PACIFIC PREMIER BANCORP INC 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

PACIFIC PREMIER BANCORP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 16:31:49 EST.

Filings

10-K filed on 2024-02-23

PACIFIC PREMIER BANCORP INC filed a 10-K at 2024-02-23 16:31:49 EST
Accession Number: 0001028918-24-000017


Item 1C. Cybersecurity.

Information security is essential to our mission and our institutional strategic goal. Under the leadership of our Chief Information Security Officer (CISO), we have developed and implemented a comprehensive risk-based information security program that meets regulatory requirements and encompasses a cybersecurity program based upon the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This framework supports the identification and evaluation of cybersecurity risks, informs risk management decisions, and guides responses to emerging threats. The Information Security Program and all applicable cybersecurity policies, processes, and controls apply to all of our operations and all of our employees. As part of our cybersecurity risk management strategy, we employ an in-depth, layered, and defensive approach that leverages people, processes, and technology to manage and maintain cybersecurity controls. As such, our cybersecurity risk management program includes, but is not limited to: regular employee cybersecurity training and communications; the use of preventative, detective, alerting, and defense-in-depth technologies; internal and third-party program oversight; policies and procedures regularly reviewed and designed with regulatory and industry guidance; an incident response plan to respond to cybersecurity incidents; and a threat intelligence program designed to assess the latest changes to the threat landscape. In addition, cybersecurity policies, procedures, and controls have been developed and implemented to protect against unauthorized access to consumer and customer information and to safeguard the information that is exchanged with third parties in accordance with applicable laws and regulations.

Risk Management

Integration with Overall Risk Management. Cybersecurity is a major component of our overall risk management approach. The Company's cybersecurity risk management program is integrated into our overall enterprise risk management processes. This integration helps ensure that cybersecurity considerations are an integral part of our decision-making processes across the organization. Our risk management team works closely with our Information Security and Information Technology departments to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs.

We continually evaluate cybersecurity risks as part of our overall risk management strategy. Cybersecurity risks are assessed, identified, and managed through various ongoing and scheduled processes, technologies, and techniques, including, but not limited to, periodic IT Risk Assessments, vulnerability scanning, penetration testing, employee cybersecurity awareness testing, and threat intelligence analysis. The Company receives cybersecurity alerts and threat intelligence from Open Source Intelligence (OSINT) threat intelligence feeds, the Financial Services Information Sharing and Analysis Center (FS-ISAC), and government agencies, among other sources. The Company also continuously monitors its systems and networks. Management regularly reviews the evaluation of risks through these and other methods to mitigate risks and allocate resources in alignment with the overall risk management strategy.

We also consider employee education paramount and conduct regular cybersecurity education through a security awareness, training, and education program that provides consistent and focused training to educate employees, raise awareness, and change behaviors. All employees are trained at least annually about the importance of information security and data privacy. Security campaigns are launched to test the effectiveness of the training provided, and corporate communication bulletins are sent to employees on a periodic and as-needed basis.

We have created and regularly update our Incident Response Plan, which guides our response to a cybersecurity incident and outlines processes for forensic analysis, crisis communications, and required notifications. Significant cybersecurity incidents are reported promptly to senior leadership and the Board of Directors. We test our Incident Response Plan through tabletop exercises. The Bank also maintains a business continuity program that addresses crisis management, business impact, and data and systems recovery.

Engagement of Third Parties in Connection with Cybersecurity Processes. We regularly engage various third parties to assess, test, or assist with the implementation of our cybersecurity processes. We engage independent third parties to conduct risk assessments, penetration tests, vulnerability scans, and tabletop exercises. Although our internal audit department is responsible for auditing our cybersecurity programs, we also engage an independent, external firm with expertise in information security to conduct annual audits of our cybersecurity program.

Third Party Risk Management. We maintain a process to identify and evaluate cybersecurity risks and incidents related to key third-party service providers. We assess key third-party service providers' information security controls through an established due diligence process. We also require contracts with such service providers to maintain certain security controls to safeguard our data, and to notify the Company of cybersecurity incidents experienced by the service providers that affect our data.

Governance

Board Oversight. The Board of Directors maintains oversight responsibility over the enterprise risk management program, including risks related to cybersecurity threats and incidents, and approves the information security program. The Enterprise Risk Committee of the Board of Directors (Enterprise Risk Committee) assists the Board in evaluating enterprise risks and performing the Board's oversight responsibilities. As part of our integrated enterprise risk management process, cybersecurity risks and key metrics are evaluated by the Enterprise Risk Committee quarterly and reviewed by the full Board quarterly, and the Enterprise Risk Committee and the Board actively participate in discussions with management and amongst themselves regarding cybersecurity risks and the overall risk management strategy. Our CISO, in coordination with our Chief Information Officer (CIO) and Chief Risk Officer (CRO), briefs the Enterprise Risk Committee on a regular basis, typically quarterly, concerning cybersecurity risks, the effectiveness of our cybersecurity risk management efforts, and updates and changes to our cybersecurity risk management program. In addition, the CISO briefs the entire Board concerning the cybersecurity risk management program on an annual basis and as requested.

Management's Role. The CISO is responsible for assessing, implementing, and monitoring our Information Security Program and cybersecurity controls, and works closely with the CIO and the CRO in managing our Information Security Program. The CISO maintains a dedicated cybersecurity staff composed of certified security professionals with expertise in various disciplines, including threat detection, governance, risk and compliance, security architecture and engineering, incident response, and third-party risks. Our CISO regularly updates our management-level Enterprise Risk Management Committee concerning cybersecurity risks and the effectiveness of our risk management efforts. The Enterprise Risk Management Committee is composed of members of executive management.

Notwithstanding our efforts at cybersecurity, no system of prevention is impenetrable, and we cannot guarantee that we will be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. To date, we have not detected any material cybersecurity incident to our own systems. However, in July 2023, one of our third-party vendors experienced a cybersecurity incident due to a previously unknown (i.e., zero-day) vulnerability in a popular file sharing software the vendor used called MOVEit Transfer. For further information regarding this incident, please see our Report on Form 8-K filed on July 25, 2023. At the time of our Form 8-K, we reported that the Company currently believes this incident will not have a material adverse effect on its or the Bank's business, operations, or financial results. Since that Report, this incident has not had a material adverse effect on our or the Bank's business, operations, or financial results. Future cybersecurity incidents could, however, materially affect our business strategy, results of operations, or financial condition. See Item 1A. Risk Factors for additional information on how risks could materially affect the Company.


Company Information

Name: PACIFIC PREMIER BANCORP INC
CIK: 0001028918
SIC Description: State Commercial Banks
Ticker: PPBI - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30