FIRST BANCORP /PR/ 10-K Cybersecurity GRC - 2025-02-28

Page last updated on March 3, 2025

FIRST BANCORP /PR/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 15:29:43 EST.


10-K filed on 2025-02-28

FIRST BANCORP /PR/ filed a 10-K at 2025-02-28 15:29:43 EST
Accession Number: 0001057706-25-000002


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

The Corporation recognizes the significance of cybersecurity in the financial industry and the associated potential risks, such as those arising from the loss of confidentiality, integrity, or availability of information systems. The Corporation’s processes to identify, assess, and monitor material risks from cybersecurity threats are part of its Enterprise Risk Management (“ERM”) Program, under which the Corporation has implemented a comprehensive Corporate Information Security Program (“CISP”). Cybersecurity risk is managed as part of the overall information technology risk, under the direction of the Corporate Security Office (“CSO”) led by the Corporate Security Officer (“CSO Officer”), who reports directly to the Chief Operations Officer. The CSO Officer also serves as Chief Information Security Officer (“CISO”). The CISP outlines the Corporation’s overall vision, direction, and governance to protect the confidentiality, integrity, and availability of customer information and seeks to prevent unauthorized access as required by regulatory guidelines and industry security best practices. The CISP is based on well-renowned frameworks such as the International Organizational Standard ISO 27000 series and the NIST Cybersecurity Framework. As such, it serves as a guide for the implementation of security safeguards across the Corporation and its subsidiaries. The CISP also addresses cybersecurity breaches and procedures for appropriate response efforts, including any required notification, depending on the severity of the specific security incident.

In addition, the CISP incorporates a risk-based approach to ensure that risk is treated in a consistent and effective manner and is designed to protect classified information to prevent disclosure to unauthorized individuals; prioritize the use of information security resources by concentrating on critical business applications; develop quality, cost-effective, and reliable systems; ensure the proper and secure disposal of sensitive information; and implement adequate processes to ensure compliance. The ERM Program includes a Corporate Incident Response Program, which features a risk-based escalation process to manage corporate incidents, including cybersecurity incidents, and to notify the Risk Committee of the Board of Directors and applicable stakeholders as appropriate. The Corporation includes the Information Technology (“IT”) Risk Unit of the ERM Department, which is comprised of several members such as IT Risk Managers and the ERM Director (who is part of senior management), as well as external expertise, in the review of its processes, including an independent internal assessment of cybersecurity measures and controls. The Corporation also invests in threat intelligence, vulnerability management, and incident response drills. Furthermore, all of the Corporation’s employees and consultants with access to the Corporation’s network are required to complete a comprehensive cybersecurity awareness program on an annual basis. Additionally, awareness and training on information technology and cybersecurity risk is provided to the Board on a regular basis. The Corporation has a Vendor Management Program and a Third-Party Risk Management function to manage the cybersecurity risks associated with conducting business with third-party vendors, which includes the requirement for third-party vendors to implement appropriate measures to ascertain the security and confidentiality of the Corporation’s resources.

The Corporation places vendors into tiers based on the inherent risk arising from the nature of the relationship with that vendor, in order to determine any additional security requirements commensurate with that level of risk. The Corporation does not believe that risks from cybersecurity threats or attacks, including as a result of any previous cybersecurity incidents, have materially affected the Corporation’s business strategy, results of operations or financial condition as of December 31, 2024. While the Corporation continues to closely monitor cyber risk and has implemented processes that are intended to assess, identify, and manage material risks from cybersecurity threats, security controls, no matter how well designed or implemented, may only partially mitigate and not fully eliminate these risks. Events, when detected by security tools or third parties, may not always be immediately understood or acted upon. See Item 1A, “Risk Factors - Risks Relating to Cybersecurity and Technology” for more information on how cybersecurity risk could adversely affect the Corporation, which should be read in conjunction with this Item 1C.

Governance

Responsibility for risk oversight and management generally lies with the Corporation’s Board of Directors. To effectively manage oversight of the CISP’s governance and cybersecurity risk management, the Board has delegated such responsibility to the Risk Committee. As part of its oversight, the Risk Committee receives reports from the Executive Risk Management Committee and the IT Steering Committee, which are committees at the management level, on the Corporation’s cybersecurity processes. The Corporate Internal Audit Department performs periodic audits of the Corporation’s information security practices and presents them to the Audit Committee of the Board. The scope of testing is in accordance with applicable regulatory guidance and prudent business practices. The periodicity of testing is determined by the Corporate Internal Audit Department based on its risk assessment. Findings from internal audit procedures are reported to Management and the Audit Committee. In addition, the Vendor Management Committee periodically reports to the Risk Committee on the status of the Vendor Management program. The Risk Committee provides the Board with updated information on the matters discussed in Risk Committee meetings as they relate to the CISP and the overall information security strategic direction, and evaluates and approves (if necessary) reports presented by executive management related to the information security strategic direction of the Corporation. The CSO, led by the CSO Officer, oversees the CISP, its development, and any applicable updates in response to changes in operations and other circumstances, and reports on a quarterly basis to the IT Steering Committee and to the Board’s Risk Committee. The CSO Officer, who has been in charge since 2016, has over 20 years of experience in functional expertise concerning all aspects of information security, integrity and privacy of systems, and data resources, and holds several relevant licenses and/or certifications. Also, certain topics related to information security are presented on an ad hoc basis to the Executive Risk Management Committee. The CSO provides the Board’s Risk Committee with regular reports and engages in discussions on the effectiveness of the CISP, including risk mitigation strategy and progress. The Board’s Risk Committee reviews and approves the CISP annually and receives a report on the security safeguards annually. See “Risk Management - Risk Governance” for more information on the Corporation’s risk governance structure.

Company Information

SIC Description: State Commercial Banks
Ticker: FBP - NYSE
Category: Large accelerated filer
Fiscal Year End: December 30