FIRST MID BANCSHARES, INC. 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

FIRST MID BANCSHARES, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 11:42:57 EST.

Filings

10-K filed on 2026-02-27

FIRST MID BANCSHARES, INC. filed a 10-K at 2026-02-27 11:42:57 EST
Accession Number: 0001193125-26-080847


Item 1C. Cybersecurity.

Risk management and strategy

The Company's Information Security strategy prioritizes the identification, analysis and response to known, anticipated or unexpected threats; effective management of security risks; and resiliency against incidents. The Company's cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, employee training, contractual arrangements, tools and related services from third-party providers, and management oversight to assess, identify and manage material risks from cybersecurity threats. The Company has policies in place, including an Information Security Program to implement risk-based controls to protect the Company's information, information systems, business operations, products and related services, and the information of the Company's customers. The Company has adopted security-control principles based on generally accepted industry-recognized standards, and contractual requirements, as applicable. The Company leverages industry associations, third-party benchmarking, the results from regular internal and third-party audits, including penetration testing, threat intelligence feeds, and other similar resources to inform the Company's cybersecurity processes and allocate resources. The Company maintains security programs that include physical, administrative and technical safeguards and maintains plans and procedures intended to assist the Company in preventing and appropriately responding to cybersecurity threats or incidents. Through the Company's cybersecurity risk management process, the Company monitors on an ongoing basis cybersecurity vulnerabilities and potential attack vectors to Company systems, and evaluates the potential operational and financial effects of identified threats and related countermeasures.
The Company also periodically engages third-party consultants to assist in assessing, enhancing, implementing, and monitoring the Company's cybersecurity risk management programs and responding to incidents. The Company conducts tabletop testing of business continuity plans as outlined in the Company's Business Continuity Management Program. The Company has also established an Incident Response Plan that outlines steps and responsibilities to be taken during a cybersecurity incident. As part of the Company's cybersecurity risk management process, the Company conducts an annual "tabletop" exercise during which the Company simulates cybersecurity incidents to assess preparedness and identify opportunities for improvement. These exercises are conducted at both the technical and senior management levels. In addition, all employees are required to complete mandatory annual cybersecurity training courses and participate in bi-weekly phishing simulations designed to enhance awareness of social engineering threats. The Company has established a Vendor Management Program that forms part of the Company's Enterprise Risk Management program and is supported by the Company's security, compliance, and third-party partners. Through this program, the Company assesses cybersecurity risks associated with third-party service providers with whom the Company shares personal identifying and confidential information. Vendors with access to personal identifying and confidential information are subject to more rigorous initial and more frequent ongoing due diligence, including reviews of Service Organization Control 2 reports, information security policies, vulnerability and penetration tests, human resource policies, and business continuity plans. The Company continues to enhance its oversight processes to mature how cybersecurity risks associated with third-party products and services are identified and managed.
The Company has experienced, and may in the future experience, whether directly or through the Company's third-party partners, cybersecurity incidents. While prior incidents have not materially affected the Company's business strategy, results of operations or financial condition, and although the Company's processes are designed to help prevent, detect, respond to, and mitigate the impact of such incidents, there is no guarantee that a future cyber incident would not materially affect the Company's business strategy, results of operations or financial condition. The Company maintains cyber insurance coverage intended to help mitigate certain potential losses related to cybersecurity incidents. For further discussion about these risks, see "Item 1A. Risk Factors - Operational Risks". The Company integrates its cybersecurity practices into the Company's Enterprise Risk Management program to enhance the identification, assessment, and monitoring of cyber-related operational, regulatory, and compliance risks. The Enterprise Risk Management Program, Information Security Program, Incident Response Plan, Business Continuity Management Program, and Vendor Management Program are approved by the Company's Risk Oversight Committee (ROC), which is a management committee overseen by the Company's Board of Directors and chaired by the Company's Chief Financial and Risk Officer. The ROC brings together a multidisciplinary group to take an enterprise-wide view of risk and promote risk awareness and sound risk management practices. Subcommittees and working groups are also in place to discuss technical expertise on specific areas of risk within the Company and provide updates to the ROC.

Governance

The Company's Board of Directors has overall responsibility for risk oversight, with its committees assisting the Board in performing this function.
Oversight of cybersecurity risk has been delegated to the Board Risk Committee and Audit Committee, each of which reports to the full Board on a quarterly basis. The Board Risk Committee oversees management's implementation and maintenance of the Company's cybersecurity risk program and management's response to material issues. The Audit Committee reviews the Company's cybersecurity processes and compliance with governance policies and procedures. The Enterprise Risk Management program is reviewed and approved by the Board Risk Committee. The Company's Information Security Risk Officer, who is a member of the risk management team reporting to the Chief Financial and Risk Officer, provides quarterly briefings to the ROC and the Board Risk Committee on cybersecurity risks. These briefings may include assessments of cyber risks, the threat landscape, updates on material incidents, and information regarding cybersecurity risk mitigation and governance. In the event of a potentially material cybersecurity incident, the Incident Response Team is notified and briefed, and meetings with the Incident Response Team, which includes management, are held, with the Board of Directors being briefed, as appropriate. The Information Security Risk Officer has over 20 years of experience in information security and network administration, including extensive experience in the banking industry, and holds multiple industry-recognized certifications. The Company's Chief Technology Officer, who reports to the Chief Information Officer, provides oversight of the Company's cybersecurity program as part of broader technology leadership responsibilities. The Chief Technology Officer oversees the Company's Security Operations Team, which supports the Company's efforts to identify, prevent, detect, respond to and recover from cybersecurity threats. The Security Operations Team is comprised of personnel with extensive information technology experience across both public and private sectors. 
The Chief Technology Officer has over 25 years of experience across cybersecurity, software development, systems, networking, and other technology disciplines, including significant experience in technology leadership roles.


Company Information

Name: FIRST MID BANCSHARES, INC.
CIK: 0000700565
SIC Description: State Commercial Banks
Ticker: FMBH - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 31