0001709442FALSE00017094422023-07-142023-07-14
UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
FORM 8-K
CURRENT REPORT
Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934
Date of Report (date of earliest event reported): July 14, 2023
FIRSTSUN CAPITAL BANCORP
(Exact name of registrant as specified in its charter)
| | | | | | | | |
| Delaware | 333-258176 | 81-4552413 |
(State or other jurisdiction of incorporation or organization) | (Commission File Number) | (I.R.S. Employer Identification Number) |
1400 16th Street, Suite 250
Denver, Colorado 80202
(Address of principal executive offices and zip code)
(303) 831-6704
(Registrant's telephone number, including area code)
Not applicable
(Former name of former address, if changed since last report)
Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:
| | | | | |
☐ | Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425) |
☐ | Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12) |
☐ | Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b)) |
☐ | Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c)) |
| | | | | | | | | | | | | | |
Securities registered pursuant to Section 12(b) of the Act: None |
| | | | |
Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (17 CFR § 230.405) or Rule 12b-2 of the Securities Exchange Act of 1934 (17 CFR § 240.12b-2).
Emerging growth company ☒
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐
Item 8.01 Other Events.
On or about May 31, 2023, software provider, Progress Software Corporation, notified FirstSun Capital Bancorp’s wholly-owned subsidiary, Sunflower Bank, N.A. (the “Bank”) of a zero-day vulnerability in Progress Software’s managed file transfer software MOVEit. Like thousands of other organizations, across many industries, around the world, the Bank utilizes MOVEit for securely transferring sensitive and confidential information and other data, including for its First National 1870 and Guardian Mortgage divisions. The MOVEit software is not part of the Bank’s core processing systems. Instead, the software operates with an on-premises server that is segmented from the Bank’s other IT systems.
Upon receiving notice from MOVEit, the Bank promptly enacted response protocols to address the MOVEit vulnerability and protect the Bank’s data. In addition, a third-party forensic expert was retained, and a comprehensive investigation was launched to determine the nature and scope of the incident.
Since receiving notice of the situation, the Bank has been in regular contact with Progress Software and has implemented all fixes to the software that Progress Software has issued. However, before Progress Software notified the Bank of the vulnerability, we believe that an unauthorized party likely took advantage of the flaw in the MOVEit software and downloaded copies of files from the on-premises server that housed the MOVEit software that contained personally identifiable information. The Bank is working to identify any potentially affected data files. The Bank is also in the process of directly notifying any likely impacted parties based on the findings of the investigation.
We reiterate that the Bank’s core processing systems operate independently from the MOVEit software dedicated server and were not impacted by this matter. There has been no material interruption to the Bank’s business operations as a result of this incident.
The Bank has incurred, and may continue to incur, certain expenses related to this MOVEit incident, including expenses to respond to, remediate and investigate this matter. Further, the Bank remains subject to risks and uncertainties as a result of this incident, including as a result of the data that was accessed. Additionally, these security and privacy incidents have led to, and may continue to lead to, litigation and additional regulatory scrutiny. The Bank is in the process of evaluating the full scope of the costs and impact of the MOVEit incident.
CAUTION REGARDING FORWARD-LOOKING STATEMENTS
This Current Report on Form 8-K may contain certain “forward looking” statements. These forward-looking statements include statements that are not statements of historical fact, may be identified by words such as “anticipates,” “believes,” “continues,” “could,” “impact,” “intends,” “may,” “plans,” “will” or “would,” or the negative of these words and phrases or similar words or phrases, and include, among other things, statements regarding our current beliefs, understanding and expectations regarding the Progress Software vendor incident and the MOVEit vulnerability (the “Vendor Incident”) and its effect on our business, financial condition and results of operations. Forward-looking statements involve known and unknown risks, uncertainties and other factors that may cause our actual results, performance or achievements to be materially different from any future results, performance or achievements anticipated in such statements. Factors that could cause actual results to differ materially from those expressed or implied by the forward-looking statements include legal, reputational, and financial risks, including costs to address these risks, resulting from the Vendor Incident, our ongoing investigation of the Vendor Incident, including FirstSun’s potential discovery of additional information related to the Vendor Incident in connection with its investigation, any potential regulatory inquiries and/or litigation that FirstSun may become subject to in connection with the Vendor Incident, the extent of remediation and other additional costs that FirstSun may incur in connection with the Vendor Incident, the extent of insurance coverage and contractual indemnification to which FirstSun may be entitled, and the risks set forth in our most recent Annual Report on Form 10-K and subsequent Quarterly Reports on Form 10-Q and other reports that are filed with the Securities and Exchange Commission. All forward-looking statements are qualified in their entirety by this cautionary statement.
All forward-looking statements speak only as of the date they are made and are based on information available at that time. FirstSun assumes no obligation to update forward-looking statements to reflect circumstances or events that occur after the date the forward-looking statements were made or to reflect the occurrence of unanticipated events except as required by federal securities laws. As forward-looking statements involve significant risks and uncertainties, caution should be exercised against placing undue reliance on such statements.
SIGNATURE
Pursuant to the requirements of the Securities Exchange Act of 1934, as amended, the Registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.
| | | | | | | | |
| FIRSTSUN CAPITAL BANCORP |
| | |
Date: July 14, 2023 | By: | /s/ Neal E. Arnold |
| Name: | Neal E. Arnold |
| Title: | Chief Executive Officer |