Waterstone Financial, Inc. 10-K Cybersecurity GRC - 2024-03-06

Page last updated on April 11, 2024

Waterstone Financial, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-06 13:07:59 EST.

Filings

10-K filed on 2024-03-06

Waterstone Financial, Inc. filed an 10-K at 2024-03-06 13:07:59 EST
Accession Number: 0001437749-24-006779

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity The Company recognizes the security of our banking operations is critical to protecting our customers, maintaining our reputation and preserving the value of the Company. The Board of Directors, through the Information Technology Steering Committee (ITSC) and Compliance Risk Management Committee (CRMC), provides direction and oversight of the risk management framework of the Company including cybersecurity risks. The ITSC and CRMC establish policies and procedures for the measurement of the effectiveness and efficiency of information security controls related to both design and operations. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on confidentiality, security and availability of the information that the Company collects and stores by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cyber threats when they occur. The Committees have the authority to conduct or authorize reviews into areas within its scope of responsibility, which is all items impacting information security. The Committees focus on the following: Promote effective information technology and information security governance. Critically evaluate and assess the direction and progress of major IT-related projects, IT security decisions, IT priorities, and overall IT and IT security performance. Review and approve significant IT and information security related policies, including annual changes. Review and approve IT and information security risk assessments on an annual basis. Discuss activities and requirements pertaining to the Information Security Program. Oversee requirements of the Bank s Vendor Management Policy, including processes for approving third-party providers including the financial condition, business resilience, and IT security position of third-parties. Ensure risk assessments and New Vendor Relationship Information is completed for all vendor relationships. Review and approve risk assessments for significant, critical vendor relationships on an annual basis. Examine the Bank s Business Continuity and Disaster Recovery Plan, including updates and testing. Provide for comprehensive, effective, and, if required, independent audit coverage of IT risks and controls. Analyze all regulatory examination reports and internal and external audit reports impacting information technology as well as any required responses and/or updates. Assess the performance of the Committee and the Committee s role and responsibilities on an annual basis. Identify, analyze, and determine strategic risk tolerance and/or mitigation direction for compliance risks identified as high and/or those with an increasing risk profile. Review all regulatory examination reports impacting compliance and/or risk as well as any required responses The Company leverages regular assessments to identify current and potential threats and vulnerabilities within the Company s environment. Technical vulnerabilities are identified using automated vulnerability scanning tools, penetration testing, and system management tools, whereas non-technical vulnerabilities are identified via process or procedural reviews. The Company conducts a variety of assessments throughout the year, both internally and through third parties. Vulnerability assessment and penetration tests are performed to provide the Company with an unbiased view of its environment and controls. Vulnerabilities identified during these assessments are inventoried in a centralized tracking system and reported to management on a regular basis. A multi-step approach is applied to identify, report and remediate these vulnerabilities, and the Company adjusts its information security policies, standards, processes and practices as necessary based on the information provided by these assessments. The results of key assessments are reported in summary to the Board of Directors annually. The Board of Directors, through the ITSC and CRMC, provides direction and oversight of the enterprise-wide risk management framework of the Company, including the management of risks arising from cybersecurity threats. The Board of Directors review and approve the Information Security Policy. The Board of Directors receives regular presentations which include updates on cybersecurity risks, including the threat environment, evolving standards, projects and initiatives, vulnerability assessments, third-party and independent reviews, technological trends and information security considerations arising with respect to the Company s peers and third parties. The Board of Directors also receives information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. On an annual basis, the full Board of Directors discusses the Company s approach to cybersecurity risk management with the Company s President. The CIO works collaboratively across the Company to implement a program designed to protect the Company s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company s incident response and recovery plans including an assessment of the potential materiality of any cybersecurity incident. The CIO monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and report such threats and incidents to the ITSC and CRMC. Management, including the CIO, regularly reviews with the Board of Directors the Company s cybersecurity programs, material cybersecurity risks and mitigation strategies and provides updates on notable developments in the cybersecurity threat landscape. Additionally, management follows a risk-based escalation process to notify the Board of Directors outside of the cycle of regular updates when an emerging risk or material issue is identified, such as a potentially significant cybersecurity threat or incident. In 2023, we did not identify any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect the Company, including with respect to our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents, or provide assurances that we have not experienced an undetected cybersecurity threat or incident. To our knowledge, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Corporation, including its business strategy, results of operations or financial condition. With regard to the possible impact of future cybersecurity threats or incidents, see Item 1A, Risk Factors Operational Risks. - 37 -

Company Information