FIRST BUSEY CORP /NV/ 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

FIRST BUSEY CORP /NV/ reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:00:37 EST.

Filings

10-K filed on 2025-02-27

FIRST BUSEY CORP /NV/ filed a 10-K at 2025-02-27 16:00:37 EST
Accession Number: 0000314489-25-000041


Item 1C. Cybersecurity.

Busey maintains a cyber security risk management program designed to prevent, detect, and respond to information security threats. The program is designed to align with the Cyber Risk Institute’s Profile framework, which is based on the National Institute of Standards and Technology’s Cybersecurity Framework. The program is led by Busey’s Chief Information Security Officer (“CISO”). Busey’s CISO has been in the role since September 2020 and has over 15 years of experience across external and internal audit, technology risk management, and cybersecurity matters, spanning various industries primarily within the financial services sector, but also including healthcare, technology, consumer products, and manufacturing for both regional and multinational corporations. Busey’s cyber security risk management program is a key part of the Company’s overall risk management system, which is administered by the Chief Risk Officer. Busey’s cyber security risk management program includes administrative, technical, and physical safeguards to help ensure the security and confidentiality of customer records and information.

Busey has long devoted significant resources to assessing, identifying, and managing risks associated with cybersecurity threats, including:

- Establishing an internal cybersecurity team that is responsible for conducting regular assessments of Busey’s information systems, existing controls, vulnerabilities, and potential improvements;
- Employing continuous monitoring tools that can detect and help respond to cybersecurity threats in real-time;
- Performing due diligence with respect to third-party service providers, including their cybersecurity practices, and requiring contractual commitments from Busey’s service providers to take certain cybersecurity measures;
- Ongoing monitoring and assessment of third-party vendors’ cybersecurity practices, including regular audits, compliance checks, and incident reporting requirements;
- Engaging third-party cybersecurity consultants, who conduct periodic penetration testing, vulnerability assessments, and other procedures to identify potential weaknesses in Busey’s systems and processes;
- Mandating periodic cybersecurity training for Busey’s workforce, which includes awareness programs on phishing, social engineering, and other common cyber threats;
- Implementing access control measures such as multi-factor authentication, role-based access controls, and regular access reviews to ensure that only authorized personnel have access to critical systems and data;
- Using data encryption for both data at rest and data in transit to protect sensitive information; and
- Creating an incident response plan that outlines the steps to contain, mitigate, and remediate the impact of cybersecurity incidents, including communication protocols and post-incident analysis.

Busey’s security and privacy policies and procedures are in effect across all of its businesses and geographic locations.

Busey adheres to various regulatory requirements and standards, including the Gramm-Leach-Bliley Act to ensure compliance with data protection laws. Additionally, Busey maintains cybersecurity insurance coverage to mitigate potential financial impacts from cyber incidents.

Busey’s board of directors, as a whole and through its Enterprise Risk Committee (the “Risk Committee”), is responsible for the oversight of risk management. In that role, Busey’s board of directors and Risk Committee, with support from Busey’s cybersecurity advisors, are responsible for ensuring that the risk management processes developed and implemented by management are adequate and functioning as designed. To carry out those duties, both the board of directors and the Risk Committee receive quarterly reports from Busey’s management team regarding cybersecurity risks, and Busey’s efforts to prevent, detect, mitigate, and remediate any cybersecurity incidents.

Busey’s historical data indicates that while Busey has encountered cybersecurity threats and incidents, none have materially affected the Company. Still, Busey faces a number of cybersecurity risks in connection with its business, and it is possible that threats and incidents identified in the future could have a material adverse effect on Busey’s business strategy, results of operations, and financial condition. For additional information on the risks that cybersecurity threats pose to Busey see "Item 1A. Risk Factors-Operational Risks."


Company Information

Name: FIRST BUSEY CORP /NV/
CIK: 0000314489
SIC Description: State Commercial Banks
Ticker: BUSE - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30