BANK OF HAWAII CORP 10-K Cybersecurity GRC - 2025-03-03

Page last updated on March 4, 2025

BANK OF HAWAII CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-03 19:10:56 EST.

Filings

10-K filed on 2025-03-03

BANK OF HAWAII CORP filed a 10-K at 2025-03-03 19:10:56 EST
Accession Number: 0000950170-25-031193


Item 1C. Cybersecurity.

As a company that collects and retains large volumes of customer and employee data, including payment card numbers and other personally identifiable information, we face significant and persistent cybersecurity risks. The protection and integrity of that data is important to us, which is demonstrated by the significant efforts and investments made to implement various measures to manage the risk of a security breach or disruption.

Risk Management and Strategy

Assessing, identifying, and managing cybersecurity related risks are integrated into our overall Enterprise Risk framework, of which one of the objectives is to ensure the confidentiality, integrity, and availability of our information sets through the maintenance of a comprehensive information security program. The program ensures regulatory compliance in alignment with Federal Financial Institutions Examination Council, the Sarbanes-Oxley Act of 2002, and the Gramm-Leach-Bliley Act. One of the key aspects of this program is a risk assessment that is used to identify industry and company-specific risks, measure control effectiveness, identify any gaps that need to be addressed, and linking our controls with applicable policies, standards and guidelines to ensure that responsible parties are aware of their obligations with respect to this program.

Governance

The Board of Directors holds ultimate responsibility for overseeing cybersecurity and information security risks. They dedicate substantial time and attention to this critical area, leveraging the technical expertise of their members. The Board regularly reviews an Enterprise-Wide Risk Report, which includes key cybersecurity risk measures and trends across the Company. Additionally, the Board annually reviews and approves the Information Security Policy and frequently receives presentations from the Chief Information Security Officer (“CISO”) on cybersecurity risks, industry trends, and best practices.

The Risk Management Committee, which is charged with assisting the Board of Directors in fulfilling its oversight responsibilities related to the Company’s enterprise-wide risk management framework, receives an operational risk update at least quarterly that includes a review of cybersecurity and information security risk. The Board of Directors is also responsible for the approval and oversight of the Information Security (“IS”) Program.

Our CISO, who is designated as the IS Program Coordinator, has over 15 years of relevant information technology, security and program management experience. Under the direction of the CISO, the IS Program focuses on preventing, detecting, and responding to cybersecurity incidents by ensuring the confidentiality, integrity and availability of company information. Central to incident management is the Information Security Incident Response Team, which is responsible for responding expeditiously and effectively to security incidents to minimize risks to the business, customers and consumers. In the event of an incident, we follow the detailed incident response plan, which outlines the steps to be followed from incident identification to mitigation, recovery and notification, including notifying functional areas, regulators, as well as senior leadership and the Board, as appropriate.

All of our employees also have a responsibility to protect the privacy of bank confidential and proprietary information. They are required to undergo periodic information security awareness training to ensure a clear understanding of their roles in protecting information assets and to create a security-minded culture. We continue to strengthen the management and oversight of cybersecurity risks through new security system enhancements, policies, testing, identification and reporting. We also engage a third-party to perform penetration testing and ongoing analysis to identify potential vulnerabilities and areas for additional enhancements.

We depend on third-party service providers to support our business and operational activities and to help us achieve our strategic goals. However, these third parties can introduce various risks to us and our customers. To mitigate these risks, we have established a Third Party Risk Management framework. This framework equips us with the necessary tools and practices for effective oversight of third-party service providers, ensuring compliance with legal and regulatory obligations, contractual requirements, performance expectations, and our own principles and values. Our vendor risk management practices are robust and include comprehensive risk assessments of suppliers, with a strong emphasis on cybersecurity. We use commercially available services to monitor our vendors, providing security scores for supplier technology services, threat intelligence, financial intelligence, and other cybersecurity-related considerations. Regular reviews are conducted to track changes in our vendors’ cybersecurity risk posture, and continuous threat intelligence monitoring helps identify potential cybersecurity incidents involving third parties. We also strive to negotiate appropriate cybersecurity provisions in our vendor contracts.

For the 2024 period, we reported no material cybersecurity incidents affecting the confidentiality, integrity, or availability of data or systems. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For further information, see Item 1A. “Risk Factors,” including the risk factor titled “An interruption or breach in security of our information systems or those related to merchants and third-party vendors, including as a result of cyber attacks, could disrupt our business, result in the disclosure or misuse of confidential or proprietary information, damage our reputation, or result in financial losses.”


Company Information

Name: BANK OF HAWAII CORP
CIK: 0000046195
SIC Description: State Commercial Banks
Ticker: BOH - NYSE; BOH-PA - NYSE; BOH-PB - NYSE
Category: Large accelerated filer
Fiscal Year End: December 30