuation or worsening of current financial market and economic conditions could materially and adversely affect our business, financial condition, results of operations, and the trading price of our common stock.

General Risk Factors

National and international economic and geopolitical conditions could adversely affect our future results of operations or market price of our stock. Our business is impacted by factors such as economic, political and market conditions, broad trends in industry and finance, changes in government monetary and fiscal policies, inflation, and financial market volatility, all of which are beyond our control. National and global economies are constantly in flux, as evidenced by recent market volatility resulting from, among other things, the bank failures involving Silicon Valley Bank and Signature Bank, the effects of inflation, and the ever-changing landscape of the energy and medical industries. Future economic conditions cannot be predicted, and any renewed deterioration in the economies of the nation as a whole or in our markets could have an adverse effect, which could be material, on our business, financial condition, results of operations and prospects, and could cause the market price of our stock to decline.

Our business is heavily dependent on the services of members of the senior management team. We believe our success to date has been substantially dependent on our executive management team.
In addition, our unique model relies upon the Presidents of our separate Bank divisions, particularly in light of our decentralized management structure in which such Bank divisions have significant local decision-making authority. The unexpected loss of any of these persons could have an adverse effect on our business, financial condition, results of operations, and future growth prospects.

We could suffer operational, reputational and financial harm if we fail to properly anticipate and manage risk. We use models and strategies to forecast losses, project revenue, and measure and assess capital requirements for various credit, market, operational and strategic risks. These models require oversight, ongoing monitoring, and periodic reassessment. Models are subject to inherent limitations due to the use of historical trends and simplifying assumptions, uncertainty regarding economic and financial outcomes, and emerging risks from the use of applications that may rely on artificial intelligence. Our models and strategies may not be adequate due to limited historical data and shocks caused by extreme or unanticipated market changes, especially during severe market downturns or stress events. Regardless of the steps we take to ensure effective controls, governance, monitoring and testing, and implement new risk management tools, we could suffer operational, reputational and financial harm if our models and strategies and other risk management tools fail to properly anticipate and manage the current and evolving risks we face.

Changes in accounting standards could materially impact our financial statements. Periodically, the Financial Accounting Standards Board (“FASB”) and the SEC change the financial accounting and reporting standards that govern the preparation of our financial statements. These changes can materially impact how we record and report our financial condition and results of operations.
For information regarding the impact of recently issued accounting standards, see Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations.

Climate change may materially adversely affect the Company’s business, financial condition, and results of operations. Concerns over the long-term effects of climate change have led to governmental efforts around the world to mitigate those impacts. Consumers and businesses also may voluntarily change their behavior as a result of these concerns. Both the Bank and its customers will need to respond to new laws and regulations as well as consumer and business preferences resulting from climate change concerns. The Bank and its customers may face cost increases, asset value reductions and operating process changes. The impact on our customers will likely vary depending on their specific attributes, including reliance on or role in carbon-intensive activities. Among the impacts to the Bank could be a drop in demand for our products and services, particularly in certain sectors. In addition, we could face reductions in creditworthiness on the part of some customers or in the value of assets securing loans. The Bank attempts to take these risks into account in making lending and other decisions, including by increasing our business with climate-friendly companies, but the bank’s efforts may not be effective in protecting the Bank from the negative impact of new laws and regulations or changes in consumer or business behavior.

Item 1B. Unresolved Staff Comments

None

Item 1C. Cybersecurity

Cybersecurity has become a significant issue for financial institutions around the globe, and the Company is no exception. The Company’s management has integrated cybersecurity issues into the Company’s overall risk management system by making cybersecurity risk a key focus of its internal Strategic Technology Committee, Enterprise Risk Management Committee, and Board Risk Oversight Committee.
These committees are provided regular updates on the Bank’s cybersecurity risk management program. The Company has implemented a variety of mechanisms that are designed to detect, identify, assess, manage, and respond to material risks from cybersecurity threats. The Company’s processes for identifying, assessing, and managing cybersecurity risks include: a rigorous internal audit process to evaluate the Company’s cybersecurity strategies, with the Audit Committee apprised of risks or control failures that are identified during the audit; participation in multiple peer-sharing networks to obtain industry-wide intelligence regarding specific cybersecurity threats and industry best practices to minimize cybersecurity risks; participation in simulated cyber-event tabletop exercises designed to test the Company’s incident response capabilities and the robustness of its cybersecurity program; an information security program that is regularly reviewed, tested, and updated, and includes vulnerability and patch management programs, incident response planning, security monitoring, employee training, and security awareness testing; cybersecurity insurance to mitigate the financial impact of a cybersecurity incident on the Company’s business and financial condition; and periodic regulatory examinations that include an assessment of the Company’s cybersecurity management, processes, and controls.

In addition to the internal programs outlined above, the Company engages with external cybersecurity experts to conduct thorough evaluations of the Company’s cybersecurity processes and controls. These third-party consultants conduct periodic comprehensive vulnerability and penetration testing, alongside audits of high-risk technology systems designed to evaluate the efficacy of the Company’s cybersecurity measures. The Company has also retained a third-party cybersecurity firm to assist with the Company’s response to any future cybersecurity breaches.
In order to identify material risks from cybersecurity threats associated with the use of third-party service providers, such as bank operations technology, payroll and benefits administrators, and professional service providers, the Company has established a dedicated department within its Enterprise Risk Management division. This department manages risks of third-parties and evaluates cybersecurity risks associated with the Company’s third-party service providers with the Bank’s Information Technology Department.

The Board’s Risk Oversight Committee is responsible for oversight and monitoring of the Company’s cyber risk management profile and related programs. In an effort to ensure transparency and provide appropriate oversight and monitoring, the Chief Risk Officer and Chief Information Security Officer present detailed reports to the Risk Oversight Committee on a quarterly basis. These reports address the current landscape of cybersecurity threats, any notable recent incidents, and a summary of emerging cybersecurity trends. The Board is also regularly furnished with key risk indicators and defined risk parameters with respect to the Company’s cybersecurity program. The Board reviews and approves the Company’s cybersecurity policies at least annually.

Management’s role in assessing and managing material risks from cybersecurity threats is an important and multifaceted component of the Company’s cybersecurity. Appropriate members of the Company’s senior management, including the Chief Information Security Officer (“CISO”), Chief Risk Officer (“CRO”) and Chief Information Officer (“CIO”), are responsible for assessing and managing cybersecurity risks, which involves an ongoing process of identifying, analyzing, evaluating, and addressing the Company’s cybersecurity threats.
The Company employs management and staff members who hold top cybersecurity certifications and have acquired the expertise needed to manage the Company’s cybersecurity program, including a range of technical skills such as intrusion detection, network security control, security incident management, and risk assessment. These management and staff members also participate in structured ongoing training to keep current with industry trends and cybersecurity threats.

The CISO has a degree in Business Administration, Finance, and Risk Management from Washington State University. The CISO has over 23 years of experience in cybersecurity and information security. The CISO has maintained a Certified Information Systems Security Professional (CISSP) certification for over 18 years. The CRO has a degree in Business Administration and Finance from the University of Montana. The CRO has over 20 years of combined experience with financial institution risk management, including prior experience as a bank regulator and a credit risk management consultant. The CIO has dual degrees in Accounting and Computer Science from the University of Montana. The CIO has over 30 years of experience managing information technology at the Company.

The processes by which the relevant members of management are informed about and manage the prevention, detection, mitigation, and remediation of cybersecurity incidents include conducting cybersecurity risk assessments, establishing network access controls, creating a vulnerability management program, and continuous monitoring for threats.

The Company is not aware of any current cybersecurity threats that are reasonably likely to materially affect the Company’s business strategy, results of operations or financial condition. See Item 1A. Risk Factors for additional information regarding the risks we face from cybersecurity threats.


Company Information

Name: GLACIER BANCORP, INC.
CIK: 0000868671
SIC Description: State Commercial Banks
Ticker: GBCI - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30