Triumph Financial, Inc. 10-K Cybersecurity GRC - 2025-02-11

Page last updated on February 11, 2025

Triumph Financial, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-11 16:09:15 EST.

Filings

10-K filed on 2025-02-11

Triumph Financial, Inc. filed a 10-K at 2025-02-11 16:09:15 EST
Accession Number: 0001628280-25-004879


Item 1C. Cybersecurity.

Risk Management and Strategy

We use a variety of processes to assess, identify, manage, and mitigate material risks from cybersecurity threats. Our cybersecurity risk management process has been integrated into the Company’s overall Enterprise Risk Management framework as well as our Internal Audit plan. Our cybersecurity program regularly monitors external and internal threats to assess cybersecurity risk and engages in risk-based remediation. Our program is aligned to the Federal Financial Institutions Examination Council and other applicable industry standards. We conduct regular security awareness training, phishing exercises, and other security awareness programs to keep employees engaged and informed on ways to mitigate cybersecurity risk.

The Company’s Chief Information Security Officer (“CISO”) is primarily responsible for developing, monitoring, and implementing our Information Security Program (the “ISP”) and coordinating with relevant parts of our business. Our program is organized around six key functions: (1) security operations and incident response, (2) security engineering and architecture, (3) threat and vulnerability management, (4) information technology/information security - governance, risk and controls, (5) security awareness and training, and (6) identity and access management.

We engage third-party services to conduct penetration testing as well as other regular evaluations of our security protocols and processes. Additionally, we assess and monitor the cybersecurity controls of third party service providers and partners. Ongoing and regular monitoring of our third parties is also managed through our ISP team’s protocols in partnership with the vendor management, enterprise risk management, and internal audit departments. Cybersecurity incidents are managed as part of our ISP.

Notwithstanding the focus we place on cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on the Company. As of the date of this Form 10-K, the Company is not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition that are required to be reported in this Form 10-K. For further discussion, please see Item 1A. “Risk Factors” for a discussion of cybersecurity risks.

Governance

The Risk and Compliance Committee of our Board of Directors (the “Board”), in consultation with and regular reporting to our full Board, oversees enterprise technology and its associated risks including cybersecurity. The Board and Risk and Compliance Committee regularly reviews the measures implemented by the Company to identify and mitigate risks from cybersecurity threats on an annual basis. We have protocols by which certain cybersecurity incidents are escalated within the Company and, where appropriate, are reported to the Board and Risk and Compliance Committee in a timely manner.

As noted above, the Company’s cybersecurity risk management process is integrated into our overall Enterprise Risk Management framework, which is overseen at the management level by senior leaders of the Company. Our CISO, who has over twenty-five years of experience managing information security programs across banking and technology companies, is responsible for the Company’s ISP and reports to our Chief Information Officer. The CISO receives reports on cybersecurity threats from a number of experienced information security officers responsible for various parts of the business on an ongoing basis and in conjunction with senior management, regularly reviews risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks.

Our CISO provides quarterly reports and an annual report to the Board and the Risk and Compliance Committee on cybersecurity matters.


Company Information

Name: Triumph Financial, Inc.
CIK: 0001539638
SIC Description: State Commercial Banks
Ticker: TFIN - Nasdaq, TFINP - Nasdaq
Category: Large accelerated filer
Fiscal Year End: December 30