National Bank Holdings Corp 10-K Cybersecurity GRC - 2025-02-25

Page last updated on February 25, 2025

National Bank Holdings Corp described its cybersecurity risk management and governance process in an annual report on Form 10-K filed on 2025-02-25 at 16:11:12 EST.

Filings

10-K filed on 2025-02-25

National Bank Holdings Corp filed a 10-K at 2025-02-25 16:11:12 EST
Accession Number: 0001558370-25-001502


Item 1C. Cybersecurity.

Our risk management program is designed to identify, assess, manage, and mitigate risks across various aspects of our Company, including, but not limited to, financial, operational, regulatory, reputational, and legal. Cybersecurity is a critical component of this program, given the increasing reliance on technology and potential of cyber threats. The Company’s cybersecurity risk management program consists of a layered cybersecurity approach and is organized pursuant to prevailing guidance such as the Federal Financial Institutions Examination Council, including its underlying handbooks and assessment tools, and incorporates guidance issued by the National Institute of Standards and Technology and the Cybersecurity Infrastructure and Security Agency. The Company’s cybersecurity risk management program is designed to ensure the Company’s data, information systems, networks and devices are appropriately protected from a variety of threats and that our third parties with access to the Company’s data take similar precautions. Regular risk assessments are conducted to validate control requirements and ensure that the Company’s information is protected at a level commensurate with its sensitivity and value. Preventative and detective security controls are employed on all media where information is stored, the systems that process it, and infrastructure components that facilitate its transmission to ensure the confidentiality, integrity, and availability of Company information. These controls include, but are not limited to, access control, data encryption, data loss prevention, incident response, security monitoring, third-party risk management, and vulnerability management. The Company’s cybersecurity risk management program and strategy are regularly assessed by consultants, regulatory authorities, and external auditors.
The Company’s Enterprise Risk Management department also plays a crucial role in monitoring the program by internally conducting regular cyber maturity assessments. Cybersecurity processes are adjusted as needed based on the information gathered from these internal and external assessments to ensure that the program is aligned with the Company’s business objectives, is designed to address evolving cybersecurity threats, satisfies regulatory requirements, and conforms with industry standards. The Company, through its Enterprise Risk Management, Enterprise Technology, and Internal Audit departments, actively maintains and monitors various systems, controls and surveillance measures that are intended to mitigate cybersecurity risks, including:

● Layered security controls monitoring traffic to and within the Company that identify and block suspicious activity, with system configurations that align with industry best practices.
● Preventative and detective controls to identify adverse internal and external trends and analyze the Company’s response mechanisms.
● Annual network and penetration testing by reputable third parties to evaluate the Company’s suite of security controls and tools and identify potential vulnerabilities.
● Regular cybersecurity and information security awareness training for associates, supplemented with recurring social engineering tests.
● Conducting regular cyber maturity assessments to ensure the Company is prepared to manage and respond to cybersecurity threats.
● An incident response plan that outlines the steps the Company will take to respond to a cybersecurity incident, which is tested on a periodic basis.
● Recurring audit and oversight of all critical third parties within the Company’s digital ecosystem to identify risks and adverse trends and monitor their compliance with our cybersecurity requirements.
● Use of external subject matter experts to provide threat intelligence and updates on trends and emerging schemes.
● Annual risk and self-assessments against established industry frameworks to ensure best practices are in place and the Company’s risk assessment continues to evolve.
● Carrying out regular trainings and tests, including phishing simulation tests, to ensure the Company’s associates remain vigilant with regard to cybersecurity threats.
● Annual testing from a business continuity perspective, including annual business impact analysis reviews, annual testing of all critical departments, systems and third parties, and established back-up, replication, and restoration to help ensure continuity of operations.

Our internal systems, processes, and controls are designed to mitigate loss from cyberattacks and, if necessary, remediate any potential damage. While we have experienced cybersecurity incidents in the past, to date, risks from cybersecurity threats have not materially affected the Company’s business, financial condition, and results of operations. However, the sophistication of cyber threats continues to increase, and the Company’s cybersecurity risk management and strategy may be insufficient or may not be successful in protecting against all cyber incidents. Accordingly, no matter how well designed or implemented the Company’s controls are, it will not be able to anticipate all cybersecurity breaches, and it may not be able to implement effective preventive measures against such security breaches in a timely manner. For more information on how cybersecurity risk may materially affect the Company’s business strategy, results of operations or financial condition, please refer to Item 1A Risk Factors.

Governance

The Company’s Board of Directors is charged with overseeing the establishment and execution of the Company’s Risk Management program and monitoring adherence to related policies required by applicable statutes, regulations and principles of safety and soundness.
Consistent with this responsibility, the Board has delegated primary oversight responsibility over the Company’s risk management program, including oversight of cybersecurity risk management, to the Audit & Risk Committee of the Board. The Company’s Chief Risk Management Officer reports directly to the CEO and chairs the Company’s management-level Enterprise Risk Management Committee, through which the Company’s executive team manages and oversees the Company’s entire risk management program, including cybersecurity risk management. In addition, the Company’s Chief Information Security Officer (“CISO”) reports directly to the Chief Risk Management Officer and works in tandem with the Company’s Enterprise Technology Department. The Enterprise Technology department is responsible for the Company’s information systems and for building and maintaining cybersecurity defenses within the Company’s technology systems. The Company’s Chief Technology Officer (“CTO”) reports directly to the CEO and leads the Enterprise Technology Department. Collectively, the Enterprise Technology and Enterprise Risk Management Departments work together to oversee the day-to-day management and implementation of the Company’s cybersecurity risk management program. The Company’s Internal Audit Department, including third parties engaged by Internal Audit, evaluates the overall effectiveness of the Bank’s cybersecurity risk management strategy, which is reported to the Audit & Risk Committee of the Board. In addition, the Enterprise Technology and Enterprise Risk Management Departments provide reports to the Audit & Risk Committee of the Board discussing items such as the Departments’ efforts to prevent, detect, mitigate, and potentially remediate cybersecurity risks, cybersecurity status updates, and current cybersecurity trends in the banking industry. Finally, the Company’s Board participates in training at least annually on the Directors’ role in managing cybersecurity risks.
The Company’s CISO has over 15 years of prior work experience, which includes managing information security and operational risk, developing cybersecurity strategy and incident responses, implementing effective information and cybersecurity programs, preventing fraud and social engineering, and ensuring business continuity and proper third party management. The Company’s CTO has over 25 years of prior work experience in cybersecurity and data center management and design, 16 years of which have been devoted to the financial and banking sectors. The Enterprise Technology Department comprises a team of subject matter experts in security operations, network architecture, cyber and information security governance and cybersecurity/network operations.


Company Information

Name: National Bank Holdings Corp
CIK: 0001475841
SIC Description: National Commercial Banks
Ticker: NBHC - NYSE
Category: Large accelerated filer
Fiscal Year End: December 30