First Internet Bancorp 10-K Cybersecurity GRC - 2025-03-12

Page last updated on March 12, 2025

First Internet Bancorp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-12 16:29:49 EDT.

Filings

10-K filed on 2025-03-12

First Internet Bancorp filed a 10-K at 2025-03-12 16:29:49 EDT
Accession Number: 0001562463-25-000022

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We believe that cybersecurity and the protection of data and customer information in our possession, custody or control is of paramount importance to our business. The Company’s information security program is designed to protect the confidentiality, integrity, and availability of our critical systems and information, including customer information. The program is comprised of policies, procedures, and programs, and is informed by and intended to align with the interagency guidance issued by banking regulators as well as the FFIEC Information Security Booklet and Cybersecurity Assessment Tool (the “Information Security Program”). This does not imply that we meet any particular technical standards, specifications, or requirements, but rather that we use the guidance to help us identify, assess, and manage cybersecurity risks relevant to our business. Cybersecurity Risk Management and Strategy Our Information Security Program is integrated into our risk management program and is aligned to the Company’s business strategy and Enterprise Risk Management program. It shares common methodologies, reporting channels and governance processes that apply to other areas of enterprise risk, including legal, compliance, strategic, operational, and financial risk. Key elements of our Information Security Program include: - risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise information technology environment are conducted on at least an annual basis; 20 - internal testing of our security controls and our response to cybersecurity incidents; - the use of external service providers, to assess, test or otherwise assist with aspects of our security controls; - training and awareness programs for all employees that include periodic and ongoing assessments to drive adoption and awareness of cybersecurity processes and controls; - a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; - maintenance and regular testing of a Business Continuity Plan that includes redundant back-up systems for critical functions; - a physical security program that is tested regularly; - obtaining and maintaining cyber insurance; and - a third-party risk management program for service providers, suppliers, and vendors, that provides for the assessment, monitoring and management of cybersecurity risk presented by the Company’s use of such third parties, as well as contractual protections related to cybersecurity incidents affecting third party vendors and service providers . The Company engages in a continuous risk monitoring process that seeks to identify the likelihood and impact of internal and external threats to our information security systems and data, and assesses the sufficiency of the controls in place to mitigate these threats to acceptable levels on a risk-based basis. Incidents are reported to and handled under our Incident Response Policy, which designates an incident response team and includes procedures and processes to identify, assess, respond to, mitigate and report on cybersecurity incidents. The risk and evolving nature of cybersecurity threats, and not a previous cybersecurity incident, has led to the Company to devote significant time and resources to the development and implementation of the Information Security Program described above. Despite our efforts, there can be no assurance that our cybersecurity risk management processes and measures will be fully implemented, complied with, or effective in protecting our systems and information. We face risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect our business strategy, result of operations or financial condition. Please see Part I, Item 1A Risk Factors for further discussion of the risks associated with an interruption or breach in our information systems or infrastructure. Cybersecurity Governance Our Board of Directors keeps apprised of and oversees technology risk and cybersecurity of the Company. The Board receives updates from the Company’s Information Security Officer (“ISO”) on a quarterly basis and receives cybersecurity training on at least an annual basis. While the entire Board receives reporting and receives training, the Board has delegated certain specific responsibility for overseeing cybersecurity threats, among other things, to its Risk Committee . Our ISO and Chief Risk Officer provide the Risk Committee and the Company’s internal Enterprise Risk Management Committee periodic and as needed reports on our cybersecurity risks and cybersecurity incidents, if any. The Risk Committee and the entire Board review and approve the Company’s information security policies and certain other relevant policies on at least an annual basis. Our ISO, who has over twenty-five years of experience in the system, network, and cybersecurity space, is responsible for overseeing and managing the Information Security Program alongside our Chief Information Officer. The Chief Information Officer serves on the Enterprise Risk Management Committee, which is chaired by our Chief Risk Officer. They are supported by our team of technology professionals, who are responsible for information technology security monitoring and for managing the controls designed to identify, detect, protect against, respond to and recover from cybersecurity threats and cybersecurity incidents.

Company Information