FIRST INTERSTATE BANCSYSTEM INC 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

FIRST INTERSTATE BANCSYSTEM INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 14:46:18 EST.

Filings

10-K filed on 2024-02-29

FIRST INTERSTATE BANCSYSTEM INC filed a 10-K at 2024-02-29 14:46:18 EST
Accession Number: 0000860413-24-000016


Item 1C. Cybersecurity.

The Company provides cybersecurity services to the Bank. In the ordinary course of business, we rely on electronic communications and information systems to conduct our operations and to store sensitive data. Cybersecurity risk management is overseen both as a critical component of our overall risk management program and as a standalone program. As further described below, we have implemented a risk-based, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. We also offset cyber risk through internal training and testing of our employees, among other processes, in accordance with our policies and procedures.

Risk Management and Strategy

We have developed policies and procedures to provide processes and guidelines for managing cybersecurity incidents with the goal of minimizing disruption, damage, protecting data, and helping recover from a cybersecurity incident as quickly as possible. In addition, in furtherance of our fiduciary responsibility to protect and account for information and information systems that are recognized as critical bank assets, we have established policies that require, among other things, that we perform an information security risk and vulnerability assessment at least annually, and implement corresponding risk management controls; implement a defense-in-depth security architecture, which may include firewalled network segmentation, malicious software protection, and data loss prevention; leverage data loss prevention technology to assist in preventing unauthorized disclosure of non-public information; and engage independent third parties to review, audit, and test the information security control structure and program to ensure processes and controls are functioning properly. As part of our overall cybersecurity risk management process, employees receive annual training on incident preparedness, response, and recovery which we believe to be commensurate with their responsibilities. Employees are given directions on where to report actual or suspected incidents, both with respect to cybersecurity incidents as well as other risks, such as office closures, robbery, physical security, and employee or client injury. In addition to employees, individuals with a leadership role in the cybersecurity incident response processes are trained on their responsibilities annually, and the processes and those responsible for implementing them will be tested at least annually to assist in improving performance of the incident handlers and to identify issues with policies, procedures, and communication process.

To manage the information security processes related to relationships with third parties and contractors, we maintain a policy which requires all third parties and contractors to implement controls and abide by a non-disclosure agreement, and we regularly evaluate existing critical third-party service providers to ensure they continue to meet our minimum information security practices. Proposed relationships with new third-party service providers are evaluated to ensure the technology provided is in alignment with our standards and guidelines. We have not experienced a significant compromise, significant data loss, or any material financial losses related to cybersecurity attacks, and no risks from cybersecurity threats that are known to us are believed to be reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. Risks and exposures related to cybersecurity attacks, however, are expected to remain high for the foreseeable future, due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of third-party service providers, internet banking, mobile banking, and other technology-based products and services.

Governance

While all employees, including members of our information technology ("IT") team, are required to report any known or suspected security event, pursuant to our policies and procedures, the following members of Company management and the Board of Directors are tasked specifically with the responsibilities described below:

Cybersecurity Incident Response Team ("CIRT")

The CIRT was established to provide quick, effective, and orderly responses to serious successful cybersecurity related incidents such as system and application outages, virus infections, hacker attempts, system compromises, improper disclosure of confidential information, system service interruptions, breach of personal identifiable information, or other technology related events with serious security implications or business disruptions. The CIRT consists of various IT groups with the knowledge and expertise needed to execute the technical aspect of the Company's cybersecurity policies and procedures, including our Chief Information Officer ("CIO") and Chief Information Security Officer ("CISO"). As further described below, these officers are responsible for facilitating communications with the Risk Committee. When an incident is reported, the CIRT determines the scope, scale and severity of the event and determines if the event is an incident. When the CIRT has determined an incident has occurred, the team is responsible for responding to such incident in a timely, cost-effective manner and reporting findings as necessary and appropriate, including communicating to other key stakeholders for the duration of such incident. In general, the CIRT reports such findings to the CISO, the CISO reports the information to the Chief Risk Officer ("CRO"), and the CRO ultimately reports those findings to the Risk Committee.

Risk Committee

The Risk Committee of our Board of Directors is responsible for overseeing our enterprise-wide risk management program and corporate risk function, including cyber risk. The Risk Committee assesses whether the risk-management programs are capable of managing our significant risks and monitors whether our most significant enterprise-wide risk exposures are in alignment with our appetite for risk.

Enterprise Risk Management Committee ("ERMC")

The ERMC is a management committee of the Bank. The Risk Committee delegates oversight responsibility of the Company's cybersecurity programs to the ERMC. The ERMC presents summary reporting to the Risk Committee pertaining to the status of such programs.

Chief Risk Officer ("CRO")

Karlyn M. Knieriem has served as our Executive Vice President and CRO since 2022. As CRO, Ms. Knieriem is responsible for reporting serious incidents to external authorities pursuant to advice from internal or external legal counsel, unless otherwise delegated. Ms. Knieriem has over 25 years of experience in financial services across a variety of roles including finance, treasury, retail, credit, and risk management.

Chief Information Officer ("CIO")

Lori Meyer has served as our CIO since June 30, 2023, after serving in several leadership roles in the Company, including Director of Enterprise Program Management, Director of IT Business Management, Director of IT Business Relations, and Business Process Improvement Lead. As CIO, Ms. Meyer is responsible for oversight of the Company's cybersecurity policies and informing the ERMC on current computer security readiness, information security standards, procedures, regulatory compliance, data security and privacy concerns, and the remediation plans annually, or as needed.

Chief Information Security Officer ("CISO")

Dale Daugherty has served as our CISO since 2021. As CISO, Mr. Daugherty is responsible for establishing and monitoring the effectiveness of the Company's cybersecurity policies and reporting the status and a summary of cybersecurity incidents to the CRO, CIO, ERMC, and Risk Committee. In this role, Mr. Daugherty serves as an intermediary between the CRO and the CIRT. Since 2002, Mr. Daugherty has served in the roles of Information Security Officer, AVP IT Audit Manager, and Director of IT Compliance, Risk, and Security for the Bank and holds the CISSP, CISA, GCIH, GCIA, and GSEC certifications.

Chief Human Resources Officer ("CHRO")

Rachel B. Turitto has served as our CHRO since 2019. As CHRO, Ms. Turitto is responsible for appropriate administration of the Company's cybersecurity policies with respect to employee-related cybersecurity incidents. Ms. Turitto joined us with over 15 years of diverse experience across multiple human resource disciplines, including human resource information systems.

The Company believes its risk management strategy and governance programs related to cybersecurity matters are appropriate for a growing banking system of its size, but we continue to monitor them and improve upon them as warranted under our programs, policies, and procedures. Finally, we maintain customary cybersecurity insurance that we believe is appropriate for our industry and comparable to our peers.


Company Information

Name: FIRST INTERSTATE BANCSYSTEM INC
CIK: 0000860413
SIC Description: State Commercial Banks
Ticker: FIBK - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30