Eagle Bancorp Montana, Inc. 10-K Cybersecurity GRC - 2024-03-06

Page last updated on April 11, 2024

Eagle Bancorp Montana, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-06 16:03:40 EST.

Filings

10-K filed on 2024-03-06

Eagle Bancorp Montana, Inc. filed a 10-K at 2024-03-06 16:03:40 EST
Accession Number: 0001437749-24-006812


Item 1C. Cybersecurity.

Cyber criminals are becoming more sophisticated and effective every day, and they are increasingly targeting financial institutions. We recognize the critical importance of maintaining the safety and security of our systems and data and employ a multi-layered strategy for overseeing and managing cybersecurity and related risks. Our board of directors (the Board) and our management are actively involved in the oversight of our risk management program, of which cybersecurity represents an important component. As described in more detail below, we have established policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats. We have devoted significant financial and personnel resources to implement and maintain security measures to meet regulatory requirements and customer expectations, and we intend to continue to make significant investments to maintain the security of our data and cybersecurity infrastructure. There can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective. We believe we have not experienced any cybersecurity incidents that have materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations, or financial condition.

Risk Management and Strategy

Our policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management program and are based on frameworks established by the National Institute of Standards and Technology (NIST), the Federal Financial Institutions Examination Council (FFIEC), and other applicable industry standards. Our cybersecurity program in particular focuses on the following key areas:

Collaboration

Our cybersecurity risks are identified and addressed through a comprehensive, cross-functional approach. Key security, risk, and compliance stakeholders meet regularly to develop strategies for preserving the confidentiality, integrity and availability of Company and customer information, identifying, preventing, and mitigating cybersecurity threats, and effectively responding to cybersecurity incidents. We maintain controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the Board in a timely manner.

Risk Assessment

At least annually, we conduct a cybersecurity risk assessment using the FFIEC Cybersecurity Assessment Tool that considers information from internal stakeholders, known information security vulnerabilities, and information from external sources (e.g., reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants). The results of the assessment are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes, and inform a broader enterprise-level risk assessment that is presented to our Board, Audit Committee, and members of management.

Technical Safeguards

We regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence, and incident response experience.

Multi-Layered Defense and Continuous Monitoring - We work to protect our computing environments and products from cybersecurity threats through multi-layered defenses and apply lessons learned from our defense and monitoring efforts to help prevent future attacks. We utilize data analytics to detect anomalies and search for cyber threats. We use a third-party Managed Security Service Provider (MSSP) to provide comprehensive cyber threat detection and response capabilities and maintain a 24x7 monitoring system which complements the technology, processes, and threat detection techniques we use to monitor, manage, and mitigate cybersecurity threats. At least annually, we engage third party consultants or auditors to assist in assessing, identifying and/or managing cybersecurity threats.

Information Sharing and Collaboration - We work with government, customer, industry and/or supplier partners, such as the Financial Services Information Sharing and Analysis Center and other government-industry partnerships, to gather and develop best practices and share information to address cyber threats. These relationships enable the rapid sharing of threat and vulnerability mitigation information across the defense industrial base and supply chain.

Training and Awareness - We provide awareness training to our employees to help identify, avoid, and mitigate cybersecurity threats. Our employees participate quarterly in required training, including privacy, phishing, and other awareness training. We also periodically host tabletop exercises with management and other employees to practice rapid cyber incident response.

Third-Party Service Provider Management

We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate.

Incident Response and Recovery Planning

We have established comprehensive incident response and recovery plans and continue to regularly test and evaluate the effectiveness of those plans. Our incident response and recovery plans address and guide our employees, management, and the Board on our response to a cybersecurity incident.

External Assessments

Our cybersecurity policies, standards, processes, and practices are regularly assessed by external auditors and regulatory examiners. These assessments include a variety of activities including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of significant assessments are reported to management, the Board and Audit Committee. Cybersecurity processes are adjusted based on the information provided from these assessments.

Governance

Board Oversight

Our Board of Directors has ultimate oversight of cybersecurity risk, which it manages as part of our enterprise risk management program. The Board receives regular reports from our Vice President Director of Information Security on various cybersecurity efforts, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance. In addition, we have an escalation process in place to inform senior management and the Board of Directors of material issues.

Management's Role

Our cybersecurity program is coordinated by our Vice President Director of Information Security, who reports to our Senior Vice President Chief Risk Officer and Chief Administrative Officer, in partnership with our Director of Information Systems and Technology ("IS&T"). Our Director of Information Security started with us in 2012 and holds numerous credentials including: Certified Information Systems Security Professional, Certified Public Accountant, and Certified Fraud Examiner. The Director of Information Security is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from the IS&T team and our Managed Services Provider, who is overseen by the Director of IS&T. The Director of IS&T started with us in 2020, holds a Bachelor of Science in Business Administration, Information Technology and has over 14 years of direct experience managing information systems and technology. The Director of IS&T is responsible for implementing and maintaining the systems and tools to protect the technology stack we use. The Director of IS&T reports to the Senior Vice President, Chief Operating Officer.


Company Information

Name: Eagle Bancorp Montana, Inc.
CIK: 0001478454
SIC Description: State Commercial Banks
Ticker: EBMT - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30