HomeTrust Bancshares, Inc. 10-K Cybersecurity GRC - 2024-03-12

Page last updated on April 11, 2024

HomeTrust Bancshares, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 16:52:14 EDT.

Filings

10-K filed on 2024-03-12

HomeTrust Bancshares, Inc. filed an 10-K at 2024-03-12 16:52:14 EDT
Accession Number: 0001538263-24-000029

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management, Strategy and Governance There continues to be a rise in electronic fraudulent activity, security breaches and cyber-attacks within the financial services industry, especially in the commercial banking sector where our operations rely on the secure processing, storage and transmission of confidential and other information in our computer systems and networks. Although we are not aware that we have experienced any material misappropriation, loss or other unauthorized disclosure of confidential or personally identifiable information as a result of a cybersecurity breach or other act, we are regularly the target of attempted threats such as ransomware and denial-of-service attacks. In addition, our customers, vendors and other third parties also face the same threats, and a cybersecurity incident impacting any of these parties could also impact our operations. For these reasons, cybersecurity is critical to supporting our business and protecting our customers. Our Chief Information Officer is responsible for monitoring and coordinating the Company s Information Security Program, which is managed on a day-to-day basis by our Physical and Information Security Officer. This program has been designed to: Ensure appropriate security of all information systems data, equipment and processes Ensure the security and confidentiality of nonpublic customer information Protect against any anticipated threats or hazards and Protect against unauthorized access to, or use of, such information. Operationally, the information security team employs numerous security tools such as threat detection, alerting and monitoring, data loss prevention, vulnerability remediation, anti-malware and email security protections. Consistent with our Business Continuity and Security Incident Response Policies, the Company engages in annual disaster recovery and information security tabletop exercises to simulate threats and events, and engages third parties on an annual basis to conduct and report on penetration testing exercises. We administer mandatory annual security awareness training, routine employee email phishing testing, and provide regular updates across the Company to highlight recent examples of risks as they are identified. Our Board of Directors is responsible for overseeing the Company s cybersecurity strategies and setting the acceptable cybersecurity risk appetite as part of its oversight of the Company s risk management activities. The Board has designated the Executive and Risk Committee to oversee the Company s Enterprise Risk Management Program, which includes the framework for identifying, measuring, monitoring and controlling cybersecurity risk. Between updates provided by the Chief Information Officer and Chief Risk Officer, who leads the Company s Enterprise Risk Management function, the Committee receives quarterly updates over assessed internal and external risks, cyber threats, industry trends in the cyber area, security operations and incident response, threat and vulnerability management activities, identity and access management controls, and the results of third-party audits and examinations. To ensure this focus is properly disseminated, the Enterprise Risk Management Program includes a Management Risk Committee, made up of executive officers, to ensure proper oversight of risk-related decision making and communication by executive management. In addition to internal monitoring procedures, the Company maintains a vendor risk management program that is designed to identify and manage risks, including cybersecurity risks, posed by our third-party vendors, particularly those with access to, or possession of, sensitive information. Vendor contract negotiations require the inclusion of data protection terms and responsibilities regarding information breach notifications and reporting. The program also includes due diligence and risk assessment procedures occurring prior to and during the life of these contractual relationships, to evaluate the vendor s management of data transmission, storage of information, encryption practices, vulnerability testing and general strength of the vendor s information security policy and practices. The Company s information security team has a defined escalation path for issues and events as outlined in our Security Incident Response Policy. Our information security, IT infrastructure, IT support, and system analyst teams will take the lead role in evaluating, escalating, investigating and remediating a potential cybersecurity event, including formulating the initial response, and bringing in individuals from other departments as deemed appropriate. Any incident assessed as potentially being or becoming material is further escalated to the 23 Operating Committee which includes all executive officers, and may be elevated to the Board of Directors if the incident is deemed material or otherwise appropriate. Outside legal counsel and forensic analysts may also be engaged to assist in evaluating and remediating cybersecurity issues and events. In spite of the Company s investments in systems and processes to address cyber risk, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material effect on the Company. For further discussion, see Item 1A. Risk Factors Risks Related to Cybersecurity, Data and Fraud.

Company Information