SOUTH PLAINS FINANCIAL, INC. 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

SOUTH PLAINS FINANCIAL, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 16:34:29 EDT.

Filings

10-K filed on 2024-03-15

SOUTH PLAINS FINANCIAL, INC. filed a 10-K at 2024-03-15 16:34:29 EDT
Accession Number: 0001140361-24-013519


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Cybersecurity threats have the potential to negatively impact companies of all sizes and complexities. Our normal business operations could be severely disrupted by cyberattacks, both against our own information systems as well as those hosted and managed by our third party partners. The loss or disclosure of sensitive data as a result of cyberattacks could have a material impact on our business. For more information on how cybersecurity risk may materially affect the Company's business strategy, results of operations or financial condition, please refer to Item 1A, Risk Factors, of this Form 10-K.

We have implemented a comprehensive Information Security and Risk Management Program that is designed and maintained to be compliant with all applicable federal and state regulations, and is regularly audited by independent experts to ensure continuous effectiveness and compliance. Key elements of this program include:

- a comprehensive risk management process, integrated with the Enterprise Risk Management system, that continuously assesses, identifies, and manages current and emerging cybersecurity threats and risks, evaluates the effectiveness of information security controls, and reports the overall risk posture to Executive Management and the Board of Directors.
- assessment of daily cyber threat intelligence from multiple sources
- the use of third party information security services for continuous monitoring and alerting of information systems, network, and user activity
- a Vulnerability Management Program that scans networks, devices, and information systems for known cyber vulnerabilities, and initiates processes to mitigate them
- a third party risk management program that evaluates and ensures our key partners adhere to the same level of information security posture as we do internally
- Business Continuity and Incident Response plans that are designed and tested for anticipated operational failures, natural disasters, cyberattacks, and other disruptive events
- and an Information Security Awareness program to ensure employees and customers maintain an awareness of information security threats and best practices to prevent them.

Information Security Governance

The Chief Information Security Officer is primarily responsible for the Information Security and Cyber Risk Management programs, and reports to the Chief Risk Officer. The Chief Technology Officer that oversees the Information Technology Department plays a key role in cybersecurity, ensuring that information systems, networks, and endpoints are configured and operated according to the requirements of the Information Security Program and related policies and standards. Both the current Chief Information Security Officer and Chief Technology Officer have well over 20 years of experience in Information Technology and Information Security.

The Information Security Committee, consisting of senior management and analysts from Information Security and Information Technology, monitors and assesses cyber threat intelligence, responds to cyber incidents at a technical level, and determines whether new controls are needed to address emerging risks or active cyber exploits. Key Risk Indicators for Information Security and Information Technology are reported to the Operations and Information Technology Steering Committees. Key risks and other relevant information is further summarized for the Board Risk and Audit Committees.

The Board also receives a full report on the Information Security Program and its effectiveness annually. Other cyber related issues are brought to the attention of the Board as needed.


Company Information

Name: SOUTH PLAINS FINANCIAL, INC.
CIK: 0001163668
SIC Description: State Commercial Banks
Ticker: SPFI - Nasdaq
Website
Category: Accelerated filer
Emerging growth company
Fiscal Year End: December 30