EAGLE BANCORP INC 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

EAGLE BANCORP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:26:39 EST.

Filings

10-K filed on 2025-02-27

EAGLE BANCORP INC filed a 10-K at 2025-02-27 16:26:39 EST
Accession Number: 0001050441-25-000051


Item 1C. Cybersecurity.

As a publicly-traded financial institution, we are subject to various cybersecurity risks that could adversely affect our business, financial condition, results of operations and reputation, including, but not limited to, cyber-attacks against us or our service providers focused on gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data or causing operational disruption. As described below, we have risk management and governance practices and processes designed to address these risks.

The Company has established an enterprise risk management framework that outlines the processes and procedures the Company uses to identify, assess, mitigate and monitor the risks faced by the Company, including cybersecurity risk. Within the overarching enterprise risk management framework, we have an information security program designed to preserve the confidentiality, integrity, and availability of information or data on our systems and those of our service providers, as documented in our information security policy. Our information security program takes a risk-based approach to identifying and assessing the cybersecurity risks that exist within our business and information technology systems. The program addresses the roles and responsibilities of the Board, its committees and management.

The Board is responsible for the oversight of cybersecurity risk management, as well as the selection of a Chief Information Security Officer (“CISO”), the management official responsible for administering and executing the information security program. The Board’s Technology Oversight Committee (the “TOC”) assists the Board in its oversight of the information security program. The TOC reviews information security metrics, oversees significant instances of non-compliance with the information security policy and monitors remediation of those instances, and reviews the appointment of the CISO for recommendation to the Board.

At the management level, the Enterprise Risk Management Committee (the “ERMC”) is primarily responsible for cybersecurity risk management. As it pertains to the information security program, the ERMC assesses and monitors information security risks and approves the information security policy on at least an annual basis. Certain instances of non-compliance with the information security policy are escalated to the ERMC, which may further escalate to the TOC as appropriate. Once escalated to a committee, the committee is responsible for overseeing related remediation.

Our CISO is responsible for the overall administration and execution of the information security program and reports to our Chief Risk Officer (“CRO”). Our CISO has over fifteen years of experience working in information security and risk for a variety of companies and organizations, including multiple financial institutions. The CISO monitors the security of, among other things, systems, applications, tools, databases, computers, websites, cloud infrastructure, vendor tools, and user access systems. The CISO performs an annual information security risk assessment, which, among other things, documents inherent risk levels and controls in place to manage those risks. The information security risk assessment is presented to the Board annually.

We strive to minimize the occurrence of cybersecurity incidents and the risks resulting from such incidents. However, when a cybersecurity incident does occur, the Company has in place an incident response program to guide our assessment of and response to the incident. The CISO coordinates the Company’s response to a cybersecurity incident, including investigating, recording and evaluating any potential, suspected or confirmed incidents involving non-public customer information or Company confidential information. On a regular basis, the CISO discusses with the CRO information security risk issues, risk mitigation progress and developments and information security enhancement initiatives. The CISO reports to the TOC quarterly on information security developments and emerging risks, both in the industry and specific to the Company. The CISO and CRO report on the information security program, including the status of information security-related key risk indicators, to the TOC and the ERMC. The Information Security Policy is also approved by the TOC on an annual basis.

The Company employs third parties in certain aspects of its information security and cybersecurity risk management. For example, we utilize third parties to conduct certain security operations and maintain certain information security infrastructure. We have adopted a Third Party Risk Management Policy, which addresses the identification, measurement, monitoring, and management of our third-party service provider relationships, including those related to information security. The Director of Third-Party Risk Management, along with the CISO, assess and monitor information risks posed by third parties and any non-compliance with the controls created to address such risks. With respect to cybersecurity incidents affecting our third-party service providers, the Director of Third-Party Risk Management works with our service providers to understand and document any incidents, along with managing the impact to us and reporting such incidents to the CRO, ERMC, TOC, and, if applicable, the Board. To date, we have not incurred any material losses related to cybersecurity incidents.

However, the risk management and governance processes described above may not be sufficient to prevent cybersecurity incidents, and we could incur substantial costs and suffer other negative consequences from cybersecurity incidents. See “Part 1, Item 1A. - Risk Factors” for more information on the cybersecurity risks facing the Company.


Company Information

Name: EAGLE BANCORP INC
CIK: 0001050441
SIC Description: State Commercial Banks
Ticker: EGBN - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30