National Bank Holdings Corp 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

National Bank Holdings Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:11:51 EST.

Filings

10-K filed on 2024-02-27

National Bank Holdings Corp filed a 10-K at 2024-02-27 16:11:51 EST
Accession Number: 0001558370-24-001838


Item 1C. Cybersecurity.

Our risk management program is designed to identify, assess, and mitigate risks across various aspects of our Company, including, but not limited to, financial, operational, regulatory, reputational, and legal risks. Cybersecurity is a critical component of this program, given the increasing reliance on technology and potential of cyber threats. Our Chief Information Security Officer and Chief Technology Officer are primarily responsible for this cybersecurity component. The Chief Technology Officer is responsible for the first line of defense and has assembled a capable team of professionals with expertise in cybersecurity. The Chief Information Security Officer is a key member of the Risk Management organization, reporting directly to the Chief Risk Management Officer and, as discussed below, provides updates to the Audit & Risk Committee of our Board of Directors.

The Company’s cybersecurity risk management program is designed to ensure the Company’s data, information systems, networks and devices are appropriately protected from a variety of threats and that our third parties with access to the Company’s data take similar precautions. Regular risk assessments are conducted to validate control requirements and ensure that the Company’s information is protected at a level commensurate with its sensitivity and value. Preventative and detective security controls are employed on all media where information is stored, the systems that process it, and infrastructure components that facilitate its transmission to ensure the confidentiality, integrity, and availability of Company information. These controls include, but are not limited to, access control, data encryption, data loss prevention, incident response, security monitoring, third-party risk management, and vulnerability management.

The Company’s cybersecurity risk management program and strategy are regularly reviewed and updated to ensure that they are aligned with the Company’s business objectives and are designed to address evolving cybersecurity threats and satisfy regulatory requirements and industry standards. The Company utilizes various systems, controls and surveillance to mitigate cybersecurity risks including:

- Layered security controls monitoring traffic to and within the Company that identify and block suspicious activity, with system configurations that align with industry best practices.
- Preventative and detective controls to identify adverse internal and external trends and analyze the Company’s response mechanisms.
- Annual network and penetration testing by reputable third-parties to evaluate the Company’s suite of security controls and tools, and identify potential vulnerabilities.
- Regular cybersecurity and information security awareness training for associates, supplemented with recurring social engineering tests.
- An incident response plan that outlines the steps the Company will take to respond to a cybersecurity incident, which is tested on a periodic basis.
- Recurring audit and oversight of all critical third-parties within the Company’s digital ecosystem to identify risks and adverse trends. Our third-party risk management program is designed to ensure that our third-party providers meet our cybersecurity requirements. This includes conducting periodic risk assessments of our third-party providers requiring them to implement appropriate cybersecurity controls and monitoring third-party compliance with our cybersecurity requirements.
- Annual evaluation of the Company’s cybersecurity insurance program, with coverage levels benchmarked against industry peers.
- Use of external subject matter experts to provide threat intelligence and updates on trends and emerging schemes.
- Annual risk and self-assessments against established industry frameworks to ensure best practices are in place and the Company’s risk assessment continues to evolve.
- Annual testing from a business continuity perspective, including annual business impact analysis reviews, annual testing of all critical departments, systems and third-parties, and established back-up, replication, and restoration to help ensure continuity of operations.

Our internal systems, processes, and controls are designed to mitigate loss from cyberattacks and, while we have experienced cybersecurity incidents in the past, to date, risks from cybersecurity threats have not materially affected the Company’s business, financial condition, and results of operations. However, the sophistication of cyber threats continues to increase, and the Company’s cybersecurity risk management and strategy may be insufficient or may not be successful in protecting against all cyber incidents. Accordingly, no matter how well designed or implemented the Company’s controls are, it will not be able to anticipate all cybersecurity breaches, and it may not be able to implement effective preventive measures against such security breaches in a timely manner. For more information on how cybersecurity risk may materially affect the Company’s business strategy, results of operations or financial condition, please refer to Item 1A Risk Factors.

Governance

The Enterprise Technology group, in conjunction with the Enterprise Risk Management department, and most specifically within that group, the Chief Information Security Officer, are responsible for implementing and maintaining the Company’s cybersecurity risk management program. The Enterprise Technology group includes cybersecurity and information risk professionals who assess, identify, and manage cybersecurity risks. Individuals within these departments are subject to professional education and certification requirements.

As a governance and oversight function, the Enterprise Risk Management department measures and reports on the quality of information and cyber risk management across all functions of the Company. Cybersecurity risk is reported by both the Enterprise Risk Management and Enterprise Technology departments through monthly cybersecurity meetings with executive management and quarterly Enterprise Risk Management Committee meetings.

The Company’s Board of Directors is charged with overseeing the establishment and execution of the Company’s Risk Management program and monitoring adherence to related policies required by applicable statutes, regulations and principles of safety and soundness. Consistent with this responsibility the Board has delegated primary oversight responsibility over the Company’s Risk Management program, including oversight of cybersecurity risk and risk management, to the Audit & Risk Committee of the Board. The Audit & Risk Committee receives regular updates on the cybersecurity program, including cybersecurity risks and incidents through direct interaction with the Chief Technology Officer, the Chief Information Security Officer and the Chief Risk Management Officer. Additionally, the Board of Directors also receives periodic updates regarding cybersecurity risks and the cybersecurity program, as well as training at least annually on the Director’s role in managing cybersecurity risks.


Company Information

Name: National Bank Holdings Corp
CIK: 0001475841
SIC Description: National Commercial Banks
Ticker: NBHC - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30