
Cyber Incident Victim: Sunflower Bank

Date: May 2023

Location: United States of America

Summary

Sunflower Bank experienced a data breach due to a zero-day vulnerability in the third-party MOVEit managed file transfer software it utilized. An unauthorized party likely exploited this flaw to access and acquire files containing customer personally identifiable information from the bank's segmented, on-premises server. The bank's core processing systems were not impacted, and it promptly enacted response protocols, retained a forensic expert, and began notifying potentially impacted parties following its investigation.

Description

On or about May 31, 2023, Progress Software Corporation, a software provider, notified Sunflower Bank, N.A., a wholly-owned subsidiary of FirstSun Capital Bancorp, of a zero-day vulnerability within its managed file transfer software, MOVEit. The bank utilized this software, like thousands of other organizations across various global industries, for the secure transfer of sensitive, confidential information, and other data. This usage extended to the bank’s First National 1870 and Guardian Mortgage divisions. The MOVEit application was not integrated into the bank's core processing systems. Instead, it operated on a dedicated, on-premises server that was segmented from the rest of the bank's IT infrastructure, creating a degree of network isolation.

Upon receiving the notification from Progress Software, Sunflower Bank promptly enacted its established response protocols to directly address the identified MOVEit vulnerability and to protect the institution's data. As part of this immediate response, the bank retained a third-party forensic expert to assist in the situation. A comprehensive investigation was launched to determine the precise nature and full scope of the security incident. The bank maintained regular contact with Progress Software throughout this process and implemented all software fixes and patches issued by the vendor to remediate the vulnerability.

The investigation determined that prior to the notification from Progress Software regarding the vulnerability, an unauthorized third party had likely exploited the flaw in the MOVEit software. This exploitation resulted in the actor downloading copies of files from the on-premises server that housed the MOVEit application. These files contained personally identifiable information. The bank’s core processing systems, which operated independently from the segmented MOVEit server, were confirmed not to have been impacted by this incident. Consequently, there was no material interruption to the bank’s standard business operations as a direct result of the security event.

Following the investigation's findings, Sunflower Bank began working to identify all potentially affected data files that were stored on the compromised MOVEit server. The bank initiated a process to directly notify any parties likely impacted based on the evidence uncovered during the forensic review. A public notice was published on the bank's website to inform customers of the third-party data breach, reiterating that the incident was part of a widespread global cybersecurity event. The notice encouraged all customers to take proactive steps to protect their information, such as monitoring financial accounts and credit scores, and considering fraud alerts or credit freezes with the major credit bureaus: Equifax, Experian, and TransUnion. The bank also highlighted existing fraud monitoring tools available to customers, including a fraud text alert program and Credit Sense for personal banking debit cardholders, as well as fraud mitigation services for business customers through Treasury Management services.

The incident led to the bank incurring certain expenses related to its response, remediation efforts, and the investigation. It was acknowledged that the bank may continue to incur additional costs associated with the matter. The accessed data also subjected the bank to ongoing risks and uncertainties. These security and privacy events led to litigation and additional regulatory scrutiny, with the potential for such challenges to continue. The bank was engaged in a process to evaluate the full scope of the costs and impacts resulting from the MOVEit incident. A formal statement regarding the event was included in a Current Report on Form 8-K filed by FirstSun Capital Bancorp with the Securities and Exchange Commission on July 14, 2023. Any required future public updates regarding the incident were to be posted on the bank's dedicated notice page.
