BROOKLINE BANCORP INC 10-K Cybersecurity GRC - 2024-03-04

Page last updated on April 11, 2024

BROOKLINE BANCORP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-04 06:53:46 EST.

Filings

10-K filed on 2024-03-04

BROOKLINE BANCORP INC filed an 10-K at 2024-03-04 06:53:46 EST
Accession Number: 0001049782-24-000009

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity As a financial services company, we face cybersecurity risks and threats, and our customers, suppliers, and third-party service providers face cybersecurity risks and threats. As part of the operation of our business, the Company uses, stores, and processes data for our customers, employees, partners, and suppliers. A cybersecurity incident impacting any of these entities could materially adversely affect our operations, performance, or results of operations. In addition, as a financial services company we are subject to extensive regulatory compliance requirements, including those established by the FRB, MDOB, RIDBR, and NYDFS. To address these risks and regulatory requirements, the Company implemented a Cybersecurity Risk Management Program (the Program ) that is designed to identify, assess and mitigate risks from cybersecurity threats to the data and our systems. The Program adheres to regulatory requirements and the tenets of the Federal Financial Institutions Examination Council ( FFIEC ) handbook and the National Institute of Standards and Technology ( NIST ) Cybersecurity Framework ( CSF ). 21 Table of Contents Risk Management Oversight and Governance Our Chief Information Security Officer ( CISO ), assisted by our Information Security team, has primary responsibility for assessing and managing the Program and reporting on cybersecurity matters to the Company s Board of Directors and members of executive management. Our CISO has extensive experience managing information technology systems and information security systems, previously served as the Company s Chief Information Officer, and holds the Certified Information Systems Security Professional ( CISSP ) and Certified Information Security Manager ( CISM ) certifications. Our CISO regularly updates members of executive management on developments surrounding cybersecurity. The CISO reports to the Risk Committee of the Board of Directors and provides regular reports to the Board of Directors and Risk Committee on emerging cybersecurity issues and the Company s cybersecurity infrastructure. Our Program is overseen by the Company s Board of Directors, which has delegated certain responsibilities to the Audit Committee and the Risk Committee. The Chairs of the Audit Committee and Risk Committee, in turn, report to the Board of Directors a summary of the presentations they have received relative to the Program. The Board of Directors oversees management s processes for identifying and mitigating risks, including cyber risks, to assist in the alignment of our risk exposure with our overall strategic business objectives. The Board of Directors has also engaged an experienced information security advisor to assist them with cybersecurity and data privacy oversight responsibilities. This advisor provides the Board of Directors with independent updates on external market cybersecurity threats and emerging risks on a regular basis. The Risk Committee, Audit Committee, and the Board of Directors are active in understanding and evaluating cybersecurity risks. The Risk Committee receives and reviews a quarterly Enterprise Risk Management ( ERM ) report from the Chief Risk Officer that is the cumulation of a process that involves discussions with leaders across the Company and incorporates a number of enterprise risk factors, including those related to cybersecurity threats. The Audit Committee receives the results of internal and external penetration testing as well as any other audits applicable to the Company s information security programs. The Audit Committee actively engages management in discussions surrounding the outcome of these audits. At least annually, the Board of Directors receives a report from the CISO covering the Company s information security program. This report includes a review of enhancements to the Company s programs, a discussion of management s actions to identify and detect threats and planned action steps in the event of an incident, and an overview of employee training and engagement efforts. In addition, separately, on at least an annual basis, the Board of Directors receives updates from the CISO on the Company s Incident Response Plan, which outlines steps to be followed in the event of an incident including detection, mitigation, recovery, and notification (including notification to senior management, the Board of Directors, and functional business areas), and remediation. Cybersecurity Risk Management Program The Program is designed to identify, assess, manage, mitigate, and respond to cyber threats with the goal of preventing cybersecurity incidents to the extent feasible, while also increasing our system resilience to minimize business disruption in the event we experience a cyber event. Our program is structured to be nimble and adaptable to changes in cybersecurity threats over time and to respond to emerging threats in a timely and efficient manner. Our Program consists of a layered cybersecurity approach and is incorporated into our overall ERM program. Our Information Security team, led by our CISO, is responsible for monitoring our information systems for vulnerabilities and mitigating any issues. The Information Security team works collaboratively across the Company to understand the potential impacts of a cybersecurity incident and prioritize mitigation and other measures based on, among other things, the materiality to our business. The Information Security team has established processes designed to monitor threats in the cybersecurity landscape which include interacting with intelligence networks, working with researchers, discussions with peers at other companies, monitoring social media, reviewing government alerts and other news items and attending industry specific security conferences and trainings. The team regularly monitors our internal network and customer-facing network to identify any security issues. In addition, the Company augments the team s monitoring via the engagement of external vendors who provide continuous threat monitoring services of the Company s environment. As part of our assessment of the risks to our Company, the Information Security team conducts annual cybersecurity risk assessments to evaluate the inherent risk of our applications and the strength of our controls, and identify the residual risk for each application. In addition, we conduct regular reviews and testing of critical network and application systems to monitor their security. We have adopted internal Company-wide Information Technology and Information Security policies which are reviewed and updated annually and approved by our Board of Directors. Our employees and the Board of Directors attend annual trainings that are designed to raise awareness about cybersecurity threats, reduce our vulnerability, and encourage consideration of cybersecurity threats across the Company. Additional trainings are required for employees in certain roles; these additional trainings are tailored to the employees specific duties. 22 Table of Contents We regularly review and update our investments in information technology security to identify and protect critical assets, provide monitoring and alerts, and, as needed, engage third-party experts. To assess the effectiveness of our Program, we have engaged consultants to conduct penetration testing and other vulnerability assessments. Additionally, our Internal Audit department and external auditors conduct assessments of different systems to provide the Audit Committee with information on our risk management processes, including cybersecurity risk management. We also test our defenses internally and conduct regular cybersecurity simulations and tabletop exercises with members of executive management present. These tests and assessments provide useful insights into the strengths and weaknesses of our cybersecurity framework. Our cybersecurity framework is designed to protect our customers, employees, investors, and our intellectual property. Before purchasing third-party technology or other solutions that could expose the Company s assets and electronic information, our Information Security and Information Technology teams complete security reviews on the vendors. We also conduct ongoing reviews of cybersecurity risks associated with our third-party service providers. As part of the Company s Vendor Management Program, annual reviews are conducted for certain third-party vendors. Members of our Information Security team work with our Vendor Management team to review System and Organization Controls ( SOC ) 1 or SOC 2 reports. In the event a third-party vendor is unable to provide either a SOC 1 or SOC 2 report, this group conducts additional reviews to assess the cybersecurity preparedness of the specific vendor. This assessment of the risks associated with the use of third-party service providers is part of our overall vendor management and cybersecurity risk management framework. Our Company faces a number of cybersecurity risks in connection with the operation of our business which could have a material adverse effect on our business financial condition, results of operations, cash flows, or reputation. Although, to date, such risks have not materially affected us, we have, from time to time, experienced threats and breaches to our data and systems. For more information about the cybersecurity risks we face, see the risk factors entitled We face continuing and growing security risks to our information base, including the information we maintain relating to our customers . and We rely on other companies to provide key components of our business infrastructure . in Item 1A- Risk Factors.

Company Information