Page last updated on February 24, 2025
FIRST MERCHANTS CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-24 12:07:42 EST.
Filings
10-K filed on 2025-02-24
FIRST MERCHANTS CORP filed a 10-K at 2025-02-24 12:07:42 EST
Accession Number: 0000712534-25-000058
Item 1C. Cybersecurity.
- Changes in tax legislation could materially impact the Corporation’s business and financial results and the Corporation may have exposure to tax liabilities that are larger than it anticipates.
The tax laws applicable to our business activities, including the laws of the United States and the State governments where the Corporation has tax nexus, are subject to interpretation and may change over time. From time to time, legislative initiatives, such as corporate tax rate changes, which may impact our effective tax rate and could adversely affect our deferred tax assets or our tax positions or liabilities, may be enacted. The taxing authorities in the jurisdictions in which we operate may challenge our tax positions, which could increase our effective tax rate and harm our financial position and results of operations. In addition, our future income taxes could be adversely affected by earnings being higher than anticipated in jurisdictions that have higher statutory tax rates or by changes in tax laws, regulations or accounting principles. We are subject to audit and review by U.S. federal and state tax authorities. Any adverse outcome of such a review or audit could have a negative effect on our financial position and results of operations. In addition, the determination of our provision for income taxes and other liabilities requires significant judgment by management. Although we believe that our estimates are reasonable, the ultimate tax outcome may differ from the amounts recorded in our financial statements and could have a material adverse effect on our financial results in the period or periods for which such determination is made.
- Adverse developments affecting the financial services industry, such as recent bank failures or concerns involving liquidity, may have a material effect on our operations.
Recent events relating to the failures of Silicon Valley Bank and Signature Bank in March 2023 have caused general uncertainty and concerns regarding the adequacy of liquidity in the banking sector as a whole. A financial institution’s liquidity reflects its ability to meet customer demand for loans, accommodating possible outflows in deposits and accessing alternative sources of funds when needed, while at the same time taking advantage of interest rate market opportunities. The ability to manage liquidity is fundamental to a financial institution’s business and success. The bank failures in March 2023 highlight the potential results of an insured depository institution unexpectedly having to obtain needed liquidity to satisfy deposit withdrawal requests, including how quickly such requests can accelerate once uninsured depositors lose confidence in an institution’s ability to satisfy its obligations to depositors. Current market uncertainties and other external factors may impact the competitive landscape for deposits in the banking industry in an unpredictable manner. In addition, the rising interest rate environment has continued to increase competition for liquidity and the premium at which liquidity is available to meet funding needs. These possible impacts may adversely affect our future operating results, including net income, and negatively impact capital.
- Regulatory requirements arising from recent events in the financial services industry, or the application of current regulations, could increase our expenses and affect our operations.
We anticipate the potential of new regulations for banks of similar size to the Bank, designed to address the recent developments in the financial services industry, which may increase our costs of doing business and reduce our profitability. Among other things, there may be an increased focus by both regulators and investors on deposit composition and the level of uninsured deposits. We also expect that another result of the recent bank failures, as well as any future bank failures, will be an increase to our FDIC insurance premiums in future years, further increasing our cost of doing business.
General Risk Factors
- A disaster, natural or otherwise, acts of terrorism and political or military actions taken by the United States or other governments could adversely affect the Corporation’s business, directly or indirectly.
Disasters (such as tornadoes, floods, and other severe weather conditions, pandemics, fires, and other catastrophic accidents or events) and terrorist activities and the impact of these occurrences cannot be predicted. Such occurrences could harm the Corporation’s operations and financial condition directly through interference with communications and through the destruction of facilities and operational, financial and management information systems and/or indirectly by adversely affecting economic and industry conditions. These events could prevent the Corporation from gathering deposits, originating loans and processing and controlling its flow of business by affecting borrowers, depositors, suppliers or other counterparties. The Corporation’s ability to mitigate the adverse impact of these occurrences would depend in part on the Corporation’s business continuity planning, the ability to anticipate any such event occurring, the preparedness of national or regional emergency responders, and continuity planning of parties the Corporation deals with.
- The Corporation’s stock price can be volatile.
The Corporation’s stock price can fluctuate widely in response to a variety of factors, including: actual or anticipated variations in the Corporation’s quarterly operating results; recommendations by securities analysts; significant acquisitions or business combinations; strategic partnerships, joint ventures or capital commitments; operating and stock price performance of other companies that investors deem comparable to the Corporation; new technology used or services offered by the Corporation’s competitors; news reports relating to trends, concerns and other issues in the banking and financial services industry; and changes in government regulations. General market fluctuations, industry factors and general economic and political conditions and events, including terrorist attacks, increased inflation, economic slowdowns or recessions, interest rate changes, credit loss trends or currency fluctuations, could also cause the Corporation’s stock price to decrease, regardless of the Corporation’s operating results.
ITEM 1B. UNRESOLVED STAFF COMMENTS. None.
ITEM 1C. THE CORPORATION’S CYBERSECURITY PROCESSES, POLICIES AND GOVERNANCE.
The increased use of, and dependence on, information management systems in order to engage with customers and conduct business necessarily creates cyber risk. Despite the significant resources and security measures used by the Corporation, the incentives for threat actors to obtain financial payment information and customer non-public information, or to conduct ransomware attacks, will continue to exist. Cyber breach statistics over the past several years evidence the targeting of numerous banking institutions and credit bureaus. Phishing attempts have also significantly increased, and political conflict also presents cyber threats from nation states.
Operational risk is inherent in the Corporation’s activities and can present itself in numerous ways, including internal or external fraud, business disruptions or failures, noncompliance with applicable laws and regulations, cyber breach, or failure of third parties, among other events. The result of these could be reputational harm, financial losses, or litigation and regulatory fines for the Bank. The Corporation operates in a fashion that allows operational risk to be in line with its risk appetite. To govern, monitor and control operational risk, the Corporation maintains an ERM Program, which sets thresholds for risk appetite by key risk areas, such as strategic risk and operational risk. These thresholds are monitored by the Compliance and Internal Audit Departments, and key metrics are reported to management and Board committees. The ERM Program includes managing material risks from cybersecurity threats. Use of third-party software and services also exposes the Corporation to cybersecurity risk, as numerous service providers host critical data or have direct contact with our bank customers. Although the Corporation adheres to industry standard practices in conducting thorough due diligence of vendors and contract management, should a vendor experience a breach the Bank could still suffer reputational harm, and potentially financial losses. Expanded use of cloud-based technologies and providing our customers more internet-based product offerings to continue to remain competitive will serve to increase these potential risks. The Corporation’s third-party risk management program helps to mitigate risks posed by reliance on third and fourth parties. Governance of third parties includes a due diligence and risk assessment prior to contract execution, with oversight completed at a frequency defined by the third party’s risk profile.
To combat these ever-present cyber risks, the Corporation maintains a comprehensive Information Security Program, which includes annual risk assessments, an Incident Response Plan, and a layered control environment meant to detect, prevent, and limit unauthorized or harmful actions across our information technology environment. Policies over information security are Board-approved, and various types of control testing are conducted throughout the year, both by internal and external parties. Findings are acted on throughout the year and reported to various committees. The Corporation has adopted the National Institute of Standards and Technology (NIST) Cybersecurity Framework for the management and development of cybersecurity controls and is an active participant in the financial sector information sharing organization structure, known as the Financial Services Information Sharing and Analysis Center. The Corporation’s Chief Information Security Officer (CISO) is responsible for assessing and managing the Corporation’s risks from cybersecurity threats. The CISO is an active Certified Information Security Systems Professional and has been with the organization for 18 years, with over 21 years of experience in technology infrastructure and security. The Information Security Department conducts cyber incident tabletop exercises on an ongoing basis. These exercises vary by topic, but may include internal incident response teams, executive management, and third parties that provide services across forensic, legal, and public relations capabilities. The purpose of these tabletops is to simulate a cyber event and work through the event using our Incident Response Plan. This allows our incident response team to become familiar with the logistics of the plan, as well as to provide feedback to improve the process and plan. External subject matter experts, such as Bank legal counsel, forensic advisors, the marketing agency and the insurance broker, participate in these exercises.
Management has established an Information Security Committee in order to assist executive management and the Board of Directors of the Bank in fulfilling their oversight responsibilities related to information security. The Corporation’s Information Security Committee consists of members with diverse experience, including the Corporation’s leaders from information security, enterprise risk management, legal, bank protection, internal audit and various business units. The Corporation’s information security professionals have a range of varying cybersecurity experience and education; many of them have substantial experience assessing and managing cybersecurity initiatives and hold certain cybersecurity certificates. The Corporation uses multiple assessors, consultants, auditors and other third parties in the fulfillment of the information security program. These third parties participate in testing and validation processes, as well as the execution of certain program-related controls. The Committee reports its activities, key conclusions and recommendations to the Enterprise Risk Management Committee and the Board’s Risk and Credit Policy Committee on a quarterly basis. At the Information Security Committee, security-related policies and standards are reviewed and recommended for approval, annual risk assessment results and action plans are noted, annual penetration test reports are shared, current security incidents are discussed, and relevant cyber risks and trends are presented. The Corporation’s Board of Directors has delegated primary responsibility for oversight of cybersecurity risk to its Risk and Credit Policy Committee, with its Audit Committee also considering cyber risk as part of financial oversight. The Information Security Department provides an annual update to the Risk and Credit Policy Committee of the Board on the state of the Information Security Program.
This cybersecurity “deep dive” includes review of key security incidents and review of the Information Security Policy, Information Security Program, the Incident Response Plan, and the Acceptable Use Policy. The Board is then presented with the update by the Chair of the Risk and Credit Policy Committee. The Board considers cybersecurity risks in business strategy by receiving updates on the Bank’s cybersecurity risk assessment. It assesses the experience of management personnel responsible for preventing, mitigating, detecting and remediating any cyber incidents, including the Chief Information Security Officer. In 2022, the Board appointed Jason Sondhi to its Board of Directors. Mr. Sondhi has experience managing companies that provide endpoint detection and incident response, vulnerability scans, security information and event management, security employee training and vCISO services. Mr. Sondhi’s cybersecurity expertise assists the Board in overseeing management’s cybersecurity-related efforts.
Company Information
Name | FIRST MERCHANTS CORP |
CIK | 0000712534 |
SIC Description | National Commercial Banks |
Ticker | FRME - Nasdaq; FRMEP - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |