NICOLET BANKSHARES INC 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

NICOLET BANKSHARES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:09:33 EST.

Filings

10-K filed on 2024-02-28

NICOLET BANKSHARES INC filed an 10-K at 2024-02-28 16:09:33 EST
Accession Number: 0001174850-24-000010

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Nicolet is susceptible to information security breaches and cybersecurity-related incidents like any other entity. Risks related to cybersecurity attacks are expected to remain heightened as digital capabilities continue to evolve. Increasing use in digital platforms create a vast footprint for sophisticated threats to attack organizations internally and externally, blurring the outermost edge of security. To mitigate these risks, resources are employed to provide visibility, prevention, and mitigation strategies, in line with information security standards. Our management IT Steering Committee has established an Information Security Program, which includes appropriate security risk assessments, security monitoring, incident response, policies, operating standards, compliance, and employee training. The underlying controls of this security program are based on the guidelines and frameworks provided by the Office of the Comptroller of the Currency (the OCC ), the Federal Financial Institutions Examination Council (the FFIEC ), and the National Institute of Standards and Technology ( NIST ), as well as industry best practices and standards. The Information Security Program focuses on the following key areas: IT Governance, Risk & Compliance As discussed in further detail under the Governance section below, we have established programs, policies, and procedures for security oversight, including risk assessments for business processes and applications. These cyber and information security programs, policies and procedures are reviewed annually by a third-party. Identity & Access Management We have established controls to mitigate risks related to unauthorized access, identity theft, and data breaches. Process and technology controls include identity, authentication, authorization, account management, and access, along with monitoring and logging for tracking events. 26 Security Architecture & Engineering Our security is tailored around industry best practices and guidance. This establishes the foundation for secure resilient systems that can withstand and mitigate cyber risks effectively. Security Operations We use various tools to assess, monitor, and analyze the vulnerability of our operating systems, and have established an incident response plan for addressing identified threats and incidents. Resiliency, Safety & Security We have established policies and procedures to withstand and recover from disruption, protect our people and environment, as well as protect our systems and information from threats and unauthorized access. Vendor Risk Management We use a risk-based approach to assess and monitor cybersecurity risks presented by our vendors, third-party service providers, and other third-party users that we partner with. Security Awareness Education We use current cybersecurity and information security threats to develop our education program. This training focuses on information security, privacy, cybersecurity best practices (e.g., social engineering, incident reporting, maintaining strong passwords), identity and access management, and physical security. All employees receive education and awareness training throughout the year. In addition, some of this education is extended to our customer base, with current cyber activity and hygiene highlighted. To our knowledge, no cybersecurity incidents or threats have resulted in a reportable event, and have not materially impacted Nicolet s operations or financial condition. For additional discussion of cybersecurity risks, see Item 1A, Risk Factors Operational Risks. Governance Our Chief Information Security Officer ( CISO ) is responsible for managing our information security team and implementing the Information Security Program. As discussed in further detail under Risk Management and Strategy above, the primary responsibilities of the information security team include IT governance, risk and compliance; identity and access management; security architecture and engineering; security operations; resiliency, safety and security; vendor risk management, and security awareness education. The team includes information security professionals with varying degrees of education and experience, and many team members are subject to professional education and certification requirements. In particular, our CISO has substantial relevant experience in the areas of physical security, information security, and cybersecurity risk management. The management IT Steering Committee provides oversight and governance of the Information Security Program. This committee includes members of information security, compliance, audit, human resources, legal, operations, banking, and wealth. The committee generally meets monthly to review and provide oversight of our risk management strategy; audit reports related to our cyber and information security processes; third-party risk assessments; periodic testing of systems and infrastructure; status of employee and customer training; and updates on security incidents. More frequent meetings may occur in accordance with the incident response plan to facilitate timely assessment, monitoring, and reporting. The Board is actively engaged in oversight of our cybersecurity practices, with the Audit & Compliance Committee having primary oversight responsibility. The Audit & Compliance Committee reviews and approves the information security program on an annual basis, as well as receives management updates about information security matters on at least a quarterly basis. Additionally, the full Board receives regular presentations by our CISO regarding pertinent cyber and information security topics. These updates cover external cybersecurity hot topics and notable events, current and emerging threats, cybersecurity program achievements and progress on key initiatives, key performance indicators, key risk indicators and notable internal events. In addition, the Audit Committee receives prompt reporting and updates on significant cybersecurity-related incidents.

Company Information