Page last updated on February 25, 2025
FB Financial Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 16:57:26 EST.
Filings
10-K filed on 2025-02-25
FB Financial Corp filed a 10-K at 2025-02-25 16:57:26 EST
Accession Number: 0001649749-25-000035
Item 1C. Cybersecurity.
Cyber risk management and strategy

The Bank recognizes the critical importance of developing, implementing, assessing, and maintaining appropriate cybersecurity measures to safeguard information systems and protect the confidentiality, integrity, and availability of data. The Risk Committee of the Board of Directors oversees management’s processes for identifying and mitigating risks, including cybersecurity risks. The Chief Information Security Officer, with experience in information technology and cybersecurity, is primarily responsible for implementing cyber risk mitigation strategies and is supported by a team of skilled professionals holding cybersecurity-related certifications.

To ensure the robustness of cybersecurity strategies, the Bank actively collaborates with external experts, including cybersecurity assessors, consultants, and auditors, who provide specialized knowledge and insights. These partnerships include regular audits, threat assessments, and consultations on security enhancements. The Bank’s CISO regularly briefs the Risk Committee of the Board of Directors on cybersecurity and information security posture.

Cybersecurity risk management is integrated into the Bank’s broader risk management framework to foster a company-wide culture of cybersecurity awareness. Key risk indicators, aligned with the Board-approved Statement of Risk Appetite, are reported quarterly to multiple management level committees and the Risk Committee of the Board of Directors. This process ensures timely communication and escalation of issues along with the required mitigation and remediation efforts related to cybersecurity risks.

Given the risks associated with third-party service providers, thorough assessments are conducted before engagement and ongoing monitoring is maintained to ensure compliance with organizational standards. Elements of the assessment include cyber, financial, reputational, compliance, legal, strategic and operational reviews. The Third-Party Risk Management department, reporting directly to our CISO, oversees this critical process.

To further strengthen the Bank’s preparedness, cybersecurity insurance coverage is maintained with coverage levels periodically reviewed to ensure alignment with the risk appetite.

While robust cybersecurity measures have been implemented, the Bank has not experienced any material impacts from cybersecurity threats to date. This is not a guarantee that potential future events will be immaterial. The evolving nature of cyber threats means that new risks will emerge. These threats could potentially affect the Bank’s business strategy, operations, or financial condition. For potential impacts of future threats, refer to “Item 1A - Risk Factors - Technology and Operational Risks.”

Cybersecurity governance

The Bank has implemented a comprehensive set of information security policies, standards, and related training programs to promote awareness and prevention of cybersecurity risks. All employees are required to:

- Review and acknowledge the information security framework upon hiring.
- Formally review and understand updates to these policies.
- Complete annual training sessions addressing data privacy and security, password protection, internet use, social engineering risks, and other key cybersecurity topics.

These efforts ensure employees remain vigilant and informed about evolving threats and best practices.

The Bank’s information security program undergoes rigorous internal and external auditing. The internal audit team and bank examiners conduct annual reviews to evaluate the program’s effectiveness and risk mitigation efforts. Additionally, external auditors assess specific components of the information security program as part of the annual financial statements audit.

The program is designed in accordance with the National Institute of Standards and Technology guidelines and the Cyber Risk Institute Profile recommended by the American Bankers Association, underscoring our commitment to maintaining a strong cybersecurity governance framework.
Company Information
Name | FB Financial Corp |
CIK | 0001649749 |
SIC Description | State Commercial Banks |
Ticker | FBK - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |