BANNER CORP 10-K Cybersecurity GRC - 2025-02-26

Page last updated on February 27, 2025

BANNER CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 16:38:44 EST.

Filings

10-K filed on 2025-02-26

BANNER CORP filed a 10-K at 2025-02-26 16:38:44 EST
Accession Number: 0000946673-25-000008


Item 1C. Cybersecurity.

Item 1C - Cybersecurity Risk Management and Strategy

Our cybersecurity risk management and strategy are integrated into our enterprise-wide risk management program, leveraging a “three lines of defense” model to manage risk within the organization. Technology risk (including cybersecurity risk) is considered to be a key risk area for the Company, with Management measuring inherent risk, mitigating controls, and residual risk on a quarterly basis. The ability to mitigate cybersecurity risks depends on an effective risk assessment process that identifies, measures, controls, and monitors material risks from cybersecurity threats. These threats include any potential unauthorized activities that could compromise the confidentiality, integrity, or availability of the Company’s information systems and data.

Our Information Security Program includes a comprehensive information security risk assessment process that incorporates the following elements:

- Identifying threats, measuring risk, defining information security requirements, and implementing controls to reduce risk.
- Identifying reasonably foreseeable internal and external threats that may lead to unauthorized disclosure, misuse, alteration, or destruction of sensitive information or information systems.
- Assessing the likelihood and potential damage posed by these threats, considering the degree of information sensitivity and the Company’s operations, inclusive of substantive changes to people, processes and technology.
- Aligning the Information Security Program with the Company’s enterprise-wide risk management program, which identifies, measures, mitigates, and monitors risk.
- Evaluating the adequacy of policies, procedures, information systems, and other arrangements designed to control identified risks, considering the Company’s operations, inclusive of substantive changes to people, processes and technology.
- Conducting internal and third-party security assessments, including penetration testing.
- Overseeing third-party vendor risk through due diligence and monitoring.

The risk assessment process is designed to identify assets requiring risk reduction strategies and includes an evaluation of the key factors applicable to the operation. The Company conducts a variety of information security assessments throughout the year, both internally and through third-party specialists. In designing our Information Security Program, we refer to established industry frameworks - in particular, the Federal Financial Institutions Examination Council (FFIEC) and guidance from the International Organization for Standardization (ISO). The FFIEC framework offers a set of guidelines to help financial institutions effectively manage and mitigate cybersecurity risks. ISO/IEC 27001 is an international standard developed by the ISO specifically for Information Security, Cybersecurity and Privacy Protection (ISCPP). These frameworks provide best practices for managing cybersecurity risks and ensuring information security, and we consider them to be aspirational benchmarks to help inform the design of our Information Security Program. While our program is designed to be robust, the sophistication and evolving nature of cyber threats mean no system can fully eliminate risk. For more information on how cybersecurity risk may affect the Company’s business strategy, results of operations or financial condition, please refer to Item 1A, Risk Factors - Risks Related to Cybersecurity, Data and Fraud.

The Company uses a cross-functional approach to identify, prevent, and mitigate cybersecurity threats and incidents. We have established procedures for the timely escalation and, when required, disclosure of cybersecurity incidents, supported by a formal incident response plan that outlines the steps the Company will take to respond to a cybersecurity incident.

While cybersecurity risks could materially affect the Company, past incidents have not materially affected our business strategy, results of operations or financial condition. For further details on potential cybersecurity risks, see Item 1A, Risk Factors - Risks Related to Cybersecurity, Data and Fraud.

Governance

Our Board of Directors annually reviews and approves the Company’s Risk Appetite Statement, which defines key risk categories and associated metrics that are monitored quarterly by Management and reported to the Risk Committee. Management measures and reports inherent risk, mitigating controls, and residual risk for each key risk category and identifies and regularly discusses emerging risks with the Risk Committee. The Company’s governance and oversight of cybersecurity risks are facilitated through our Information Security Program, which establishes administrative, technical, and physical safeguards designed to protect sensitive information in accordance with FDIC and FFIEC regulations. The program is tailored to align with the Company’s size, complexity and operational scope.

Cybersecurity risk management is led by our Chief Information Officer (CIO) and Chief Information Security Officer (CISO), supported by our information technology and information security teams. The Bank’s Chief Information Officer (CIO) provides direction and oversight for information technology and security across the Company, including existing and emerging initiatives. In this role, she leverages more than 26 years of information technology experience. The Bank’s Chief Information Security Officer (CISO) has been with the Company for more than 13 years and has maintained various applicable cybersecurity and IT audit certifications. Prior to joining the Bank, he worked for a Fortune 500 company and had 15 years of information technology experience working in networking, information security and information technology auditing.

Our Information Technology (IT) Management team is responsible for conducting risk assessments, designing the Information Security Program, overseeing service provider arrangements, establishing risk-based response programs for incidents involving unauthorized data access, providing staff training, conducting testing of key controls, systems, and procedures, and adjusting the program to reflect changes in people, processes, technology, sensitive information, threats, and the business environment (e.g., mergers, acquisitions, alliances, joint ventures, or outsourcing arrangements). Our IT Management team reports annually to the Risk Committee on the status of the Information Security Program, including risk assessment, risk management and control decisions, service provider arrangements, results of independent testing, cybersecurity incidents and recommendations for improvements. Quarterly status updates are also provided to the Risk Committee.

The Board of Directors plays a crucial role, annually reviewing and approving our Information Security Program. The Board oversees efforts to develop, implement, and maintain an effective Information Security Program, including reviewing Management’s reporting on program effectiveness. The Board of Directors’ Corporate Governance/Nominating Committee considers IT and cybersecurity expertise when assessing potential director candidates to help ensure effective oversight by the Board of Directors.

We maintain a Cybersecurity Incident Response Team (CIRT) to handle technical aspects of the Company’s response to cybersecurity events and an Executive Cybersecurity Event Evaluation Team (ECEET) to assess potential business impacts and disclosure requirements related to cybersecurity events. Both teams may engage cybersecurity legal counsel and other external experts in connection with their respective activities. An escalation process facilitates updates to internal governance groups, including the Company’s Disclosure Committee and/or the Board of Directors’ Audit Committee, each of which also receives a quarterly report from the ECEET chair.


Company Information

Name: BANNER CORP
CIK: 0000946673
SIC Description: State Commercial Banks
Ticker: BANR - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30