Page last updated on February 27, 2025
SOUTHSIDE BANCSHARES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:50:46 EST.
Filings
10-K filed on 2025-02-27
SOUTHSIDE BANCSHARES INC filed a 10-K at 2025-02-27 16:50:46 EST
Accession Number: 0000705432-25-000020
Item 1C. Cybersecurity.
Risk Management Strategy

Given the increasing reliance on technology and potential of cyber threats, we have integrated a cybersecurity component into our risk management program, which is designed to identify, assess and mitigate risks across various aspects of the Company. We have a dedicated Information Security Department, which is led by our Chief Information Security Officer. The Information Security Department serves to protect the security and confidentiality of customer information, protect against any threats or hazards to the security or integrity of Company information and protect against unauthorized access to, or use of, such information that could result in substantial harm or inconvenience to our customers.

Our information security program strives to protect the confidentiality, integrity and availability of information and information systems and is aligned to the Company’s business and risk management strategies. It shares common methodologies, reporting channels and governance processes that apply to other areas of enterprise risk. The information security program includes policies and standards that define the risk assessment procedures, reporting and an incident response plan.

Key elements of our cybersecurity risk management program include:

- IT risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise information technology environment;
- Information Security Department responsible for managing our cybersecurity risk assessment processes, our security controls, and our response to a cybersecurity incident;
- Cybersecurity Assessment Toolkit (developed by the FFIEC) is assessed annually, tracks program maturity, changes in risk profile, and reviews security controls critical to reduce cybersecurity risk. Results are presented to and approved by the Board. We are currently in the process of transitioning to the Cybersecurity Framework developed by the National Institute of Standards and Technology as the FFIEC Cybersecurity Assessment Toolkit will sunset on August 31, 2025;
- Ransomware Assessment Toolkit (developed by the Bankers Electronic Crimes Task Force, state bank regulators and the U.S. Secret Service) is assessed biannually to capture any gaps and address any potential control deficiencies;
- training and awareness programs for employees that include periodic and ongoing assessments to drive adoption and awareness of cybersecurity processes and controls;
- the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
- a cybersecurity incident response plan that includes procedures for responding to a cybersecurity incident; and defines escalations to senior management and the Board, as well as required notifications and timeframes to customers and regulatory authorities,
- a third-party risk management process for service providers, suppliers, and vendors, including those external service providers we engage in our cybersecurity risk management processes.

Risks from cybersecurity threats are assessed with existing controls and residual risk is monitored. We have not experienced any material cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition. We cannot provide full assurance that our cybersecurity risk management processes described will be fully implemented, complied with or effective in protecting our systems and information. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See “Part I - Item 1A. Risk Factors - Risks Related to Our Business” in this report for a discussion of risks related to cybersecurity.
Governance

Management’s Role

Our CISO leads our Information Security Department, is responsible for the information security program, which includes cybersecurity, and reports to the Chief Risk Officer. Our CISO joined the Company in 2012. He has over two decades of experience, involving both information technology and information security. He has a Master of Business Administration in Cybersecurity, graduate studies certificate in cybersecurity and has achieved four certifications, including Certified Information Security Manager, Certified Information Systems Auditor, Certified Data Privacy Solutions Engineer and Cisco Certified Network Associate.

We also have a trained response team led by the CISO, consisting of key individuals from executive management, finance, operations, risk, compliance, communications, human resources, banking and information technology departments, that is engaged for cybersecurity related incidents where necessary and as appropriate. Additionally, we engage a third party that offers cybersecurity solutions, monitoring and incident response services for additional support.

Board Oversight of Cybersecurity

The Audit and Risk Committees of the Board oversee cybersecurity risk and the information security program which includes overseeing management’s actions to identify, assess, mitigate and remediate or prevent material cybersecurity risks. The Audit Committee receives, from the CISO, an annual report of the information security program and monthly reports of any security incident or on notable security events for the period. The Board Chairman and Vice Chairman are notified of any high criticality security incidents within 24 hours. The notable security event briefings by the CISO are intended to create discussion that allows Board members to understand the impact, controls and risk.

The Risk Committee receives, from the CISO, annual reports on risk assessments and at least quarterly reports on key risk indicators. The Risk Committee receives at least one annual training from the CISO on the information security program, cybersecurity controls or cybersecurity threats. Both the Bank’s management level Risk Committee and the Risk Committee of the Board review all risk assessments and remediations annually.
Company Information
Name | SOUTHSIDE BANCSHARES INC |
CIK | 0000705432 |
SIC Description | State Commercial Banks |
Ticker | SBSI - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |