Page last updated on February 27, 2025
PROSPERITY BANCSHARES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 17:11:36 EST.
Filings
10-K filed on 2025-02-27
PROSPERITY BANCSHARES INC filed a 10-K at 2025-02-27 17:11:36 EST
Accession Number: 0000950170-25-029222
Item 1C. Cybersecurity.
Risk Management and Strategy

The Company’s risk management program is designed to identify, assess, and mitigate risks across various areas and functions, including financial, operational, technological, regulatory, reputational, and legal. Cybersecurity is a critical component of the risk management program. The Company’s information security program is designed to protect the security, availability, integrity, and confidentiality of its computer systems, networks, software and information assets, including customer and other sensitive data.

The structure of the Company’s information security program is designed around the National Institute of Standards and Technology Cybersecurity Framework, regulatory guidance, and other industry standards. In addition, the Company leverages certain industry and government associations, third-party benchmarking, audits, and threat intelligence feeds to facilitate and promote program effectiveness. The Chief Information Security Officer (CISO), who reports directly to the Chief Risk Officer, and the Chief Information Officer (CIO), who reports directly to the Director of Corporate Strategy, along with key members of their teams, regularly collaborate with peer banks and industry groups to discuss cybersecurity trends, issues and best practices. The information security program is periodically reviewed with the goal of addressing changing threats and conditions.

The Company employs an in-depth, layered, defensive strategy that embraces a “secure by design” philosophy when designing new products, services, and technology. The Company leverages people, processes, and technology as part of its efforts to manage and maintain cybersecurity controls and employs a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity. The Company also actively monitors its email gateways for malicious phishing email campaigns and monitors remote connections as a portion of its workforce has the option to work remotely.

The Company has established processes and systems designed to mitigate cyber risk, including regular and on-going education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests. It engages in regular assessments of its infrastructure, software systems, and network architecture, using internal cybersecurity experts and third-party specialists. The Company also maintains a third-party risk management program designed to identify, assess, and manage risks, including cybersecurity risks, associated with external service providers and its supply chain. The Company leverages internal and external auditors and independent external partners to periodically review its processes, systems, and controls, including with respect to its information security program, to assess their design and operating effectiveness and make recommendations to strengthen its risk management program.

The Company maintains an Information Security Incident Response Policy (“Incident Response Policy”) and related procedures that provide a documented framework for responding to actual or potential cybersecurity incidents, including timely escalation of incidents to the Crisis Management Team and notification to the appropriate regulatory and governmental authorities. As needed, the notification may include the CEO and/or the Company’s and Bank’s Board of Directors. The Incident Response Policy and related procedures are coordinated through the Chief Risk Officer and key members of management, including but not limited to representatives from the information security, information technology and legal teams that are embedded into the procedures by design. The Incident Response Policy facilitates coordination across multiple parts of the organization and is evaluated at least annually.

To date, the Company has not experienced a cybersecurity incident that has materially impacted its business strategy, results of operations, or financial condition. Despite the Company’s efforts, there can be no assurance that its cybersecurity risk management processes and measures described will be fully implemented, complied with, or effective in protecting its systems and information. The Company faces risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect its business strategy, results of operations or financial condition. See Item 1A. “Risk Factors” in this document for further discussion of the risks associated with an interruption or breach in the Company’s information systems or infrastructure.

Governance

The Bank’s Board of Directors is responsible for overseeing the risks associated with cybersecurity threats. The Strategic Technology Oversight Committee (“STOC”) of the Board has primary responsibility for overseeing the technology program, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. The CISO and the CIO provide quarterly reports to the STOC regarding the information security and technology programs, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes. The CISO also reports summaries of key issues, including significant cybersecurity and/or privacy incidents.

In addition to the STOC, the management-level Operations Committee and the Enterprise Risk Management Committee (“ERM Committee”) focus on and provide oversight of the information security program. The ERM Committee reviews and, as appropriate, approves the broad objectives, strategies and policies governing the Company’s protection of data assets and information security framework. The ERM Committee additionally assesses the adequacy of information security practices and reports on cyber risk to the Risk Committee of the Company’s Board of Directors.

The Operations Committee is chaired by the Chief Operating Officer and includes the CISO, CIO and other key departmental managers from throughout the Company. This committee generally meets bi-weekly to discuss various operational strategy and issues, including information technology and information security policies, practices, controls, and mitigation and prevention efforts.

The CISO is accountable for managing the enterprise information security department and delivering the information security program. The responsibilities of the information security department include threat detection and prevention, cybersecurity risk assessment, a portion of defense operations, incident management, vulnerability assessment, threat intelligence, and third-party risk management. The department also provides security awareness training. The Company’s information technology department works together with information security in defense operations and is responsible for business resilience, including identity management.
Company Information
Name | PROSPERITY BANCSHARES INC |
CIK | 0001068851 |
SIC Description | State Commercial Banks |
Ticker | PB - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |