BANCPLUS CORP 10-K Cybersecurity GRC - 2024-03-06

Page last updated on April 11, 2024

BANCPLUS CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-06 17:04:07 EST.

Filings

10-K filed on 2024-03-06

BANCPLUS CORP filed an 10-K at 2024-03-06 17:04:07 EST
Accession Number: 0001118004-24-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY BancPlus recognizes the critical importance of assessing, identifying, and managing material risks from cybersecurity threats and safeguarding the security of its banking operations and data, including protecting its customers information. As described in more detail below, BancPlus has established policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats (collectively, the cybersecurity program ). The Company has devoted significant financial and personnel resources to implement and maintain security measures to meet regulatory requirements and customer expectations, and have made significant investments to maintain the security of the Company s banking operations and data and cybersecurity infrastructure. Risk Management and Strategy BancPlus cybersecurity program is integrated into its overall enterprise-wide risk management program and based on guidance established by the National Institute of Standards and Technology ( NIST ), the International Organization for Standardization and applicable regulatory standards, as described below. Collaboration BancPlus cybersecurity program seeks to address cybersecurity risks through a cross-functional approach that is focused on confidentiality, security, and availability of the information that the Company collects and stores by identifying and mitigating cybersecurity threats and effectively responding to cyber threats when they occur. BancPlus cybersecurity program is primarily administered at the management level by the Cybersecurity Committee, which is led by Bancplus Chief Information Security Officer ( CISO ) with other members of executive management serving as members. The Cybersecurity Committee is a cross-functional governing body that drives alignment on security decisions across the Company. The Cybersecurity Committee meets regularly to develop strategies for preserving the confidentiality, integrity and availability of Company and customer information, identifying and mitigating cybersecurity threats, and effectively responding to cybersecurity incidents. The cybersecurity program includes controls and procedures that are designed to ensure prompt escalation of appropriate cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the BancPlus board of directors in a timely manner. Risk Assessment The Cybersecurity Committee, described below, meets as needed, but at least monthly, to review security performance metrics, identify security risks, and assess the status of approved security enhancements. The Cybersecurity Committee also considers and makes recommendations to the BancPlus board of directors on the Company s cybersecurity program, including security policies and procedures, security service requirements, and risk mitigation strategies. At least annually, the Cybersecurity Committee conducts a cybersecurity risk assessment that considers information from internal stakeholders, known information security vulnerabilities, and information from external sources (e.g., reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants). The results of the assessment are used to drive alignment on, and prioritization of, initiatives to enhance the Company s cybersecurity program, including security controls, make recommendations to improve processes, and inform a broader enterprise-level risk assessment that is presented to the Risk Committee of the BancPlus board of directors and members of management. Technical Safeguards As part of the Company s cybersecurity program, BancPlus regularly assess and deploy technical safeguards designed to protect the Company s information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence, and incident response experience. In the event of a cybersecurity incident, the CISO will notify the Cybersecurity Committee. Incident Response and Recovery Planning As part of its cybersecurity program, BancPlus has established comprehensive incident response and recovery plans in the case of a cybersecurity incident and continues to regularly test and evaluate the effectiveness of those plans. The Company s incident response and recovery plans address and guide its employees, management, and the BancPlus board of directors on responses to a cybersecurity incident. Third-Party Risk Management BancPlus engages third party assessors, consultants and auditors in connection with the Company s information security program, including to conduct external penetration testing, independent audits, and risk assessments. BancPlus also utilizes third party 38 Table of Contents service providers in the ordinary course of business. The Company has implemented controls designed to identify and mitigate cybersecurity threats associated with its use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. The Company uses a variety of inputs in such risk assessments, including information supplied by providers and third parties who assist in such risk assessment. In addition, the Company requires its providers to meet appropriate security requirements, controls, and responsibilities and investigate security incidents that have impacted the Company s third-party providers, as appropriate. Education and Awareness BancPlus cybersecurity program requires each of the Company s employees to contribute to the Company s data security efforts. The Company regularly reminds employees of the importance of handling and protecting customer and employee data, including through annual privacy and security training to enhance employee awareness of how to detect and respond to cybersecurity threats. External Assessments BancPlus cybersecurity program, including the related policies, standards, processes, and practices are regularly assessed by consultants and external auditors. These assessments include a variety of activities, including information security maturity assessments, audits and independent reviews of the Company s information security control environment and operating effectiveness. Reports and significant findings from these assessments are provided to management and the Risk Committee of the BancPlus board of directors. The Company s cybersecurity program is reviewed by the BancPlus board of directors at least annually and is adjusted based on the information provided from these assessments and other recommendations from the Cybersecurity Committee. Cybersecurity Risk Oversight The BancPlus board of directors, through the Risk Committee, provides direction and oversight of the enterprise-wide risk management framework of BancPlus. The Risk Committee of the BancPlus board of directors oversees the Company s cybersecurity program. They receive regular reports from the Cybersecurity Committee about the prevention, detection, mitigation, and remediation of cybersecurity risks, including cybersecurity incidents, information security vulnerabilities, progress of risk reduction initiatives, external auditor feedback, control maturity assessments, and relevant internal and industry cybersecurity incidents. BancPlus risk management framework is overseen by the Chief Risk Officer at the management level. BancPlus CISO has primary responsibility for assessing and managing material cybersecurity risks and leads management s Cybersecurity Committee. The CISO s experience spans over 20 years of cybersecurity operations and management, leading teams in highly regulated industries such as healthcare, education, and financial industry consulting for private and public companies. The CISO holds a Master of Business Administration and has attained a variety of professional certifications such as CISSP, CISM, GLAW, and GSEC, among others. The CISO reports to the Chief Risk Officer. See the section entitled Part I, Item 1. Business Enterprise Risk Management for additional information on the role of the BancPlus board of directors and its committees in overseeing risk management. Relevant Regulations As a regulated financial institution, BankPlus is also subject to financial privacy laws and the Company s cybersecurity practices are subject to oversight by the federal banking agencies. In addition, the SEC recently enacted rules, effective as of December 18, 2023, requiring public companies to disclose material cybersecurity incidents that they experience on Form 8-K within four business days of determining that a material cybersecurity incident has occurred and to disclose on annual basis material information regarding their cybersecurity risk management, strategy, and governance. For additional information, see the section entitled Part I, Item 1. Business Supervision and Regulation Financial Privacy and Cybersecurity. Prior Incidents Although BancPlus has not, as of the date of this Annual Report on Form 10-K, experienced a cybersecurity threat or incident that materially affected its business, financial condition or results of operations, there can be no guarantee that it will not experience such an incident in the future. There can be no guarantee that BancPlus policies and procedures will be properly followed in every instance or that those policies and procedures will be effective. For additional information regarding the risks the Company faces from cybersecurity threats, please see the risk factor titled Unauthorized access, cyber-crime and other threats to data security may subject BancPlus to regulatory action or penalties, require significant resources, harm BancPlus reputation, and otherwise cause harm to its business included in Part I, Item 1A. Risk Factors of this report.

Company Information