Page last updated on February 25, 2025
PINNACLE FINANCIAL PARTNERS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 14:14:18 EST.
Filings
10-K filed on 2025-02-25
PINNACLE FINANCIAL PARTNERS INC filed a 10-K at 2025-02-25 14:14:18 EST
Accession Number: 0001115055-25-000042
Item 1C. Cybersecurity.
Risk Management, Strategy and Governance

Pinnacle places a high priority and focus on securing the confidential information it receives and stores about its borrowers, depositors and other customers and employees. This priority and focus starts with Pinnacle’s board of directors, or committees of the board of directors, which are ultimately responsible for establishing effective risk oversight, approving our risk appetite statement, understanding our key risks and seeking to establish the risk management strategy, processes and internal controls that are appropriate to manage risk, in each case inclusive of cybersecurity risk. Our risk appetite statement includes specific information technology risk tolerance thresholds and limits established with the approval of our board of directors, or designated committees thereof, and executive management. Key risk indicators are monitored by the Risk Committee of our board of directors (the “Risk Committee”), which receives quarterly reports from our Chief Risk Officer, Chief Solutions Officer/EVP of Bank Operations (“CSO”), Risk Management Committee and Operations and Automation (“O&A”) Committee regarding management’s efforts to protect Pinnacle from cybersecurity threats and the general threat landscape facing companies with operational characteristics similar to ours. The CSO reports quarterly to Pinnacle’s Risk Committee of the board of directors regarding our information security risk oversight processes as the board of directors, acting through the Risk Committee, seeks to ensure Pinnacle is operating within its stated risk appetite. Pinnacle’s CSO has appointed a Chief Information Security Officer (the “CISO”). The CISO reports directly to Pinnacle’s CSO, and the responsibilities of this role are in conjunction with information security and other special projects concerning risk and operational issues identified.
The CISO coordinates Pinnacle’s information security risk assessment process, facilitates annual employee training, and prepares an annual report to Pinnacle’s board of directors with a summary of the Information Security Strategic Plan for the coming year, top cybersecurity risks and crucial information security updates that could impact us. Pinnacle’s CISO holds a Master’s Degree in Information Security and Assurance and brings 28 years of experience in IT and Information Security. Prior to being appointed as the CISO, our CISO served as the Company’s Deputy CISO, which allows for longstanding knowledge of the environment and our clients to be maintained while working to keep our cybersecurity risks managed. Pinnacle’s objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse its systems or information. A key part of Pinnacle’s strategy for managing risks from cybersecurity threats is the ongoing assessment and testing of its processes and practices through auditing, security assessments, and other exercises focused on evaluating the effectiveness of Pinnacle’s processes and programs. Pinnacle also deploys technical safeguards that are designed to protect its information systems from cybersecurity threats and incidents in a prompt and effective manner with the goal of minimizing disruptions to its business. Pinnacle has also developed and periodically updates incident response plans that provide a documented framework for responding to actual or potential cybersecurity incidents, including timely notification and escalation to the appropriate management committees and to the Risk Committee of the board and full board of directors as appropriate. These incident response plans are coordinated through the CSO and other key members of management, including the CEO.
The CISO, the CSO, our Chief Information Officer (CIO) and Chief Risk Officer collaborate in the development and implementation of the Information Technology Program. Together with our information technology staff, third-party vendors and other outside resources, information security standards and controls are implemented across all enterprise systems. The CISO and associates reporting to him monitor Pinnacle’s information technology systems for threats and vulnerabilities, reporting regularly to the CIO. The CISO also recommends changes to those systems designed to protect the systems from attack and reduce cybersecurity risk. Pinnacle’s board of directors delegates authority to the Risk Committee to assist the board in carrying out certain duties related to risk oversight, including with respect to information security risk. The Risk Committee provides primary board-level oversight of our enterprise-wide risk posture and the processes established to identify, measure, and monitor our risk level, including regarding information security risk. This oversight includes reviewing and approving our risk appetite statement, including with respect to information security risk and reviewing quarterly reporting from management on monitoring of performance of Pinnacle against its risk appetite. Pinnacle’s Risk Management Committee, which is a management committee consisting of key employees of Pinnacle, including our Chief Risk Officer, Chief Executive Officer, Chief Financial Officer, CSO, Chief Credit Officer, Treasurer and Chief Compliance Officer as well as other nonvoting members including our Chief Audit Executive, oversees monitoring of the Information Technology program. 
Testing of the Information Technology program, including information security, is accomplished using a comprehensive program of on-going internal testing, utilizing third-party service providers to provide routine vulnerability scanning and penetration testing, and conducting targeted threat assessments with third-party consultants on an annual basis. Additionally, our Internal Audit function includes information technology, as well as information security, in its annual audit plan. In addition, in accordance with the Information Technology program, our O&A Committee assesses information security risks on a quarterly basis, or more often in response to changes in products or services that are offered, technological changes, changes in the threat landscape facing Pinnacle, including as a result of cybersecurity incidents affecting financial institutions or their third party vendors generally, or any change that may materially affect our risk environment. The O&A Committee, chaired by the CSO, is responsible for the oversight of the Information Security Advisory Team (ISAT) subcommittee, which monitors monthly operational cybersecurity reporting, threat intelligence, security project implementation, and maintenance of the information security policies and standards managed by the Company’s CISO. The monthly ISAT reports are provided to the Risk Committee quarterly and describe the overall status of the Information Security activities, including, but not limited to:
- Decisions about enterprise cybersecurity risks and mitigating controls;
- Results of testing, including regular external and internal penetration testing and vulnerability scans;
- Cybersecurity Threat Intelligence;
- Security Operations Systems Performance; and
- Security breaches or violations and management’s responses.
To date, no attempted cyber-attack or other attempted intrusion on Pinnacle’s information technology networks has resulted in a material adverse impact on the operations or financial results of Pinnacle Financial or Pinnacle Bank. For further discussion of risks from cybersecurity threats, see the section captioned “We are dependent on our information technology and telecommunications systems and third-party servicers, and systems failures, interruptions or breaches of security could have a material adverse effect on our financial condition and results of operations, as well as cause legal or reputational harm” in Item 1A. Risk Factors.

Information Security Training and Awareness

Information security awareness training is provided to all employees and bank business units at initial new hire orientation and no less often than annually thereafter and focuses on Pinnacle’s overall Information Security Program, roles and responsibilities of employees during an incident and how to identify and report suspicious activity.

Third Party Risk Management (TPRM)

Management identifies, assesses, controls, monitors and reports on risks related to Pinnacle’s use of third and fourth parties per applicable laws, safe and sound business practices, and related supervisory guidance, particularly that of the Interagency Guidance on Third-Party Relationships: Risk Management. It is our policy to ensure the internal controls and financial condition of a third-party vendor are carefully evaluated prior to the allowance of such support services to begin, and as an on-going condition of continuing support of such products or services.
Vendors with access to customer information or direct access to the network are carefully reviewed to ensure that appropriate controls and mechanisms are in place in an attempt to safeguard confidential information, and our contracts with such vendors include obligations on the part of the vendors to maintain the confidentiality of such information in compliance with applicable legal requirements.
Company Information
| Field | Value |
| --- | --- |
| Name | PINNACLE FINANCIAL PARTNERS INC |
| CIK | 0001115055 |
| SIC Description | National Commercial Banks |
| Ticker | PNFP - Nasdaq; PNFPP - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 30 |