STI 2018 Annual Report

business operations. We use a wide array of techniques to secure our operations and proprietary information such as Board approved policies and programs, network monitoring, access controls, and dedicated security personnel, as well as consultation with third party data security experts. To control cybersecurity risk, we maintain an active information security program that is designed to conform with FFIEC guidance. This information security program is designed to mitigate operational risks and is overseen by executive management, the Board, and our independent audit function. This program continually monitors and evaluates threats, events, and the performance of our business operations and continually adapts and modifies its risk mitigation activities accordingly. We also utilize appropriate cybersecurity insurance that controls against certain losses, expenses, and damages associated with cyber risk. In addition, our Board devotes significant time and attention to oversight of cybersecurity risk. Further, we have adopted the National Institute of Standards and Technology's Cybersecurity Framework ("CSF") and perform periodic assessments against the framework to measure cybersecurity maturity. We also fully participate in the federally recognized financial sector information sharing organization structure, known as the Financial Services Information Sharing and Analysis Center. Digital technology is constantly evolving, and new and unforeseen threats and actions by others may disrupt operations or result in losses beyond our risk control thresholds. Although we invest substantial time and resources to manage and reduce cyber risk, it is not possible to completely eliminate this risk. Our BRC reviews and approves policies relating to enterprise technology risk, business continuity management, information security, and enterprise data quality governance. The BRC also reviews and approves key technology risks and associated action plans.
To ensure the integrity of our crisis management program, routine testing simulations are utilized to validate the viability of our plans. These ongoing tests are designed to provide assurance that our action plans are effective, valuable, and usable in the event of a significant business disruption. Crisis exercises are scenario-driven exercises that simulate impacts and consequences. Scenarios are developed through analysis of technology incidents, known cyber threats, internal stakeholder input, and industry trends. We maintain an information security education and awareness program to provide consistent messaging to all users that may require access to our information about the need to maintain the security and privacy of that information. All users (i.e., full-time teammates, contractors, third parties, etc.) must complete this training before being granted access to our information systems. The content of the training program is reviewed annually to ensure that it addresses the current needs of our organization. In addition, communications to teammates through our intranet site, newsletters, email broadcasts, and targeted emails to select teammates, as necessary, foster awareness of information security risks. See Item 1A, “Risk Factors,” in this Form 10-K for additional information regarding the risks associated with a failure or breach of our operational systems or infrastructure, including as a result of cyber-attacks.

Market Risk Management

Market risk refers to potential losses arising from changes in interest rates, foreign exchange rates, equity prices, commodity prices, and other relevant market rates or prices. Interest rate risk, defined as the exposure of net interest income and MVE to changes in interest rates, is our primary market risk and mainly arises from changes in the structure and composition of our balance sheet.
Variable rate loans, prior to any hedging related actions, were approximately 57% of total loans at December 31, 2018, and after giving consideration to hedging related actions, were approximately 50% of total loans. Less than 5% of our variable rate loans at December 31, 2018 had coupon rates that were equal to a contractually specified interest rate floor. In addition to balance sheet related interest rate risk, we are also exposed to market risk in our trading portfolios and other financial instruments measured at fair value. Our ALCO meets regularly and is responsible for reviewing our ALM and liquidity risk position in conformance with the established policies and limits designed to measure, monitor, and control market risk.

Market Risk from Non-Trading Activities

The primary goal of interest rate risk management is to control exposure to interest rate risk within policy limits approved by the Board. These limits reflect our appetite for interest rate risk over both short-term and long-term horizons. No limit breaches occurred during the year ended December 31, 2018. The major sources of our non-trading interest rate risk are timing differences in the maturity and repricing characteristics of assets and liabilities, changes in the absolute level and shape of the yield curve, as well as the embedded optionality in our products and related customer behavior. We measure these risks and their impact by identifying and quantifying exposures through the use of sophisticated simulation and valuation models, which, as described in additional detail below, are employed by management to understand net interest income sensitivity and MVE sensitivity. These measures show that our interest rate risk profile is modestly asset sensitive at December 31, 2018. MVE and net interest income sensitivity are complementary interest rate risk metrics and should be viewed together.
Net interest income sensitivity captures asset and liability repricing differences over one year and is considered a shorter term measure. MVE sensitivity captures the change in the discounted net present value of all on- and off-balance sheet items and is considered a longer term measure. Positive net interest income sensitivity in a rising rate environment indicates that over the forecast horizon of one year, asset based interest income will increase more quickly than liability based interest expense. A negative MVE sensitivity in a rising rate environment indicates that the value of financial assets will decrease more than the value of financial liabilities. One of the primary methods that we use to quantify and manage interest rate risk is simulation analysis, which we use to model net interest income from assets, liabilities, and derivative positions under various interest rate scenarios and balance sheet structures. We measure the sensitivity of net interest income over a one-year time horizon, as reflected in Table 21, as well as for multi-year time horizons. Key assumptions in this form of simulation analysis (and in the valuation analysis discussed below) relate to the behavior of interest rates and spreads, the
