Citizens Community Bancorp Inc. 10-K Cybersecurity GRC - 2024-03-05

Page last updated on April 11, 2024

Citizens Community Bancorp Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-05 16:02:31 EST.

Filings

10-K filed on 2024-03-05

Citizens Community Bancorp Inc. filed an 10-K at 2024-03-05 16:02:31 EST
Accession Number: 0001367859-24-000046

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We maintain an information security program and governance framework that are designed to protect our information systems against operational risks related to cybersecurity. Risk Management and Strategy Cyber risk management is a critical component of our risk management framework. Processes for assessing, identifying, and managing material risks arising from cybersecurity threats are integrated in our policies and procedures, including our enterprise risk appetite, risk assessment, risk treatment, risk acceptance or exceptions, and third party risk management policies. Our cybersecurity program ( Cybersecurity Program ) provides a framework for compliance with applicable cybersecurity and data protection laws. Our program is designed to ensure the security and confidentiality of customer information, protect against known or evolving threats to the security or integrity of customer records and personal information and protect against unauthorized access to or use of such information. We work with our regulators to ensure that these policies are adequately designed to appropriately safeguard personal information. We use a variety of processes and technologies to monitor for and identify cybersecurity threats, including vulnerabilities scans, endpoint and network monitoring software, and email scanning software. We also have a Cyber Incident Response Policy and detailed plans. We conduct annual cybersecurity risk assessments which drive strategic decisions. Employees are required to abide by our cybersecurity and data protection policies. We maintain a corporate cyber risk insurance policy as part of our cybersecurity risk strategy that is reviewed annually. To date, the Company has not experienced a material cybersecurity incident. Governance Cybersecurity and data protection are important for the Company to maintain the trust of our customers, team members and stakeholders. Overseen by the Board of Directors and its Risk Committee, we regularly review, and as appropriate, adapt our Cybersecurity Program to an evolving landscape of emerging threats, evaluate effectiveness of key security controls, and assess cybersecurity best practices. The Chief Information Security Officer ( CISO ) and the Chief Technology Officer ( CTO ) are key management roles responsible for assessing and managing material risks from cybersecurity threats. The CISO reports to the Risk Committee and is responsible for implementing and maintaining our enterprise cybersecurity organization. The CISO will maintain an Incident Response Plan. The CISO ensures that the Incident Response Plan is tested annually and will present testing results to the Risk Committee. The CISO and/or its delegate will share applicable threat information to ensure Board members and staff are informed on the evolving threat environment. The CISO is responsible for ensuring the Board of Directors and staff are trained annually on cybersecurity and information security awareness. Additionally, the CISO ensures staff is adequately trained on Incident Response Plan procedures. The CISO will ensure security incidents are logged and maintained. The CTO provides our Cybersecurity Program with the technical and functional resources to achieve its strategic goals and objectives, and partners and collaborates with the CISO. The Risk Committee is responsible for overseeing the Company s management of cybersecurity risk, including oversight into appropriate risk mitigation, strategies, processes, systems, and controls. The CISO has regular and direct communication with the Risk Committee, providing a written cybersecurity report to the Risk Committee and a written cybersecurity report and briefing to the full Board on an annual basis (more frequently as necessary), in order to inform the Risk Committee of the state of the Company s Cybersecurity Program. These reports cover, but are not limited to, the Company s cybersecurity posture, overall status of the Company s compliance with the Cybersecurity Program, threat environment, material cybersecurity risks and events, Cybersecurity Program improvements and effectiveness, and other material matters related to the Cybersecurity Program. 20

Company Information