Investar Holding Corp 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

Investar Holding Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 15:35:22 EST.

Filings

10-K filed on 2024-03-07

Investar Holding Corp filed a 10-K at 2024-03-07 15:35:22 EST
Accession Number: 0001437749-24-006962


Item 1C. Cybersecurity.

The Company's Information Security Program (the "Program") is comprised of five pillars: the Information Security Policy, the Enterprise Information Security Risk Assessment, the Incident Response Plan, a formalized Security Awareness Campaign, and an enterprise monitoring and reporting program. The Information Security Policy contains numerous distinct administrative and technical controls that govern data security for the organization and is based on the National Institute of Standards and Technology ("NIST") Cybersecurity Framework. The policy is reviewed and approved by the Board of Directors annually. The Enterprise Information Security Risk Assessment quantifies risk criteria utilizing the same impact measures, including financial, strategic, operational, and reputational, set forth by the Enterprise Risk Committee. The risk assessment is reviewed and approved by the Board of Directors annually. The Enterprise Risk Committee includes members of management from various departments and members of the Board of Directors and oversees the overall risk management of the Company. The Enterprise Risk Committee meets as often as appropriate to perform its responsibilities, but no less than once per calendar quarter, and reports findings and provides recommendations to the Board of Directors on a routine basis. The Incident Response Plan ("IRP") includes procedures for responding to actual or potential cybersecurity incidents, including providing timely notice to customers and our bank regulatory agencies when appropriate. The IRP is based on the NIST Cybersecurity Framework. The plan is tested annually through tabletop exercises. The Security Awareness Campaign is designed with the goal that employees are educated on policy, threats, and best practices from onboarding and throughout their tenure at the Company. This effort includes an onboarding training program, annual attestation and training, and weekly communication designed to help instill in employees a security mindset through repetition. The Company maintains an enterprise monitoring and reporting program, which identifies key risk indicators for tracking and identifying trends. The key risk indicators are presented to the Company's Information Technology Committee ("IT Committee") and the Board of Directors on a monthly basis.

The Program is monitored each year through various internal and external audits, as well as OCC regulatory exams. Vulnerability and penetration testing are also conducted at least annually by an independent third party to supplement the vulnerability and patching program routinely performed by internal staff. Third-party vendors supplement the Company's internal patching program as necessary. The Company also utilizes a third-party SOC as a Service to monitor extended detection and response logs and network traffic.

Third-party service provider risk is evaluated prior to and throughout the relationship. Third-party service providers must meet a minimum set of baseline security standards prior to being onboarded. During onboarding, the third party and the services they provide are added to the Information Security Risk Assessment, including consideration of inherent risk factors and mitigating controls. Alternative vendors and the effort to transition between vendors are identified during onboarding as well as in the event that the selected provider may fail in providing contracted services at any time. After a third party is onboarded, they are subject to the annual third-party risk management program, specific to their assigned risk criticality. This effort includes the review of service organization controls reports, business continuity and disaster recovery efforts, insurance certificates, and other compliance related concerns when applicable.

During the last three years we have not experienced any cybersecurity incidents that have materially affected our Company, including our business, strategy, results of operations or financial condition. For a discussion of how risks from cybersecurity threats may be reasonably likely to materially affect us, refer to Item 1A. Risk Factors, "Risks Related to our Business," "We rely on information technology and telecommunications systems, many of which are provided by third-party vendors" and "Cyberattacks or other security breaches could adversely affect our operations, net income or reputation," incorporated by reference into this Item 1C.

Governance

The Board of Directors is responsible for oversight of risks from cybersecurity threats. Oversight of cybersecurity risk management is performed primarily by the Board of Directors and the IT Committee. The IT Committee consists of members of the Board of Directors and key members of management. The IT Committee's primary purpose is to assist the Board of Directors in its oversight of technology and innovation strategies, plans and operations related to cybersecurity, data privacy, and third-party technology risk management. The Chief Information Security Officer ("CISO") provides monthly information security reports on cybersecurity programs, policies and controls, key risk indicators and trends including responses to any cybersecurity events, and efforts to improve security. Annually, the CISO provides security training to the Board of Directors. The CISO also provides the Board of Directors with an annual Information Security Program Summary Report in compliance with federal banking guidelines. The program is managed by the CISO, who reports to the Chief Operations Officer, and is reviewed by regulators as well as internal auditors. The Chief Information Officer ("CIO") and information technology staff support the CISO in cybersecurity operations as necessary to mitigate risks to the Company's technology infrastructure. The CISO holds two cybersecurity industry leading certifications (CISSP, CCSP) and has more than 20 years of technology experience. Information technology staff are generally subject to professional education, experience, and certification requirements, and receive education and mentoring from the CISO and CIO.


Company Information

Name: Investar Holding Corp
CIK: 0001602658
SIC Description: State Commercial Banks
Ticker: ISTR - Nasdaq
Website:
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: December 30