Amerant Bancorp Inc. 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

Amerant Bancorp Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 13:21:41 EST.

Filings

10-K filed on 2024-03-07

Amerant Bancorp Inc. filed an 10-K at 2024-03-07 13:21:41 EST
Accession Number: 0001734342-24-000019

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY We recognize the security of our banking operations is critical to protecting our customers, maintaining our reputation and preserving the value of the Company. We have an enterprise risk management framework that is designed to identify, measure, control, monitor and mitigate risks across various aspects of our business and operations, including, credit, interest rate, liquidity, operational, regulatory compliance, strategic, reputational, and legal risks. As we rely and continue to increase our reliance on technology and given the constant state of cyber threats, information security or cybersecurity is a significant component of our enterprise risk management framework. Our Chief Information Security Officer, a key member of our risk management organization, who has overall responsibility, accountability, and ownership for this cybersecurity component, reports directly to the Chief Risk Officer and periodically presents reports to the Risk Committee of our Board of Directors. We are actively engaged in identifying, managing, and mitigating cybersecurity risks with the objective of avoiding or minimizing the impact of malicious and non-malicious actions and threats aimed at penetrating, disrupting or misusing our systems and information. Protecting company data, non-public customer and employee data, and the systems that collect, process, and maintain this information is deemed critical. We have developed and implemented an enterprise-wide information security program, which is designed to protect the availability, integrity, and confidentiality of customer non-public information and company data, including the protection of the hardware and infrastructure used to store and transmit such information. Our Information Security Program is structured and aligned with the Federal Financial Institution Examination Council ( FFIEC ) guidelines for information security, regulatory guidance, and other industry standards. To promote the continued effectiveness of our information security program, we periodically conduct risk assessments, complete audits and tests, participate in industry associations, and review information from threat intelligence feeds. In addition, our Chief Information Security Officer and members of his team and of our Information Technology team regularly collaborate with external parties, including regulatory agencies, other banks and industry groups to share cyberthreat information, trends and issues and identify best practices. We leverage knowledge, people, processes, and technology to develop, implement, manage, and maintain cybersecurity controls. Our information security program employs several detective and defensive tools designed to monitor, alert, and block suspicious activity, as well as to identify, report and address any suspected threats. Our information security program is a continuous on-going periodically updated program that is supported by policies, procedures, standards and guidelines; an Enterprise-wide Vendor Management Program; a Technology Project Management Office (PMO) and an Enterprise-wide Business Continuity and Disaster Recovery Program. This integration is aimed at ensuring that program is embedded into the organization s lines of business, support functions and third-party vendor management program. We have implemented controls that align information security standards with the nature of our operations and strategic direction. When possible, we implement layered control systems by deploying different controls at different points of business processes and throughout an IT system so that the strength of one control can compensate for weaknesses in or possible failure of another control. We have also developed an enterprise-wide vendor management and third-party risk management program designed to identify, assess, and manage information security, operational and technology risks associated with third-party vendors. Our Enterprise-wide Vendor Management Program is in alignment with the FFIEC Guidelines for Third Party Service Providers and is designed to identify, assess, and manage risks, including cybersecurity risks, associated with external service providers. Our Information Security Program also continuously promotes cybersecurity awareness and culture across the organization, including regular education and training, that requires team members to complete training and certification on an annual basis and phishing simulations (attempts of attacks) monthly. New hires are also provided with information security awareness training during the orientation process. A customer security awareness and communication program has also been developed and implemented to keep customers abreast of security and fraud risks. 57 While we believe that our business, financial condition, or results of operations have not been materially adversely affected by any cybersecurity incidents, cybersecurity threats are common and pervasive and, we, as well as our customers, regulators, and service providers, have experienced and will likely continue to experience a significant increase in information security and cybersecurity threats and attacks, see Our information systems are exposed to cybersecurity threats and may experience interruptions and security breaches that could adversely affect our business and reputation in Item 1A. Risk Factors. We continuously assess the risks and changes in the cyber environment and update our information security program to reflect the results of risk assessments and the key controls necessary to safeguard customer information and ensure the proper disposal of customer information. The program is updated considering changes in technology, the sensitivity of our customer information, internal or external threats to information, and our own changing business environment which can include mergers and/or acquisitions, outsourcing arrangements, and changes in customer information systems which may have material impact on the program. We also leverage control testing of key controls, systems, and procedures of our information security program performed by internal and external auditors and external partners, that is periodically completed to assess their design and operating effectiveness and make recommendations to strengthen our risk management program. We have developed and maintain an incident response plan that provides a documented procedure to respond and address cybersecurity incidents, including timely notification to the Executive Management Committee and the Risk Committee of the Board of Directors. The incident response plan provides for the interaction and coordination of executive, strategic and tactical teams, depending on the severity level of the incident, aimed at facilitating coordination across multiple units and departments of the Company. Our incident response plan is tested at least annually. Governance The Information Security Department, under the leadership of the Chief Information Security Officer, has the responsibility for implementation and monitoring our information security program. The responsibilities of this department include cybersecurity risk assessments, vulnerability management, access reviews for systems and applications, incident response and management, gathering and sharing threat intelligence, monitoring of controls, and overall responsibility for the development of the information security program including relevant policies, procedures, standards and guidelines to enhance data security and mitigate risks. Members of this department include individuals with varying degrees of education and experience, in particular, our Chief Information Security Officer has over twenty years of experience in information technology and risk management, with emphasis on information security and cyber security risk management; throughout his career he has served in different positions including as Information Technology Auditor, Technology Risk Manager, Information Security Program Manager and, since September 2018 as our CISO. He has a bachelor s degree in computer systems analysis and has obtain several relevant certifications, including having completed the EC-Council s Certified Chief Information Security Officer Program and obtaining the Information Systems Auditor and Risk and Information Systems Control certifications from the Information Systems Audit and Control Association, ISACA. Several management committees, including our Executive Management Committee, manage our information security program and meet periodically to review and discuss information security matters. In general, summaries of key matters discussed are reported to the Risk Committee. Our Board, through the Risk Committee, is actively engaged in the oversight of our information security program. The Risk Committee oversees our information security program, including management s actions to identify and evaluate, material cyber vulnerabilities, threats, and risks as well as the development and implementation of mitigating and remediating actions. Our Chief Information Security Officer presents quarterly reports to the Risk Committee regarding our information security program, including relevant information on key risk and performance indicators related to cybersecurity matters as well as significant cybersecurity and privacy events. In addition, our information security risk profile is presented to the Risk Committee on a semi-annual basis. 58

Company Information