EQUITY BANCSHARES INC 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

EQUITY BANCSHARES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 16:46:12 EST.

Filings

10-K filed on 2024-03-07

EQUITY BANCSHARES INC filed a 10-K at 2024-03-07 16:46:12 EST
Accession Number: 0000950170-24-028081


Item 1C. Cybersecurity.

The Company’s Board of Directors (the “Board”) recognizes the importance of maintaining the trust and confidence of our customers, clients, business partners and employees. The Board is actively involved in oversight of the Company’s risk management program, and cybersecurity represents an important component of the Company’s overall approach to enterprise risk management (“ERM”). The Company’s cybersecurity policies, standards, processes and practices are integrated into the Company’s ERM program. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of its systems and the information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

Due to our heavy reliance on the strength and capability of our technology systems, which we use both to interface with our customers and to manage our internal financial reporting and other systems, we utilize a layered cybersecurity model designed to protect Company systems and sensitive data. This defense model is composed of a variety of different components including administrative, technical controls and safeguards. These various components are centrally managed and monitored creating a multi-layered, interlocking, cybersecurity defense system. We believe this defense system is dynamic and designed to adjust to protect against the latest cyber threats and attack vectors.

Risk Management and Strategy

As one of the critical elements of the Company’s overall ERM approach, the Company’s cybersecurity risk management program and strategy is focused on the following key areas:

Governance: As discussed in more detail under the heading “Governance,” the Board’s oversight of cybersecurity risk management is supported by the Risk Management Committee of the Board (the “Risk Management Committee”), which regularly interacts with the Company’s ERM function, the Company’s Chief Information Security Officer (“CISO”), the Company’s Chief Information Officer (“CIO”), other members of management.

Incident Response and Recovery Planning: The Company has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.

Technical Safeguards: The Company deploys technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.

Incident Response and Recovery Planning: The Company has established and maintains comprehensive incident response and recovery plans that establish a structured approach for the Company’s response to a cybersecurity incident, and such plans are tested and evaluated on a regular basis.

Outside Experts. The Company routinely works with outside experts, consultants, auditors and other third parties in connection with managing its cybersecurity risks and for advice regarding best practices and technical expertise.

Education and Awareness: The Company provides regular, mandatory training for personnel regarding cybersecurity threats to equip the Company’s personnel with effective tools to address cybersecurity threats, and to communicate the Company’s evolving information security policies, standards, processes and practices.

The Company engages in the periodic assessment and testing of the Company’s policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The Company regularly engages third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reviewed by the Cybersecurity team and the Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.

Governance

Board Oversight of Risks from Cybersecurity Threats

The Board, in coordination with the Risk Management Committee, oversees the Company’s ERM process, including the management of risks arising from cybersecurity threats. The Board and the Risk Management Committee each receive regular presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties.

The Board and the Risk Management Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. On an annual basis, the Board and the Risk Management Committee discuss the Company’s approach to cybersecurity risk management with the Company’s CISO and CIO.

During the fiscal year of this Report, the Company has not identified risks from cybersecurity threats, including as a result of prior cybersecurity incidents, that individually or in the aggregate have materially affected or are reasonably anticipated to materially affect the organization. Nevertheless, the Company recognizes cybersecurity threats are ongoing and evolving, and we continue to remain vigilant. For more information on the Company’s cybersecurity-related risks, see “Item 1A - Risk Factors - We use information technology in our operations and offer online banking services to our customers, and unauthorized access to our or our customers’ confidential or proprietary information as a result of a cyber-attack or otherwise could expose us to reputational harm and litigation and adversely affect our ability to attract and retain customers.”

Management’s Role in Assessing and Managing Risks from Cybersecurity Threats

The CISO, in coordination with our Chief Executive Officer (“CEO”), Chief Financial Officer (“CFO”), Chief Information Officer (“CIO”) and Chief Legal Officer (“CLO”), works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans.

To facilitate the success of the Company’s cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO and CIO monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and report such threats and incidents to the Risk Management Committee when appropriate.

The CISO has served in various roles in information technology and information security for over 15 years, including serving as the Chief Information Security Officer of two large public companies. The CISO holds an undergraduate degree in Information Networking and Telecommunications, a graduate degree in Cybersecurity, and has attained the professional certification of Certified Information Systems Security Professional. The CIO holds an undergraduate degree in Business Finance and has served in various roles in information technology for over 30 years, including serving as either the Chief Information Security Officer or Chief Information Officer of two public companies.


Company Information

Name: EQUITY BANCSHARES INC
CIK: 0001227500
SIC Description: State Commercial Banks
Ticker: EQBK - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: December 30