First Guaranty Bancshares, Inc. 10-K Cybersecurity GRC - 2025-03-17

Page last updated on March 17, 2025

First Guaranty Bancshares, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-17 15:14:49 EDT.

Filings

10-K filed on 2025-03-17

First Guaranty Bancshares, Inc. filed a 10-K at 2025-03-17 15:14:49 EDT
Accession Number: 0001408534-25-000015

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C- Cybersecurity First Guaranty and First Guaranty Bank recognize the importance of incorporating cybersecurity in the company’s operations, reputation, and overall risk management frameworks. First Guaranty Bank manages cybersecurity for both the holding company First Guaranty Bancshares, Inc. and the bank subsidiary. The IT Steering Committee (ITSC), while reporting regularly to the full Bank Board of Directors (the “Bank Board”), has been delegated oversight to ensure appropriate cybersecurity risk management for risks that are inherent to our organization. These risk management strategies have been implemented into the organization’s enterprise risk management frameworks and our Internal Audit Plan . This disclosure is intended to inform investors about cybersecurity risks, risk management strategies, and potential impacts on financial conditions and operations in line with SEC guidance. First Guaranty Bank’s Chief Information Security Officer (“CISO”) is primarily responsible for the development, monitoring, and implementation of the Information Security Program. The CISO, through direct interaction with the Chief Information Officer (“CIO”), works to manage cybersecurity risks and provide updates to the Bank Board. The CISO and CIO for First Guaranty Bank have over 30 years of combined cyber security experience and wealth of expertise. The CISO reports quarterly on cybersecurity metrics, key initiatives, and emerging risks that could affect the organization. In accordance with the Graham Leach Bliley Act, the Information Security Program was designed to include administrative, logical, and physical safeguards appropriate for the size and complexity of the organization. First Guaranty’s Information Security program recognizes and is in alignment the Federal Financial Institutions Examination Council (FFIEC) standard for cybersecurity risk management and best practices. First Guaranty assesses cybersecurity risk by identifying reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information, information systems, or bank records. These risks are then classified and prioritized based on their residual risk level. The organization has a board-approved risk appetite of “low.” Any risks with a residual risk above low are escalated to the board for oversight and a mitigation plan is developed to remediate the remaining residual risk. First Guaranty has developed and implemented an Incident Response Plan (IRP). The IRP establishes a framework for the information security team to identify, classify, notify, contain, eradicate, and recover from cybersecurity related incidents. Testing of the IRP is conducted annually. First Guaranty engages third-party services to conduct penetration testing as well as regular evaluations of security protocols and processes. Furthermore, First Guaranty has implemented a vendor risk management program that includes a thorough vendor review and information security assessment of the vendor’s security controls, policies, and procedures prior to onboarding. Ongoing and regular monitoring of third parties is managed through the vendor management, enterprise risk management, Information Security, and internal audit departments. First Guaranty’s Information Security and Learning and Development departments facilitate annual company-wide security awareness training, regular phishing exercises, and provide regular updates across the organization to keep employees informed on ways to mitigate cybersecurity risk. Information Security has developed and distributed a procedure to inform its employees how to escalate potential cybersecurity risks. As of the date of this Form 10-K, the organization is not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect First Guaranty . For more information on how cybersecurity risk may materially affect the organization, please refer to Item 1A Risk Factors. -33-

Company Information