PINNACLE FINANCIAL PARTNERS INC 10-K Cybersecurity GRC - 2024-02-26

Page last updated on April 11, 2024

PINNACLE FINANCIAL PARTNERS INC reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-02-26 at 17:05:42 EST.

Filings

10-K filed on 2024-02-26

PINNACLE FINANCIAL PARTNERS INC filed a 10-K at 2024-02-26 17:05:42 EST
Accession Number: 0001115055-24-000029


Item 1C. Cybersecurity.

Risk Management, Strategy and Governance

Pinnacle places a high priority and focus on securing the confidential information it receives and stores about its borrowers, depositors and other customers and employees. This priority and focus starts with Pinnacle's board of directors, which is ultimately responsible for establishing effective risk oversight, approving our risk appetite, understanding our key risks and seeking to establish the risk management strategy, processes and internal controls that are appropriate to manage risk, in each case inclusive of cybersecurity risk. Our risk appetite includes specific information technology risk tolerance thresholds and limits established with the approval of our board of directors, or designated committees thereof, and executive management. Key risk indicators are monitored by the Risk Committee of our board of directors (the "Risk Committee"), which receives quarterly reports from our Chief Risk Officer, Chief Solutions Officer/EVP of Bank Operations ("CSO"), Enterprise Wide Risk Management ("EWRM") Committee and Operations and Automation ("O&A") Committee regarding management's efforts to protect Pinnacle from cybersecurity threats and the general threat landscape facing companies with operational characteristics similar to ours. The CSO reports quarterly to Pinnacle's board of directors regarding our information security risk oversight processes as the board of directors seeks to ensure Pinnacle is operating within its stated risk appetite. Pinnacle's CSO has appointed a Chief Information Security Officer (the "CISO"). The CISO reports directly to Pinnacle's CSO, and the responsibilities of this role are in conjunction with information security and other special projects concerning risk and operational issues identified.
The CISO coordinates Pinnacle's information security risk assessment process, facilitates annual employee training, and prepares an annual report to Pinnacle's board of directors with a summary of the Information Security Strategic Plan for the coming year, top cybersecurity risks and crucial information security updates that could impact us.

Pinnacle's objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse its systems or information. A key part of Pinnacle's strategy for managing risks from cybersecurity threats is the ongoing assessment and testing of the Company's processes and practices through auditing, security assessments, and other exercises focused on evaluating the effectiveness of Pinnacle's processes and programs. Pinnacle also deploys technical safeguards that are designed to protect its information systems from cybersecurity threats and incidents in a prompt and effective manner, with the goal of minimizing disruptions to its business. Pinnacle has also developed and periodically updates incident response plans that provide a documented framework for responding to actual or potential cybersecurity incidents, including timely notification and escalation to the appropriate management committees and to the Risk Committee of the board and the full board of directors as appropriate. These incident response plans are coordinated through the CSO and other key members of management, including the CEO.

Pinnacle's board of directors delegates authority to the Risk Committee to assist the board in carrying out certain of its duties of risk oversight, including with respect to information security risk. The Risk Committee provides primary board-level oversight of our enterprise-wide risk posture and the processes established to identify, measure, and monitor our risk level, including regarding information security risk.
This oversight includes reviewing and approving our risk appetite, including with respect to information security risk, and reviewing quarterly reporting from management on monitoring of Pinnacle's performance against its risk appetite. Pinnacle's EWRM Committee, which is a management committee consisting of key employees of Pinnacle, including our Chief Risk Officer, Chief Executive Officer, Chief Financial Officer, CSO, Chief Credit Officer, Deputy Chief Credit Officer, Treasurer and Chief Compliance Officer, as well as other nonvoting members including our Chief Audit Executive, oversees monitoring of the Information Technology program.

Testing of the Information Technology program, including information security, is accomplished using a comprehensive program of ongoing internal testing, utilizing third-party service providers to provide routine vulnerability scanning and penetration testing, and conducting targeted threat assessments with third-party consultants on an annual basis. Additionally, our Internal Audit function includes information technology, including information security, in its annual audit plan. In addition, in accordance with the Information Technology program, our O&A Committee assesses information security risks on a quarterly basis, or more often in response to changes in the products or services that are offered, technological changes, changes in the threat landscape facing Pinnacle (including as a result of cybersecurity incidents affecting financial institutions or their third-party vendors generally), or any change that may materially affect our risk environment. The CISO, the CSO, our Chief Information Officer ("CIO") and Chief Risk Officer collaborate in the development and implementation of the Information Technology Program. Together with our information technology staff, third-party vendors and other outside resources, information security standards and controls are implemented across all enterprise systems.
The CISO monitors Pinnacle's information technology systems for threats and vulnerabilities, reporting regularly to the CIO. The CISO also recommends changes to those systems designed to protect the systems from attack and reduce cybersecurity risk. The O&A Committee, chaired by the CSO, is responsible for the oversight of the Information Security Advisory Team ("ISAT") committee, which monitors monthly operational cybersecurity reporting, threat intelligence, security project implementation, and maintenance of the information security policies and standards managed by the Company's CISO. The monthly ISAT reports are provided to the Risk Committee quarterly and describe the overall status of information security activities, including, but not limited to: decisions about enterprise cybersecurity risks and mitigating controls; results of testing, including regular external and internal penetration testing; cybersecurity threat intelligence; security operations systems performance; and security breaches or violations and management's responses.

To date, no attempted cyber-attack or other attempted intrusion on Pinnacle's information technology networks has resulted in a material adverse impact on the operations or financial results of Pinnacle Financial or Pinnacle Bank. For further discussion of risks from cybersecurity threats, see the section captioned "We are dependent on our information technology and telecommunications systems and third-party servicers, and systems failures, interruptions or breaches of security could have a material adverse effect on our financial condition and results of operations, as well as cause legal or reputational harm" in Item 1A. Risk Factors.
Information Security Training and Awareness

Information security awareness training is provided to all employees and bank business units at initial new hire orientation and no less often than annually thereafter, and focuses on Pinnacle's overall Information Security Program, the roles and responsibilities of employees during an incident, and how to report suspicious activity.

Third Party Risk Management (TPRM)

Management identifies, assesses, controls, monitors and reports on risks related to Pinnacle's use of third and fourth parties per applicable laws, safe and sound business practices, and related supervisory guidance, particularly that of the Interagency Guidance on Third-Party Relationships: Risk Management. It is our policy to ensure that the internal controls and financial condition of a third-party vendor are carefully evaluated before such support services are allowed to begin, and as an ongoing condition of continuing support of such products or services. Vendors with access to customer information or direct access to the network are carefully reviewed to ensure that appropriate controls and mechanisms are in place in an attempt to safeguard confidential information, and our contracts with such vendors include obligations on the part of the vendors to maintain the confidentiality of such information in compliance with applicable legal requirements.


Company Information

Name: PINNACLE FINANCIAL PARTNERS INC
CIK: 0001115055
SIC Description: National Commercial Banks
Ticker: PNFP - Nasdaq; PNFPP - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30