Investar Holding Corp 10-K Cybersecurity GRC - 2025-03-12

Page last updated on March 12, 2025

Investar Holding Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-12 15:05:09 EDT.

Filings

10-K filed on 2025-03-12

Investar Holding Corp filed a 10-K at 2025-03-12 15:05:09 EDT
Accession Number: 0001437749-25-007226


Item 1C. Cybersecurity.

The Company’s IS Program is comprised of five pillars: the Information Security Policy, the Enterprise Information Security Risk Assessment, the Incident Response Plan, a formalized Security Awareness Campaign, and an enterprise monitoring and reporting program.

- The Information Security Policy contains numerous distinct administrative and technical controls that govern data security for the organization and is based on the NIST Cybersecurity Framework. The policy is reviewed and approved by the Board annually.
- The Enterprise Information Security Risk Assessment quantifies risk criteria utilizing the same impact measures, including financial, strategic, operational, and reputational, set forth by the Enterprise Risk Committee. The risk assessment is reviewed and approved by the Board annually. The Enterprise Risk Committee includes members of management from various departments and members of the Board and oversees the overall risk management of the Company. The Enterprise Risk Committee meets as often as appropriate to perform its responsibilities, but no less than once per calendar quarter, and reports findings and provides recommendations to the Board on a routine basis.
- The IRP includes procedures for responding to actual or potential cybersecurity incidents, including providing timely notice to customers and our bank regulatory agencies when appropriate. The IRP is based on the NIST Cybersecurity Framework. The plan is tested annually through tabletop exercises.
- The Security Awareness Campaign is designed with the goal that employees are educated on policy, threats, and best practices from onboarding and throughout their tenure at the Company. This effort includes an onboarding training program, annual attestation and training, and weekly communication designed to help instill in employees a security mindset through repetition.
- The Company maintains an enterprise monitoring and reporting program, which identifies key risk indicators for tracking and identifying trends. The key risk indicators are presented to the Company’s IT Committee and the Board on a monthly basis.

The IS Program is monitored each year through various internal and external audits, as well as OCC regulatory exams. Vulnerability and penetration testing are also conducted at least annually by an independent third party to supplement the vulnerability and patching program routinely performed by internal staff. Third-party vendors supplement the Company’s internal patching program as necessary. The Company also utilizes a third-party “SOC as a Service” to monitor extended detection and response logs and network traffic. Third-party service provider risk is evaluated prior to and throughout the relationship. Third-party service providers must meet a minimum set of baseline security standards prior to being onboarded. During onboarding, the third party and the services they provide are added to the Information Security Risk Assessment, including consideration of inherent risk factors and mitigating controls. Alternative vendors and the effort to transition between vendors are identified during onboarding as well as in the event that the selected provider may fail in providing contracted services at any time. After a third party is onboarded, they are subject to the annual third-party risk management program, specific to their assigned risk criticality. This effort includes the review of service organization controls reports, business continuity and disaster recovery efforts, insurance certificates, and other compliance related concerns when applicable. We have not experienced any cybersecurity incidents that have materially affected our Company, including our business, strategy, results of operations or financial condition.
For a discussion of how risks from cybersecurity threats may be reasonably likely to materially affect us, refer to Item 1A. Risk Factors - Risks Related to our Business - “We rely on information technology and telecommunications systems, many of which are provided by third-party vendors” and “Cyberattacks or other security breaches could adversely affect our operations, net income or reputation,” incorporated by reference into this Item 1C.

Governance

The Board is responsible for oversight of risks from cybersecurity threats. Oversight of cybersecurity risk management is performed primarily by the Board and the IT Committee. The IT Committee’s primary purpose is to assist the Board in its oversight of technology and innovation strategies, plans and operations related to cybersecurity, data privacy, and third-party technology risk management. Of the IT Committee members who are not Board members, only our CIO and CISO are responsible for assessing and managing cybersecurity risks, and the other committee members are responsible for oversight. The CISO provides monthly information security reports to the Board and IT Committee on cybersecurity programs, policies and controls, key risk indicators and trends including responses to any cybersecurity events, and efforts to improve security. Annually, the CISO provides security training to the Board. The CISO also provides the Board with an annual Information Security Program Summary Report in compliance with federal banking guidelines. The IS Program is managed by the CISO, who reports to the Chief Operations Officer, and is reviewed by regulators as well as internal auditors. An information security analyst reports to the CISO and performs security and assurance functions daily. The CIO and information technology staff support the CISO in cybersecurity operations as necessary to mitigate risks to the Company’s technology infrastructure.
The CISO holds two cybersecurity industry leading certifications (Certified Information Systems Security Professional and Certified Cloud Security Professional) and has more than 20 years of technology experience. The CIO has been in the information technology field for over 30 years and at various points held the following certifications: Cisco Certified Internetwork Expert, Cisco Certified Network Professional, Cisco Certified Voice Professional, Cisco Certified Design Professional, and Microsoft Certified Systems Engineer. The information security analyst has over five years of experience and holds ISC2’s “Certified in Cybersecurity” certification. Information technology staff are generally subject to professional education, experience, and certification requirements, and receive education and mentoring from the CISO and CIO.

Company Information

Name: Investar Holding Corp
CIK: 0001602658
SIC Description: State Commercial Banks
Ticker: ISTR - Nasdaq
Website:
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: December 30