CROSSFIRST BANKSHARES, INC. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

CROSSFIRST BANKSHARES, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 13:38:08 EST.

Filings

10-K filed on 2024-02-29

CROSSFIRST BANKSHARES, INC. filed a 10-K at 2024-02-29 13:38:08 EST
Accession Number: 0001558370-24-002154


Item 1C. Cybersecurity.

The Company maintains a cyber security risk management program designed to prevent, detect and respond to information security threats. The program is designed to align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, as well as the banking-specific framework from the FFIEC's Cybersecurity Assessment Tool (CAT). The Company's program is led by our Chief Technology Officer ("CTO") and chief information security officer ("CISO"), whose teams are responsible for leading short and long-term enterprise-wide cybersecurity strategy, policy, standards, monitoring, architecture and processes.

The CTO chairs the Bank's Technology, Operations, and Compliance ("TOC") Committee, which has primary management responsibility for oversight of operations, technology and operational risk, including information security, fraud, vendor, data protections and privacy, business continuity and cybersecurity risks. TOC meets at least quarterly to assess, among other things, cyber threats or risks to the Company and drive awareness and alignment across the Company for effective cybersecurity risk management and reporting.

The Risk Committee of the Board of Directors (the "Risk Committee") is responsible for reviewing the Company's information security programs, including oversight of cybersecurity risks and threats. The Risk Committee receives quarterly reports from our CISO and CTO on, among other things, the Company's cyber risks and threats, the status of projects to strengthen the Company's information security program, the emerging threat landscape and key metrics from cybersecurity systems and monitoring. The Company's cyber security program and technology program are periodically audited by internal audit or independent third-party audit firms, and the results of these audits are reported to the Risk Committee, as well as the Audit Committee of the Board of Directors.

The Company's processes for assessing, identifying, and managing material risks from cybersecurity threats include using a wide-range of industry-leading security tools, regularly updating our technology roadmaps, and mandating cybersecurity awareness, business continuity, and incident response training for all employees. This training is also supplemented with periodic phishing tests. We have a detailed incident response plan in place in the event of a cybersecurity incident for contacting authorities and informing key stakeholders to ensure that any non-routine events are properly escalated. The Company participates in cybersecurity incident response exercises to test pre-planned response actions from the Company's plan and to facilitate group discussions regarding the effectiveness of the Company's cybersecurity incident response strategies and tactics.

We use a third-party Security Operations Center to provide 24x7x365 monitoring of logs, administrator and user actions, network and security appliances, and endpoint agents, and our CISO and CTO actively engage with key vendors, industry participants, the U.S. Department of Homeland Security, and intelligence and law enforcement communities. The company also maintains a vendor relationship with a cyber security firm that supports the Bank to review and mitigate any potential cyber incidents. Strong vendor management and monitoring controls are enforced and require, at a minimum, annual due diligence on critical vendors.

As of the date of this report, cybersecurity threats have not materially affected and are not reasonably likely to affect the Company, including its business strategy, results of operations or financial condition. See Item 1A. Risk Factors for information on the risks that cybersecurity threats pose to the Company.


Company Information

Name: CROSSFIRST BANKSHARES, INC.
CIK: 0001458412
SIC Description: State Commercial Banks
Ticker: CFB - Nasdaq
Website
Category
Emerging growth company
Fiscal Year End: December 30