BOK Financial is committed to safeguarding company and client information through appropriate levels of protection integrated into all lines of business, support functions and third-party relationships. The company’s cybersecurity program is overseen by the Risk Committee of the Board, which is responsible for ensuring the program is well resourced and able to protect the security and confidentiality of our data and that of our clients. The program is managed by the Chief Information Security Officer (CISO) who reports to the Chief Risk Officer and is reviewed by regulators, as well as internal and external auditors. The CISO provides quarterly information security updates to the Risk Committee as well as the company’s executive-level Risk Council on cybersecurity programs, policies and controls; efforts to improve security; and responses to cybersecurity events.
Each employee and contractor is responsible for the security and confidentiality of company and client information. This expectation is communicated at onboarding and through required annual data security and privacy training, frequent internal publications, and annual employee attestations to the company’s Standards of Conduct.
BOK Financial regularly conducts risk assessments to evaluate internal controls implemented to prevent and detect data breaches. These controls are aligned with ISO (International Organization for Standardization) 27001:2013 and the NIST (National Institute of Standards and Technology) Cybersecurity Framework and are frequently monitored to ensure their effectiveness. Vulnerability and penetration assessments are also conducted at least annually by an independent third party.
In addition to a strong set of internal controls, the company has implemented a robust due diligence process for third-party providers prior to executing an agreement. Risk assessments include evaluating the third party’s security posture through intelligence feeds, Service Organization Controls (SOC) reports, ISO certifications and self-attestation questionnaires. Third parties processing customer data are contractually required to meet all legal obligations for protecting against anticipated security threats to customer data, protecting against unauthorized access to customer data, and ensuring proper disposal of customer data. After contract execution, third parties are continuously monitored to ensure they continue to meet their security obligations.
Intelligent endpoint technologies have been implemented to detect and respond to indicators of malicious behavior before an incident ever takes place; however, should a cybersecurity incident occur, the company has clearly defined incident response procedures for ensuring that proper notification and reporting are made to the appropriate parties. These include legal and regulatory reporting requirements as well as notifications to impacted customers.
The company collaborates with peer financial institutions, local universities, threat intelligence organizations, third-party partners, law enforcement and our clients to share tactical threat intelligence and best practices in protecting against emerging threats.
Standards of Conduct
The Audit Committee of the Board of Directors annually reviews and approves the company’s Standards of Conduct, on which employees are trained annually and to which they attest. Each member of the Board of Directors takes an annual Oath of Office prescribed by the Office of the Comptroller of the Currency (OCC) and is bound by the company’s Code of Ethics.
The company’s annual proxy statement identifies responsibilities of board committees including the company’s capital planning process.
The company’s 10-K reviews a wide array of company performance factors, including any monetary losses as a result of legal proceedings associated with fraud, insider trading, anti-trust, anti-competitive behavior, market manipulation, malpractice, or other related financial industry laws or regulations.