Northfield Bancorp, Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Northfield Bancorp, Inc. reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-02-29 16:13:42 EST.

Filings

10-K filed on 2024-02-29

Northfield Bancorp, Inc. filed a 10-K at 2024-02-29 16:13:42 EST
Accession Number: 0001493225-24-000059


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Our Cybersecurity Risk Management program is an integrated component of the Enterprise Risk Management strategy intended to protect the confidentiality, integrity and availability of our critical systems and information. We design and assess our program based on industry standards such as the National Institute of Standards and Technology Cybersecurity Framework and the Center for Internet Security Controls. This does not imply that we meet any particular technical standards, specifications, or requirements, but rather that we use these standards as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity risk management program is aligned with the Company's business strategy. It shares common methodologies, reporting channels and governance processes that apply to other areas of enterprise risk, including legal, compliance, strategic, operational, and financial risks.
Key elements of our cybersecurity risk management program include:

- implementation of policies and procedures in the areas of Information Security, Business Continuity, Disaster Recovery, Privacy, Third-Party Service Provider Risk Management, and Incident Response;
- risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise information technology environment;
- an independent second line function, the Information Security Department, which is principally responsible for managing our cybersecurity risk assessment processes, testing and monitoring of our security controls, and our response to cybersecurity incidents;
- the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls, including but not limited to penetration testing;
- training and awareness programs for Information Security Department members that include periodic and ongoing assessments to drive adoption and awareness of cybersecurity processes and controls;
- cybersecurity awareness training throughout the year for all employees, covering confidential information protection and simulated phishing attacks, and interactive training modules for all directors;
- membership with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and annual participation in the Cyber Attacks against Payment Systems (CAPS) exercises;
- reporting of cybersecurity metrics and other risk management matters to both management level committees and the CIT Committee;
- a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
- a third-party risk management process for service providers, suppliers and vendors that analyses, monitors, reports, and mitigates cyber risks associated with third-party vendors, suppliers, and service providers.
In the last three fiscal years, the Company has not experienced any cybersecurity incident that has materially affected or is reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition, and any expenses incurred from cybersecurity incidents have been immaterial. For a discussion of whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, refer to Item 1A. Risk Factors, "Risks Related to Operational Matters."

Cybersecurity Governance

The Board of Directors established its CIT Committee with specific responsibilities for overseeing cybersecurity threats, among other things. Our Chief Information Security Officer provides the CIT Committee with periodic reports on our cybersecurity risks and any material cybersecurity incidents. The CIT Committee retains an independent external cybersecurity consultant who regularly attends all CIT Committee meetings and reports directly to the CIT Committee Chair. In addition, the Chief Information Security Officer provides periodic training and reports to our Board of Directors.

Northfield Bank maintains an Information and Cybersecurity Program under the leadership of our Chief Risk Officer, the Chief Information Officer, and the Chief Information Security Officer, with timely Board oversight for identifying and mitigating information security risks. The Information Security Department is primarily responsible for identifying, assessing and managing material risks from cybersecurity threats and overseeing cybersecurity vendors. The Information Security Department is led by our Chief Information Security Officer ("CISO").
Our immediate past CISO had over 15 years of experience in the cybersecurity space and has obtained professional security certifications and advanced training in the field of cybersecurity and technology. Northfield Bank is currently onboarding a new CISO, who comes to us from a money center bank and has a similar background. Our Chief Information Security Officer and our Chief Information Officer, along with key members of their departments, regularly collaborate with peer institutions, industry groups, and policymakers to discuss cybersecurity trends and issues and identify best practices. The information security program is periodically reviewed by such personnel with the goal of addressing changing threats and conditions. Our internal audit team, led by our Chief Internal Auditor, provides independent assurance and evaluation of processes, controls and cybersecurity risk management practices to ensure they are adequate and functioning as intended. The Information Security Department also monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through various means, which may include briefings with internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in the information technology environment.


Company Information

Name: Northfield Bancorp, Inc.
CIK: 0001493225
SIC Description: Savings Institution, Federally Chartered
Ticker: NFBK - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30