Page last updated on March 3, 2025
INDEPENDENT BANK CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 17:27:46 EST.
Filings
10-K filed on 2025-02-28
INDEPENDENT BANK CORP filed a 10-K at 2025-02-28 17:27:46 EST
Accession Number: 0000776901-25-000093
Item 1C. Cybersecurity.
Cybersecurity threats pose a risk to the Company, as crimes committed through or involving the internet, such as phishing, hacking, denial of service attacks, stealing information, unauthorized intrusions into the Company’s internal systems or the systems of the Company’s third-party vendors could adversely impact the Company’s operations or damage its reputation. The Bank manages cybersecurity threats proactively and maintains robust controls to protect its critical systems and data by investing in secure, reliable, and resilient technology infrastructure, fostering a culture of technology risk awareness, and continuously improving its technology risk management practices.

The Company’s process for monitoring and mitigating cybersecurity risk is designed in conjunction with its overall Enterprise Risk Management Policy. The Company’s Information Security Program follows ISO 27002, an international standard for information security controls, as well as references to the Federal Financial Institutions Examination Council Information Examination Handbook, and other regulatory guidance and industry standards.

The Company has several processes in place to oversee and identify these risks, such as the Information Technology Risk Governance Committee (“ITRGC”), which is responsible for oversight of information technology (“IT”) and information security (“IS”) risk. This committee oversees the establishment and revision of IT and IS key risk and key performance indicators and ongoing monitoring of these metrics. The Company’s Chief Information Security Officer (“CISO”) is responsible for cybersecurity initiatives at the Company, including identifying and managing security risks, and escalating elevated risks with the Chief Risk Officer (“CRO”) where applicable. Together, the CISO and the CRO report on emerging and existing threats and mitigation strategies to the Board, which has oversight of cybersecurity risk, on a semi-annual basis, or more frequently, if needed. The CISO has over 30 years of information security experience, with experienced team members that come from a wide range of industries and possess substantial knowledge and expertise in how to manage information security and cybersecurity risks. Additionally, the team of employees supporting the CISO maintain education and certification requirements necessary to fulfill their responsibilities.

The Company has deployed a layered security approach to identify, measure, monitor and control information technology risks. The Company also maintains a documented Incident Management Standard and Technology and Cyber Incident Response Plan. These documents address the detection, mitigation, and remediation of cybersecurity incidents, and include appropriate timely incident escalations to be followed during an incident, up to and including executive leadership, management committees and depending on incident severity, the Board, or a Board committee. The volume, severity, and root cause of security incidents are reported on at monthly management committees.

The Company will regularly engage independent third parties to assist in its cybersecurity preparedness, including but not limited to vulnerability scan assessments, secure code scan reviews, and cybersecurity incident response simulations. The Company’s internal audit department also performs annual cybersecurity penetration testing over the Company’s internal and external networks. Additionally, for third party related technologies, the Company’s Third-Party Risk Management Program (“TPRM”) is involved with onboarding all vendors, including ongoing monitoring of higher risk vendor relationships. TPRM documents the Company’s view of applicable third-party vendors assessing the vendor’s technological capability to provide products and/or services in a viable and risk averse manner.

In an effort to mitigate risks related to cybersecurity threats, the Company has also designed and implemented required training for all employees, including training on the Company’s security and privacy policies, which are mandatory as part of the onboarding process, with refresher trainings required annually thereafter. Additionally, the Company conducts regular phishing simulation tests throughout the year to keep employees alert, spread awareness and ensure that employees have the knowledge and resources necessary to report suspicious activity.

While the Company has seen attempts to gain access to its systems, and expects such attacks to continue, or possibly intensify in the future, the Company has not experienced any material losses relating to cyber-attacks or other information security breaches as of December 31, 2024. As a protective measure, the Company maintains insurance coverage for cybersecurity incidents experienced by the Company, or by one or more of the Company’s third-party providers, however such insurance coverage may not be sufficient to cover all losses incurred. As of the date of this Report, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. For further discussion surrounding risks from cybersecurity threats, refer to the section captioned “Risks Related to Information Security and Technology” within Part I. Item 1A of this Report.
Company Information
Name | INDEPENDENT BANK CORP |
CIK | 0000776901 |
SIC Description | State Commercial Banks |
Ticker | INDB - Nasdaq |
Category | Large accelerated filer |
Fiscal Year End | December 30 |