Page last updated on February 20, 2025
FIRST FINANCIAL BANCORP /OH/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 16:13:54 EST.
Filings
10-K filed on 2025-02-20
FIRST FINANCIAL BANCORP /OH/ filed a 10-K at 2025-02-20 16:13:54 EST
Accession Number: 0000708955-25-000012
Item 1C. Cybersecurity.
Risk Management and Strategy

Cybersecurity (cyber) risk is differentiated from information technology risk by threat interactions that yield high impact consequences and ever-increasing probability. While standard security operations address most day-to-day incidents, cyber risk includes motivated threat actors who often use advanced tools, techniques and processes to evade detection or inflict maximum damage to an organization’s information assets. Cyber threats and attacks adapt and evolve rapidly, and the Company works to continuously enhance controls and processes to protect its networks, applications, and data from attack, damage, or unauthorized access. Critical components to the Company’s cyber risk control structure include corporate governance, access management, threat intelligence, security operations, security awareness training, and vulnerability management programs. Cyber risk mitigation includes effectively identifying, protecting against, detecting, responding to, and recovering from cyber threats.

The Company’s cybersecurity program is overseen by its Chief Information Security and Privacy Officer (the “CISO”). The Company’s CISO has over 25 years of experience in information security and technology governance, risk, and compliance, including a previous CISO position at a large regional bank. The Company’s CISO has also held leadership roles in enterprise risk management and internal audit for large financial service organizations, as well as at a global audit, assurance, and advisory firm.

The CISO meets quarterly with and chairs the Cyber ERM Committee, which consists of representatives from the officer of enterprise security, information technology, risk, compliance, and other internal stakeholders, and presents quarterly to the Enterprise Risk Management Committee (“ERMC”), which includes executive and senior leadership of the Company, and the Risk and Compliance Committee of the Board of Directors (“Board Risk Committee”). The management of risk from cybersecurity threats is one of the risks that is continuously assessed, monitored and managed by the Company under the Company’s ERM framework which is described more fully in the Company’s Annual Report to Shareholders. The CISO maintains a scorecard which monitors and measures various cyber risks, including:

a. Operational capability, including cyber defense, vulnerability management, and third-party risk management.
b. Risk assessments, including GLBA assessments and attack simulations.
c. Program maturity, including the NIST Cybersecurity Framework (CSF) and the Federal Financial Institutions Examination Council’s (FFIEC) maturity framework.
d. Internal and External Audit, including external assessments, internal audit results, and regulator exam results.

The Company uses a variety of tools to monitor and mitigate cybersecurity risks, including employee training, simulated phishing exercises, incident response tabletops, cybersecurity insurance, and business continuity planning for the protection of the Company’s assets. Additionally, the Company’s cybersecurity function is audited on an annual basis by internal audit and external regulatory examiners.

The Company maintains an ad hoc committee comprised of senior management with responsibility for third party (vendor) risk management, including the CISO, the Chief Risk Officer, the Chief Compliance Officer, representatives from vendor management, and enterprise risk management associates. The ad hoc committee reviews diligence regarding vendors, including cyber diligence, and monitors any incidents or cybersecurity threats involving those third parties. Cyber diligence of critical vendors (vendors which store or interact with customers’ personally identifiable information) includes an annual review of the technology and data interfaces with the vendor, an annual review of the vendor’s cyber security controls, and monthly monitoring of the vendor’s outward-facing security posture.

The Company is not aware of risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents, which have materially affected the Company, including its business strategy, results of operations, or financial condition.

Governance

First Financial’s board of directors is responsible for overseeing the Company’s cybersecurity risk management objectives and risk tolerance as part of its oversight of the Company’s compliance and risk management activities. Specific oversight of the cybersecurity function is delegated to the Board Risk Committee. The Chair of the Board Risk Committee has extensive cybersecurity experience, including both experience as a chief information security officer of a publicly traded financial institution and as an outside cybersecurity consultant. The committee chairperson maintains CISSP and CRISC certifications. Through the Board Risk Committee, the Board’s oversight responsibilities include:

a. establishing and guiding the Company’s cybersecurity risk tolerance, including the determination of the aggregate risk appetite and identifying the senior managers who have the responsibility for managing risk;
b. ensuring that the Company implements sound fundamental principles that facilitate the identification, measurement, monitoring and control of risk;
c. ensuring that adequate resources are dedicated to cybersecurity risk management; and
d. confirming that awareness of cybersecurity risk management activities is evident throughout the organization.

The Company has developed and documented an incident response plan that includes various levels of escalation in the event of a cyber incident. All incidents begin with information security and information technology associates, with escalation to a crisis management team comprised of the CISO, the Chief Risk Officer and certain designated members of executive management in the event the situation is severe. The crisis management team communicates with the full executive team and the Board of Directors in case of more severe incidents. More complete reporting is then provided to the ERMC and the Board Risk Committee during regularly scheduled quarterly meetings.
Company Information
Name | FIRST FINANCIAL BANCORP /OH/ |
CIK | 0000708955 |
SIC Description | National Commercial Banks |
Ticker | FFBC - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |