1ST SOURCE CORP 10-K Cybersecurity GRC - 2026-02-17

Page last updated on February 17, 2026

1ST SOURCE CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-17 16:02:06 EST.

Filings

10-K filed on 2026-02-17

1ST SOURCE CORP filed a 10-K at 2026-02-17 16:02:06 EST
Accession Number: 0000034782-26-000011


Item 1C. Cybersecurity.

Risk Management and Strategy

Our Board of Directors has delegated primary responsibility for oversight of cybersecurity risk management to the Digital and Technology Committee of the Board. The Committee receives quarterly reports from the Chief Information Security Officer (CISO) and the Chief Information Officer (CIO), respectively, and reviews them with such officers. These reports are made available to all board members. In addition, our Chief Risk Officer (CRO) provides a quarterly report to the full Board that covers material risks to the organization and cybersecurity and other information security risks are among the organization's material risks. Such reports include management's updates on the inherent risk level of cybersecurity and other information security risks and the strength of controls designed to mitigate those risks.

Our processes for assessing, identifying, and managing material risks from cybersecurity threats are based on examination guidance published by the Federal Financial Institution Examination Council (FFIEC), an interagency body established under the Financial Institutions Regulatory and Interest Rate Control Act of 1978. Consistent with FFIEC guidance, 1st Source selected and adheres to the risk management framework established by the Cybersecurity Risk Institute known as the "CRI Profile." The CRI Profile is based primarily on the well-known National Institute of Standards and Technology's (NIST) "Framework for Improving Critical Infrastructure Cybersecurity" and is tailored to ensure expectations of financial institution regulators are met. Our processes are designed to meet standards for all seven CRI Profile functions - governance, identification, detection, protection, response, recovery, and supply chain dependency management. In addition, we adhere to security standards set by the PCI Security Standards Council which are designed to ensure secure payments globally.

Risks from cybersecurity threats, including risks identified from previous cybersecurity incidents, have required significant investments over time in maturing our Information Security Program and attracting and retaining the personnel with requisite experience and expertise. In particular, the CISO has substantial relevant expertise in the financial services industry and formal training in the areas of information security and cybersecurity risk management. We will need to continue to make meaningful investments in cybersecurity controls for continuous improvement and maturation in response to constantly evolving cybersecurity threats. Cybersecurity threats will continue to be endemic to the financial services industry for the foreseeable future.

Governance

Our Board and senior management oversee our processes for management of cybersecurity risks consistent with the foregoing standards. As noted above, such oversight includes regular reporting by management to the Board on the adequacy of such processes and potential material issues identified. Before escalation to the Board, issues are generally identified and assessed through our risk governance structure established under our Enterprise Risk Management Program. The risk governance structure includes three distinct components: management oversight, third-party professional assessment, and separate oversight and review by our Internal Audit Department. Management oversight is maintained through several committees that serve as forums for further assessment, remediation, and escalation.

These management oversight committees include the Information Security Committee, co-chaired by the CISO and CRO, the Operational and Compliance Risk Committee, chaired by the Chief Operating Officer (COO) and vice chaired by the Chief Compliance Officer, the IT Steering Committee, chaired by the Chief Information Officer (CIO), the Enterprise Risk Management Committee, chaired by the CRO, the Data Governance Committee, chaired by the CIO, and the executive management committee known as the Strategic Deployment Committee, chaired by the Chief Executive Officer (CEO).

We regularly engage third-party assessors, consultants, and auditors to test and evaluate our controls for managing cybersecurity threats. These include third-party engagements by management and by our Internal Audit Department for (i) regular penetration testing of our cyber defenses, including an annual PCI-certified penetration test, (ii) third-party "health checks" on supporting technology, including our security incident and event management system (SIEM) and vulnerability management program, and (iii) third-party social engineering tests of the effectiveness of our employee training for detection of invasive attempts by malevolent actors. In addition, the Federal Reserve and DFI examine our control environment for managing cybersecurity risks each year.

Our risk governance structure includes a Third-Party Risk Management Program with first-level oversight by management's Third-Party Risk Management Committee and conforms to bank regulatory guidance. This program includes due diligence and periodic monitoring of the information security controls such providers have in place to protect our confidential data received, processed and/or stored by such providers.

Risks from Cybersecurity Incidents

We have not encountered, to our knowledge, a cybersecurity incident that has materially impaired, or is reasonably likely to materially impair, our business strategy, operations, or financial condition.

The measures summarized above are intended to help ensure that 1st Source does not suffer a material adverse impact from security breaches, but, as cybersecurity risks evolve and increase in sophistication, we can provide no assurance that our financial condition or results of operations will not be adversely impacted. See "Item 1A. Risk Factors - Operational Risks - Technology Security Breaches."


Company Information

Name: 1ST SOURCE CORP
CIK: 0000034782
SIC Description: State Commercial Banks
Ticker: SRCE - Nasdaq
Website
Category: Large accelerated filer
Fiscal Year End: December 31