Stellar Bancorp, Inc. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

Stellar Bancorp, Inc. reported its cybersecurity risk management and governance process in an annual 10-K filed on 2026-02-26 17:01:33 EST.

Filings

10-K filed on 2026-02-26

Stellar Bancorp, Inc. filed a 10-K at 2026-02-26 17:01:33 EST
Accession Number: 0001473844-26-000006


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company's risk management program is designed to identify, assess, and mitigate risks across various areas and functions, including financial, operational, technological, regulatory, reputational, and legal. Cybersecurity is a critical component of the enterprise risk management program, given the increasing reliance on technology and potential of cyber threats.

The Company's information security program is designed to protect the confidentiality, integrity, and availability of its computer systems, networks, software and information assets, including customer, and other sensitive data. The structure of the Company's information security program is designed around regulatory guidance, industry leading risk frameworks and other industry standards. In addition, the Company leverages certain industry and government associations, third-party benchmarking, audits, and threat intelligence sources to facilitate and promote program effectiveness. The Chief Information Security Officer ("CISO"), who reports directly to the Chief Risk Officer ("CRO"), and the Chief Information Officer ("CIO"), along with key members of their teams, regularly collaborate with peer banks and industry groups to discuss cybersecurity trends, issues, and best practices. The information security program is periodically reviewed with the goal of addressing changing threats and conditions.

The Company employs an in-depth, layered, defensive strategy that embraces a "secure by design" philosophy when designing new products, services, and technology. The Company leverages people, processes, and technology as part of its efforts to manage and maintain cybersecurity controls. The Company employs a variety of solutions and processes designed to prevent, detect, and respond to suspicious activity.
The Company also actively monitors its email gateways for malicious phishing email campaigns and monitors remote connections as a portion of its workforce has the option to work remotely. The Company has established processes and systems designed to mitigate cyber risk, including regular and on-going education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests. It engages in regular assessments of its infrastructure, software systems, and network architecture, using internal cybersecurity experts, and third-party specialists. The Company also maintains a third-party risk management program designed to identify, assess, and manage risks, including cybersecurity risks, associated with external service providers and its supply chain. The Company leverages internal and external auditors and independent external partners to periodically review its processes, systems, and controls, including with respect to its information security program, to assess the design and operating effectiveness of the control environment and make recommendations to strengthen its risk management program.

The Company maintains a Cybersecurity Incident Response Policy ("CSIRP") and related checklists that provide a documented framework for responding to actual or potential cybersecurity incidents, including timely escalation of incidents to the Cybersecurity Response Team and notification to the appropriate regulatory and governmental authorities. As needed, the notification may include senior management and/or the Company's and Bank's Board of Directors. The CSIRP and related checklists are coordinated through the CISO, CRO, and key members of management, including but not limited to representatives from the information security, information technology and legal teams that are embedded into the Cybersecurity Response Team.
The CSIRP facilitates coordination across multiple parts of the organization and is evaluated at least annually.

During the fiscal year of this Report, the Company has not experienced a cybersecurity incident that has materially impacted its business strategy, results of operations, or financial condition. Despite the Company's efforts, there can be no assurance that its cybersecurity risk management processes and measures described will be fully implemented, complied with, or effective in protecting its systems and information. The Company faces risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect its business strategy, results of operations or financial condition including through potential operational disruption, regulatory or supervisory actions, reputational harm or increased costs associated with remediation and recovery. See "Item 1A. Risk Factors" in this document for further information.

Governance

The Bank's Board of Directors is responsible for overseeing the risks associated with cybersecurity threats. The Bank Operational Risk Committee ("Ops Risk") of the Board has primary responsibility for overseeing the technology program, including management's actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. The CISO and the CIO provide quarterly reports to the Ops Risk Committee regarding the information security and technology programs, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes. The CISO also reports summaries of key issues, including significant cybersecurity incidents.

In addition to the Ops Risk Committee, the management-level Technology Committee ("TC") focuses on and provides oversight of the information security program. The TC reviews and, as appropriate, approves the broad objectives, strategies and policies governing the Company's protection of data assets and information security framework.
The CRO additionally assesses the adequacy of information security practices and reports on cyber risk to the Risk Oversight Committee ("ROC") of the Company's Board of Directors. The TC is co-chaired by the CIO and CISO, and includes the CEO, CRO, COO, and other key departmental managers from throughout the Bank. This committee generally meets monthly to discuss various operational strategies and issues, including information technology and information security policies, practices, controls, and mitigation and prevention efforts.

The CISO, in coordination with the CRO, CIO and General Counsel, works across the Company to implement and monitor a program designed to protect the Company's information systems from cybersecurity threats and promptly respond to any cybersecurity incidents in accordance with the Company's cybersecurity incident response plan.

The Company's CISO has served in various roles in information technology and information security for over twenty years, including serving as a Cyberspace Operations Officer in the United States Air Force Reserves and instructing for the SANS Technology Institute. The Company's CISO holds an undergraduate degree in Business Administration and has attained the professional certification of Certified Information Systems Security Professional ("CISSP").

The Company's CRO has over a 25-year career in the banking industry and is currently serving as Senior Executive Vice President and Chief Risk Officer of Stellar Bank and Chief Risk Officer of Stellar Bancorp, Inc. Previously, the CRO has held the positions of President and Chief Risk Officer at Allegiance Bank and Executive Vice President and Chief Risk Officer at Allegiance. The Company's CRO's banking career as an executive started at Independence Bank in 2002 as Senior Credit Officer and eventually was promoted to President in 2009. Between 2010 and 2013, the CRO also served as CEO of Independence Bank until joining Allegiance Bank following a merger.
The Company's CRO has since assumed the roles of Regional President, Deputy Chief Credit Officer, and Chief Administration Officer at Allegiance Bank. The CRO holds an MBA from the University of Houston and a Bachelor of Arts in Finance & Marketing from the same institution.

The Company's CEO, CFO and General Counsel each hold undergraduate and/or graduate degrees in their respective fields, and each have significant experience managing risks at the Company and at similar companies, including risks arising from cybersecurity threats.

The members of the Boards of Directors of the Company and the Bank have hundreds of combined years of experience running successful companies and managing enterprise risk. Specific cybersecurity expertise is brought to the Board from independent directors who lead or have led technology firms and, as such, have direct managerial oversight of cybersecurity risks.


Company Information

Name: Stellar Bancorp, Inc.
CIK: 0001473844
SIC Description: National Commercial Banks
Ticker: STEL - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31