Corporate Governance
Our Board, through the Risk Committee, is actively engaged in the oversight of our Information Security Program. The Risk Committee oversees our Information Security Program, including management’s actions to identify and evaluate material cyber vulnerabilities, threats, and risks as well as the development and implementation of mitigating and remediating actions.
Our Chief Information Security Officer (“CISO”) presents quarterly reports to the Risk Committee regarding our information security program, including relevant information on key risk and performance indicators related to cybersecurity matters as well as significant cybersecurity and privacy events. In addition, our information security risk profile is presented to the Risk Committee on a semi-annual basis.
Our CISO belongs to our risk management unit and reports directly to the Chief Risk Officer, who, in turn, reports directly to our Chairman and Chief Executive Officer. Several management committees, including our Executive Management Committee, manage our information security program and meet periodically to review and discuss information security matters. In general, summaries of key matters discussed are reported to the Risk Committee.
Our Information Security Program is structured and aligned with the Federal Financial Institutions Examination Council (“FFIEC”) guidelines for information security, regulatory guidance, and other industry standards. To promote the continued effectiveness of our information security program, we periodically conduct risk assessments, complete audits and tests, participate in industry associations, and review information from threat intelligence feeds. Our CISO and relevant members of his team maintain collaborative relationships with peer banks and policymakers.
We leverage knowledge, people, processes, and technology to develop, implement, manage, and maintain cybersecurity controls. Our Information Security Program employs several detective and defensive tools designed to monitor, alert, and block suspicious activity, as well as to identify, report and address any suspected advanced persistent threats.
Our Information Security Program also continuously promotes cybersecurity awareness and culture across the organization, including regular education and training, testing and tabletop exercises. Our systems, processes, procedures, and controls are reviewed periodically by internal and external auditors, and Federal bank examiners to assess design and operating effectiveness. We also maintain information security risk insurance coverage.
We have also developed an enterprise-wide vendor management and third-party risk management program designed to identify, assess, and manage information security, operational and technology risks associated with third-party vendors. We have also developed an incident response plan that provides a documented procedure to respond to and address cybersecurity incidents, including notification of the Risk Committee. The incident response plan provides for the interaction and coordination of executive, strategic and tactical teams, depending on the severity level of the incident, aimed at facilitating coordination across multiple units and departments of the Company. The incident response plan is tested at least annually.
Risks and exposures related to cybersecurity attacks, including litigation and enforcement risks, are expected to be elevated for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of Internet banking, mobile banking and other technology-based products and services by us and our customers. See Item 1A. Risk Factors in our Annual Report on Form 10-K for the year ended December 31, 2022 for a further discussion of risks related to cybersecurity.
Environmental, Social and Governance
Amerant has a long and proud history of community involvement and engagement. In 2021, we launched our environmental, social, and governance (“ESG”) program and formalized our ESG framework to identify opportunities that can make a positive impact on sustainability, in the short term and over the long term. We conducted extensive research and considered ideas from a diverse group of stakeholders, including customers, Amerant team members, investors, and community leaders. We also analyzed our operations and defined five areas of focus as pillars for our ESG program, and set specific goals, metrics and targets that will allow us to measure our progress along the way. In 2022, we established a sustainability unit and appointed a Head of Sustainability. We advanced our program and created “Impact”, the brand identity of our ESG program that aims to tell a story of what Amerant means to do and accomplish as a community bank. We want to create social and environmental value for our people, communities, and customers. With our “Impact” program, we have a framework to identify opportunities that can make a positive impact in everything that we do through our operations, products, and services.