SOUTHERN MISSOURI BANCORP, INC. 10-K Cybersecurity GRC - 2024-09-13

Page last updated on September 16, 2024

SOUTHERN MISSOURI BANCORP, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-13 17:11:11 EDT.

Filings

10-K filed on 2024-09-13

SOUTHERN MISSOURI BANCORP, INC. filed a 10-K at 2024-09-13 17:11:11 EDT
Accession Number: 0001558370-24-012781

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity and Risk Management As a financial institution, we are confronted with a spectrum of cyber threats, ranging from common attacks like ransomware to sophisticated, organized assaults by nation-state actors. These risks extend to our customers, shareholders, suppliers, and partners. Maintaining resilience in our cybersecurity posture is not just a priority but a fundamental necessity to safeguard our operations, performance, and maintaining customer confidence in our financial services. The Board of Directors oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk appetite with our strategic objectives. Our risk management program is designed to identify, measure, monitor and control all significant risks across various aspects of the Company. Cybersecurity risk management processes are integrated into this program, given the increasing reliance on technology and potential of cyber threats. Our Information Security (“IS”) Officer leads our cybersecurity program, reporting directly to the Chief Risk Officer (“CRO”) and provides reports and updates to the information Technology (“IT”) Committee, and the Board of Directors monthly or more frequently as required. Our objective for managing cybersecurity risk is to maintain appropriate layers of safeguards to protect information systems from possible threats and to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse our systems or information. Our information security program aligns with industry frameworks, such as the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, Federal Financial Institutions Examination Council (“FFIEC”) Information Technology Examination Handbooks, and the FFIEC Cybersecurity Assessment Tool, and is periodically reviewed and updated at least annually or more frequently upon significant changes to our operating environment. Our Information Security Program is led by our Information Security Officer in conjunction with our Information Technology Officer. We maintain an Incident Response Plan (“IRP”) that provides a documented framework for responding to actual or potential cybersecurity incidents. The Incident Response Team (‘IRT") members include senior management and other relevant personnel with defined roles and responsibilities. The IRP addresses roles, responsibilities, and communication and contract strategies in the event of a compromise, including analysis of reportable events in accordance with applicable legal and compliance requirements. The IRT is notified of all incidents, and incidents are elevated to the Board of Directors when warranted. We rely on a series of processes to identify threats, hazards, and other risks to our information assets. We employ a variety of preventative and detective tools designed to monitor, detect, block, and provide alerts regarding suspicious and unauthorized activity and to report on suspected advanced persistent threats. In addition to regular risk assessments, we rely on independent assessments, audits, and cybersecurity feeds from vendors, including directly into patch and vulnerability management tools. We engage cybersecurity experts and third-party specialists to perform regular assessments of our infrastructure, software systems and network architecture. We also leverage internal and external auditors and independent external partners to periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness. We have regular and ongoing security education and training for employees and recovery and resilience tests. The Bank also retains third-party experts to conduct intrusion and penetration testing on an annual basis. All risk and security assessments results are shared with the IT Committee and Board of Directors. Our information assets are classified and protected based on the results of our risk assessment practices, which assess a variety of critical factors, including the type of data stored, system availability needs, confidentiality requirements, recovery time objectives, transactional processing, the number of users, and the volume and magnitude of transactions. Our IS and IT teams meet to ensure that risks are timely identified, patches and vulnerability requirements are monitored, and the necessary changes are implemented. Our IT governance ensures alignment between the Company’s technological strategy and business goals. We strive for efficient utilization of IT resources while effectively managing IT risks within the Company’s risk appetite. Oversight and Identification of Risks Associated with Third Parties Third party risk management is a component of our vendor management program. New vendors are reviewed prior to onboarding to ensure proper oversight and identify potential risks. Ongoing monitoring of emerging risks related to third-party services providers is performed periodically according to the vendor’s risk rating. Vendor reviews include risk reviews for financial, reputation, information security, cybersecurity and business resiliency risk. These reviews are reported to the IT Committee and Board of Dirctors for approval.. Identified Cybersecurity Risks Federal regulators have issued multiple statements and guidance regarding cybersecurity and that financial institutions need to design multiple layers of security controls to establish lines of defense and to ensure that their risk management processes also address the risk posed by compromised client credentials, including security measures to reliably authenticate clients accessing internet-based services of the financial institution. In addition, a financial institution’s management is expected to maintain sufficient business continuity planning processes to ensure the timely recovery, resumption and maintenance of the institution’s operations in the event of a cyber-attack. A financial institution is also expected to develop appropriate processes to enable recovery of data and business operations and address rebuilding network capabilities and restoring data if the institution or its critical service providers fall victim to a cyber-attack. If a financial institution fails to observe the regulatory guidance, they could be subject to various regulatory sanctions, including financial penalties. In the ordinary course of business, we rely on electronic communications and information systems to conduct our operations to store and transmit sensitive data. We employ a layered, defensive approach that leverages people, processes, and technology to manage and maintain cybersecurity controls. We employ a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected advanced persistent threats. Notwithstanding the strength of our defensive measures, the threat from cyber-attacks is severe, attacks are sophisticated and increasing in volume, and attackers respond rapidly to changes in defensive measures. While to date we have not detected a significant compromise, significant data loss or any material financial losses related to cybersecurity attacks, our systems and those of our clients and third-party service providers are under constant threat and there can be no assurance that our cybersecurity risk management program will be fully effective in protecting the confidentiality, integrity and availability of our information systems and our solutions. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of internet banking, mobile banking and other technology-based products and services by us and our customers. See Item 1A. Risk Factors for a further discussion of risks related to cybersecurity. See “Risks Related to Cybersecurity, Third Parties and Technology” under “Item 1A. Risk Factors” in this Form 10-K for a further discussion of risks related to cybersecurity. Management and Board Oversight of Cybersecurity Risks Our cybersecurity program is managed by the Information Security Officer who leads our IS team responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. The Information Security Officer provides periodic reports to the IT Committee and Board of Directors. These reports address key cybersecurity topics, including the implementation and operation of preventative controls and the detection, mitigation, and remediation of cybersecurity incidents. The Chief Operating Officer, Chief Risk Officer, and board-level risk committees of the Bank provide comprehensive reports to the full Board of Directors regarding pertinent cybersecurity risk management topics. Our Information Security Officer has more than 40 years’ experience in financial services, substantial relevant expertise and formal training in the areas of information security, information technology, and cybersecurity risk management and is accountable for managing our enterprise information security department and developing and implementing our cybersecurity and information security programs. These qualifications, certifications, and experience include a degree from Missouri State University with focus on Business Administration Systems coursework.

Company Information