Page last updated on February 25, 2025
SEACOAST BANKING CORP OF FLORIDA reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 17:07:43 EST.
Filings
10-K filed on 2025-02-25
SEACOAST BANKING CORP OF FLORIDA filed a 10-K at 2025-02-25 17:07:43 EST
Accession Number: 0000730708-25-000045
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

The Company’s information security program is designed to protect sensitive information from unauthorized access, use, disclosure, alteration, or destruction, and to maintain the confidentiality, integrity, and availability of our information assets, including employee and customer non-public information, financial data, and internal operational information. Our Chief Information Security Officer (CISO), who reports to our Chief Risk Officer (CRO), manages our information security strategy and development within our overarching Enterprise Risk Management (ERM) program. The Company’s cybersecurity program, including our information security policies, is designed to align with regulatory guidance and industry practices.

To protect our information systems, network, and information assets from cybersecurity threats, we use various security tools, products and processes that help identify, prevent, investigate, and remediate cybersecurity threats and security incidents. The Company’s Information Security team monitors threat intelligence sources to research evolving threats, investigates the potential impact to financial services companies, examines company controls to detect and defend against those threats, and proactively adjusts company defenses against those threats. The Information Security team also actively monitors company networks and systems to detect suspicious or malicious events, including through penetration testing and periodic vulnerability scans. A managed security service provider supplements our efforts to provide 24 hours a day, seven days a week coverage, and we work with leading cybersecurity companies and organizations to leverage third-party technology and expertise as appropriate. We maintain policies and procedures for the safe storage, handling and secure disposal of customer information.

Each employee is expected to be responsible for the security and confidentiality of customer information, and we communicate this responsibility to employees upon hiring and regularly throughout their employment. Annually, we provide employees with mandatory security awareness training. The curriculum includes the recognition and appropriate handling of potential phishing emails, which could ultimately place sensitive customer or employee information at risk. The Company employs a number of technical controls to mitigate the risk of phishing emails targeting employees. We test employees monthly to determine their susceptibility to phishing test emails, we require susceptible employees to take additional training, and we provide regular reports to management.

As part of our information security program, we have adopted a Cyber Incident Response Plan (“Incident Response Plan”) which is administered by our CISO, who closely coordinates with the Company’s Information Technology team. The Incident Response Plan describes the Company’s processes, procedures, and responsibilities for responding to cybersecurity incidents, and identifies those team members responsible for assessing potential security incidents, declaring an incident, and initiating a response. The Incident Response Plan outlines action steps for investigating, containing, and remediating a cybersecurity incident, and includes procedures for escalation and reporting of potentially significant cybersecurity incidents to the Company’s Senior Leadership Team, including the CEO, CFO, CRO, Head of Legal, and the Board of Directors. As necessary, the Company may retain a third-party firm to assist with forensic investigation and management of cybersecurity incidents. Annually, our incident response team performs exercises to simulate responses to cybersecurity events. Each exercise results in lessons learned and subsequent improvement to the Incident Response Plan.

The Company conducts due diligence prior to engaging third-party service providers which have access to the Company’s networks, systems, and/or customer or employee data. Risk assessments are performed using Service Organization Controls (SOC) reports, self-attestation questionnaires, and other tools. Third-party service providers are required to comply with the Company’s policies regarding non-public personal information and information security. Third parties processing non-public personal information are contractually required to meet all legal and regulatory obligations to protect customer data against security threats or unauthorized access. After contract execution, Seacoast requires critical and high-risk providers to have an ongoing monitoring plan.

While we do not believe that our business strategy, results of operations or financial condition have been materially adversely affected by any cybersecurity incidents, cybersecurity threats are pervasive, and cybersecurity risk has increased in recent years. Despite our efforts, there can be no assurance that our cybersecurity risk management processes and measures described will be fully implemented, complied with or effective in protecting our systems and information. We face risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect our business strategy, results of operations or financial condition. See Item 1A. “Risk Factors” for further discussion of the material risks associated with an interruption or breach in our information systems or infrastructure.

Cybersecurity Governance

Our Board of Directors is responsible for overseeing the Company’s business and affairs, including risks associated with cybersecurity threats. The Board oversees the Company’s corporate risk governance processes primarily through its committees, and oversight of cybersecurity threats is delegated primarily to our Information Technology Committee (ITC). The Enterprise Risk Management Committee (ERMC) of the Board has primary responsibility for overseeing the Company’s comprehensive ERM program. The ERM program assists senior management in identifying, assessing, monitoring, and managing risk, including cybersecurity risk, in a rapidly changing environment. Cybersecurity matters and assessments are regularly included in both ITC and ERMC meetings.

The Board’s oversight of cybersecurity risk is supported by our CISO. The CISO attends ITC and ERMC meetings and provides cybersecurity updates to these Board committees. The CISO also provides annual risk assessments and reports regarding the information security program to the full Board of Directors. Our CRO, in conjunction with our CISO, facilitates the involvement of the ITC in oversight of potentially significant cybersecurity incidents.

The Company’s CISO directs the company’s information security program and our information technology risk management. In this role, in addition to the responsibilities discussed above, the CISO supports the information security risk oversight responsibilities of the Board and its committees. The CISO is also responsible for the Company’s information technology governance, risk, and compliance program and ensures that high-level risks receive appropriate attention. The Information Security team examines risks to the Company’s information systems and assets, designs and implements security solutions, monitors the environment, and provides responses to threats.

Our CISO has cybersecurity and information technology experience spanning more than 30 years. Prior experience includes serving as the CISO for a multi-national cloud hosting organization serving the legal community and several senior leadership roles in both information technology and information security at a large financial institution, Fortune 500 organizations and a large professional services firm. The CISO holds a degree in Computer Science and maintains appropriate industry certifications.
Company Information
| Field | Value |
| --- | --- |
| Name | SEACOAST BANKING CORP OF FLORIDA |
| CIK | 0000730708 |
| SIC Description | State Commercial Banks |
| Ticker | SBCF - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 30 |