TC Bancshares, Inc. 10-K Cybersecurity GRC - 2024-03-22

Page last updated on April 11, 2024

TC Bancshares, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-22 08:30:55 EDT.

Filings

10-K filed on 2024-03-22

TC Bancshares, Inc. filed an 10-K at 2024-03-22 08:30:55 EDT
Accession Number: 0000950170-24-035094

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Policy statements and regulations by state and federal bank regulators indicate that financial institutions should design multiple layers of security controls to establish lines of defense and to ensure that their risk management processes also address the risk posed by compromised customer credentials, including security measures to reliably authenticate customers accessing internet-based services of the financial institution. For example, a financial institution s management is expected to maintain sufficient business continuity planning processes to ensure the rapid recovery, resumption and maintenance of the institution s operations after a cyberattack involving destructive malware. On April 1, 2022, a final rule issued by federal financial regulatory agencies became effective that rule imposes upon banking organizations and their service providers notification requirements for significant cybersecurity incidents. Specifically, the rule requires banking organizations to notify their primary federal regulator as soon as possible and no later than 36 hours after the discovery of a computer-security incident that rises to the level of a notification incident as those terms are defined in the rule. Banks service providers are required under that rule to notify any affected bank to or on behalf of which the service provider provides services as soon as possible after determining that it has experienced an incident that materially disrupts or degrades, or is reasonably likely to materially disrupt or degrade, covered services provided to such bank for as much as four hours. Additionally, effective December 9, 2022, the FTC s amendments to the GLBA s Safeguards Rule went into effect. That rule requires financial institutions to: (i) appoint a qualified individual to oversee and implement their information security programs (ii) implement additional criteria for information security risk assessments (iii) implement safeguards identified by assessments, including access controls, data inventory, data disposal, change management, and monitoring, among other things (iv) implement information system monitoring in the form of either continuous monitoring or periodic penetration testing (v) implement additional controls including training for security personnel, periodic assessment of service providers, written incident response plans, and periodic reports from the qualified individual to the board of directors. Additionally, multiple states and Congress are considering laws or regulations which could create new individual privacy rights and impose increased obligations on companies handling personal data. Risk management and strategy. Our risk management program is designed to identify, assess, and mitigate risks across various aspects of our Company, including financial, operational, regulatory, reputational, and legal. Cybersecurity is a critical component of this program, given the increasing reliance on technology and potential of cyber threats. Our Information Security Officer Committee (ISOC) is primarily responsible for this cybersecurity component. The ISOC is chaired by the Company’s Chief Financial Officer with oversight by a third-party information security specialist. In addition, the ISOC members include our Chief Information Officer along with external technology and internal business resources. The ISOC makes quarterly reports to the board of directors. Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse our systems or information. The structure of our information security program is designed around the National Institute of Standards and Technology ( NIST ) Cybersecurity Framework, regulatory guidance, and other industry standards. In addition, we leverage certain industry and government associations, third-party benchmarking, audits, and threat intelligence feeds to facilitate and promote program effectiveness. Our Chief Information Officer, who reports directly to our Chief Financial Officer, along with key members of their teams, regularly collaborate with peer banks, industry groups, and policymakers to discuss cybersecurity trends and issues and identify best practices. The information security program is periodically reviewed by such personnel with the goal of addressing changing threats and conditions. We employ an in-depth, layered, defensive strategy that embraces a trust by design philosophy when designing new products, services, and technology. We leverage people, processes, and technology as part of our efforts to manage and maintain cybersecurity controls. We also employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. We have established processes and systems designed to mitigate cyber risk, including regular and on-going education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests. We engage in regular assessments of our infrastructure, software systems, and network architecture, using 39 internal cybersecurity experts and third-party specialists. We also actively monitor our email gateways for malicious phishing email campaigns and monitor remote connections as a significant portion of our workforce has the option to work remotely. We leverage internal and external auditors and independent external partners to periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and make recommendations to strengthen our risk management program. We maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification of and escalation to executive management and/or the Board of Directors. The Incident Response Plan is coordinated through the Chief Information Officer and key members of management are embedded into the Plan by its design. The Incident Response Plan facilitates coordination across multiple parts of our organization and is evaluated at least annually. Notwithstanding our defensive measures and processes, the threat posed by cyber-attacks is severe. Our internal systems, processes, and controls are designed to mitigate loss from cyber-attacks and, while we have experienced cybersecurity events in the past, to date, risks from cybersecurity threats have not materially affected our company. For further discussion of risks from cybersecurity threats, see the section captioned Risks Related to Operational Matters in Item 1A. Risk Factors. Governance. Our Chief Information Officer is accountable for managing our enterprise information security department and delivering our information security program. The responsibilities of this department include cybersecurity risk assessment, defense operations, incident response, vulnerability assessment, threat intelligence, identity access governance, third-party risk management, and business resilience. The foregoing responsibilities are covered on a day-to-day basis by a first line of defense function, and our second line of defense function, including the Chief Information Officer, provides guidance, oversight, monitoring and challenge of the first line s activities. The second line of defense function is separated from the first line of defense function through organizational structure and ultimately reports directly to the Chief Financial Officer. The department, as a whole, consists of information security professionals with varying degrees of education and experience, as well as third-party information security specialists. In particular, our Chief Information Officer has substantial relevant expertise and formal training in the areas of information security and cybersecurity risk management. In addition to the ISOC, our board of directors has created the Information Technology Steering Committee, These committees provide oversight and governance of the technology program and the information security program. These committees include the Chief Financial Officer and Chief Information Officer as well as their direct reports and other key departmental managers from throughout the entire Company. The Information Technology Steering Committee meets on a quarterly basis. The ISOC generally meets monthly to provide oversight of the risk management strategy, standards, policies, practices, controls, and mitigation and prevention efforts employed to manage security risks. More frequent meetings occur from time to time in accordance with the Incident Response Plan in order to facilitate timely informing and monitoring efforts. The Chief Information Officer reports summaries of key issues, including significant cybersecurity and/or privacy incidents, discussed at committee meetings and the actions taken to the Information Technology Steering Committee of our board of directors on a quarterly basis (or more frequently as may be required by the Incident Response Plan). The Information Technology Steering Committee of our board of directors is responsible for overseeing our information security and technology programs, including management s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. Our Chief Information Officer provides quarterly reports to the Information Technology Steering Committee of our board of directors regarding the information security program and the technology program, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes. The board of directors reviews and approves our information security and technology budgets and strategies annually. 40

Company Information