Pinnacle Financial Partners, Inc. 10-K Cybersecurity GRC - 2026-03-02

Page last updated on March 2, 2026

Pinnacle Financial Partners, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-02 13:32:13 EST.

Filings

10-K filed on 2026-03-02

Pinnacle Financial Partners, Inc. filed a 10-K at 2026-03-02 13:32:13 EST
Accession Number: 0002082866-26-000018

Item 1C. Cybersecurity.

Risk Management, Strategy and Governance

At December 31, 2025, Pinnacle placed a high priority and focus on securing the confidential information it received and stored about its borrowers, depositors and other customers and employees. This priority and focus started with Pinnacle's board of directors, or committees of the board of directors, which were ultimately responsible for establishing effective risk oversight, approving its risk appetite statement, understanding its key risks and seeking to establish the risk management strategy, processes and internal controls that were appropriate to manage risk, in each case inclusive of cybersecurity risk. At December 31, 2025, Pinnacle's risk appetite statement included specific information technology risk tolerance thresholds and limits established with the approval of its board of directors, or designated committees thereof, and executive management. At December 31, 2025, key risk indicators were monitored by the Risk Committee of its board of directors (the "Risk Committee"), which received quarterly reports from its Chief Risk Officer, Chief Solutions Officer/EVP of Bank Operations ("CSO"), Risk Management Committee and Operations and Automation ("O&A") Committee regarding management's efforts to protect Pinnacle from cybersecurity threats and the general threat landscape facing companies with similar operational characteristics. At December 31, 2025, the CSO reported quarterly to Pinnacle's Risk Committee of the board of directors regarding its information security risk oversight processes as the board of directors, acting through the Risk Committee, sought to ensure Pinnacle was operating within its stated risk appetite. At December 31, 2025, Pinnacle's CSO had appointed a Chief Information Security Officer (the "CISO").
At December 31, 2025, the CISO reported directly to Pinnacle's CSO and the responsibilities of this role were in conjunction with information security and other special projects concerning risk and operational issues identified. At December 31, 2025, the CISO coordinated Pinnacle's information security risk assessment process, facilitated annual employee training, and prepared an annual report to Pinnacle's board of directors with a summary of the Information Security Strategic Plan for the coming year, top cybersecurity risks and crucial information security updates that could impact us. Pinnacle's CISO held a Master's Degree in Information Security and Assurance and brought 28 years of experience in IT and Information Security. Prior to being appointed as the CISO, its CISO served as Pinnacle's Deputy CISO which allowed for longstanding knowledge of the environment and its clients to be maintained while working to keep its cybersecurity risks managed. At December 31, 2025, Pinnacle's objective for managing cybersecurity risk was to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse its systems or information. A key part of Pinnacle's strategy for managing risks from cybersecurity threats at December 31, 2025 was the ongoing assessment and testing of its processes and practices through auditing, security assessments, and other exercises focused on evaluating effectiveness of Pinnacle's processes and programs at December 31, 2025. At December 31, 2025, Pinnacle also deployed technical safeguards that were designed to protect its information systems from cybersecurity threats and incidents in a prompt and effective manner with the goal of minimizing disruptions to its business. 
At December 31, 2025, Pinnacle had also developed and periodically updated incident response plans that provided a documented framework for responding to actual or potential cybersecurity incidents, including timely notification and escalation to the appropriate management committees and to the Risk Committee of the board and full board of directors as appropriate. At December 31, 2025, these incident response plans were coordinated through the CSO and other key members of management, including the CEO. At December 31, 2025, the CISO, the CSO, our Chief Information Officer (CIO) and Chief Risk Officer collaborated in the development and implementation of the Information Technology Program. Together with our information technology staff, third-party vendors and other outside resources, information security standards and controls were implemented across all enterprise systems at December 31, 2025. At December 31, 2025, the CISO and team members reporting to him monitored Pinnacle's information technology systems for threats and vulnerabilities, reporting regularly to the CIO. At December 31, 2025, the CISO also recommended changes to those systems designed to protect the systems from attack and reduce cybersecurity risk. At December 31, 2025, Pinnacle's board of directors delegated authority to the Risk Committee to assist the board in carrying out certain duties related to risk oversight, including with respect to information security risk. At December 31, 2025, the Risk Committee provided primary board-level oversight of its enterprise-wide risk posture and the processes established to identify, measure, and monitor its risk level, including regarding information security risk. At December 31, 2025, this oversight included reviewing and approving its risk appetite statement, including with respect to information security risk and reviewing quarterly reporting from management on monitoring of performance of Pinnacle against its risk appetite.
At December 31, 2025, Pinnacle's Risk Management Committee, which was a management committee consisting of key employees of Pinnacle, including its Chief Risk Officer, Chief Executive Officer, Chief Financial Officer, CSO, Chief Credit Officer, Treasurer and Chief Compliance Officer as well as other nonvoting members including its Chief Audit Executive, oversaw monitoring of the Information Technology program. Testing of the Information Technology program at December 31, 2025, including information security, was accomplished using a comprehensive program of then on-going internal testing, utilizing third-party service providers to provide routine vulnerability scanning and penetration testing, and conducting targeted threat assessments with third-party consultants on an annual basis. Additionally, at December 31, 2025, its Internal Audit function included information technology, as well as information security, in its annual audit plan. In addition, in accordance with the Information Technology program, at December 31, 2025, its O&A Committee assessed information security risks on a quarterly basis, or more often in response to changes in products or services that were offered, technological changes, changes in the threat landscape that faced Pinnacle, including as a result of cybersecurity incidents affecting financial institutions or their third party vendors generally or any change that could have materially affected our risk environment. At December 31, 2025, the O&A Committee, chaired by the CSO, was responsible for the oversight of the Information Security Advisory Team (ISAT) subcommittee, which monitored monthly operational cybersecurity reporting, threat intelligence, security project implementation, and maintenance of the information security policies and standards managed by the Company's CISO. 
At December 31, 2025, the monthly ISAT reports were provided to the Risk Committee quarterly and described the overall status of the Information Security activities, including, but not limited to:

- Decisions about enterprise cybersecurity risks and mitigating controls;
- Results of testing, including regular external and internal penetration testing and vulnerability scans;
- Cybersecurity Threat Intelligence;
- Security Operations Systems Performance; and
- Security breaches or violations and management's responses.

At December 31, 2025, no attempted cyber-attack or other attempted intrusion on Pinnacle's information technology networks had resulted in a material adverse impact on the operations or financial results of Pinnacle Financial or Pinnacle Bank. For further discussion of risks from cybersecurity threats, see the section captioned "We are dependent on our information technology and telecommunications systems and third-party servicers, and systems failures, interruptions or breaches of security could have a material adverse effect on our financial condition and results of operations, as well as cause legal or reputational harm" in Item 1A. Risk Factors.

Information Security Training and Awareness

Information security awareness training is provided to all employees and bank business units at initial new hire orientation and no less often than annually thereafter and focuses on Pinnacle's overall Information Security Program, roles and responsibilities of employees during an incident and how to identify and report suspicious activity.

Third Party Risk Management (TPRM)

At December 31, 2025, management identified, assessed, controlled, monitored and reported on risks related to Pinnacle Financial's and Pinnacle Bank's use of third and fourth parties per applicable laws, safe and sound business practices, and related supervisory guidance, particularly that of the Interagency Guidance on Third-Party Relationships: Risk Management.

At December 31, 2025, it was its policy to ensure the internal controls and financial condition of a third-party vendor were carefully evaluated prior to the allowance of such support services to begin, and as an on-going condition of continuing support of such products or services. At December 31, 2025, vendors with access to customer information or direct access to the network were carefully reviewed to ensure that appropriate controls and mechanisms were in place in an attempt to safeguard confidential information, and its contracts with such vendors included obligations on the part of the vendors to maintain the confidentiality of such information in compliance with applicable legal requirements.


Company Information

Name: Pinnacle Financial Partners, Inc.
CIK: 0002082866
SIC Description: National Commercial Banks
Ticker: PNFP - NYSE, PNFP-PA - NYSE, PNFP-PB - NYSE, PNFP-PC - NYSE
Website
Category
Fiscal Year End: December 31