GREAT SOUTHERN BANCORP, INC. 10-K Cybersecurity GRC - 2024-03-11

Page last updated on April 11, 2024

GREAT SOUTHERN BANCORP, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-11 17:33:19 EDT.

Filings

10-K filed on 2024-03-11

GREAT SOUTHERN BANCORP, INC. filed a 10-K at 2024-03-11 17:33:19 EDT
Accession Number: 0001410578-24-000178


Item 1C. Cybersecurity.

Cybersecurity and Risk Management

The Company's cybersecurity risk management processes are integrated into the overall risk management process managed by the Chief Risk Officer through reporting of cyber risks to the Information Security Steering Committee (ISSC). The ISSC is chaired by the Managing Director of Information Security, who has 17 years of information technology (IT) and information security experience in the financial services industry. Key metrics are monitored on an ongoing basis by the IT Risk Management and IT Security teams, with oversight by the ISSC.

IT Risk Management performs regular information security-focused risk assessments, including but not limited to assessments based on the Center for Information Security Controls Self-Assessment Tool and Ransomware Self-Assessment Tool aligned to the Federal Financial Institutions Examination Council standards. IT Risk Management maintains processes for prevention, detection, and mitigation of cybersecurity incidents.

The Company maintains an Incident Response Plan (IRP) that covers response and remediation processes for managing cybersecurity incidents. The Incident Response Team (IRT) members include senior management and other relevant personnel, with defined roles and responsibilities. IRP metrics related to monitoring and detection are presented to the ISSC and reported to the board. The IRT is notified of all incidents, and incidents are elevated to the board when warranted.

Engagement of Third Parties

The Company utilizes third parties for some cybersecurity services, including but not limited to managed security services, external and internal penetration testing, social engineering tests, third party risk reviews and tabletop exercises.

Oversight and Identification of Risks Associated with Third Parties

Third Party Risk Management, a component of IT Risk Management, reviews new vendors prior to onboarding to oversee and identify potential risks and performs ongoing monitoring of emerging risks related to third-party service providers. Third-party service provider reviews include completion of a standardized questionnaire and risk reviews for financial, reputation, information security, cybersecurity, and business resiliency risk. These reviews are reported to the Information Technology Steering Committee (ITSC) for approval of new applications. The ITSC is chaired by the Chief Information Officer, who has more than 20 years experience in IT management and cybersecurity, predominantly in the financial services industry. IT Risk Management performs contract reviews for security controls and notification processes. IT Risk Management also conducts annual IT risk assessments on critical and high risk applications.

Risks from Cybersecurity Threats

In the last fiscal year, the Company did not experience any material cybersecurity incidents. For additional discussion of cybersecurity-related risks facing the Company, see Item 1A. Risk Factors.

Board Oversight

In connection with the board's oversight of risk management, cybersecurity updates are provided to the board at least quarterly, including, but not limited to, the following materials: Annual Gramm-Leach-Bliley Act Information Security Program (ISP) Report, IT Risk Management and IT Security Metrics, Penetration Testing and Tabletop Exercise updates, IT Risk Assessments, Disaster Recovery Test Results, Third Party Risk Management Metrics, Incident Response Metrics, Security Awareness Training Metrics and additional cybersecurity education topics.


Company Information

Name: GREAT SOUTHERN BANCORP, INC.
CIK: 0000854560
SIC Description: State Commercial Banks
Ticker: GSBC - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 30