Amalgamated Financial Corp. 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

Amalgamated Financial Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 16:24:50 EST.

Filings

10-K filed on 2024-03-07

Amalgamated Financial Corp. filed an 10-K at 2024-03-07 16:24:50 EST
Accession Number: 0001823608-24-000076

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity The Company s Board recognizes the critical importance of maintaining the trust and confidence of our customers, clients, business partners and employees. The Board is actively involved in oversight of the Company s risk management program, and cybersecurity represents an important component of the Company s overall approach to enterprise risk management ( ERM ). The Company s cybersecurity policies, standards, processes and practices are fully integrated into the Company s ERM program and are based on recognized frameworks established by the National Institute of Standards and Technology, the Federal Financial Institutions Examination Council (the FFIEC ), the International Organization for Standardization and other applicable industry standards and regulations, including regulations promulgated by the NYDFS. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the data and information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. The Company s strategy is informed by determinations of inherent risk and risk maturity level that are made in connection with an independent cybersecurity awareness assessment prepared for the FFIEC. As one of the critical elements of the Company s overall ERM approach, the Company s Information Security Program is focused on the following key areas: Protecting the confidentiality, integrity, and availability of information systems and the nonpublic information stored on them. Identifying risks, defending against unauthorized access, and detecting, responding to, and recovering from cybersecurity incidents. Risk Management, Strategy and Governance Role of Management The Company has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. The Company has also established a governance structure and organization to manage cybersecurity risk. This includes escalation and reporting of cybersecurity incidents through the Chief Risk Officer s organization to an Executive Response Team and the Board, and periodic reporting on the Information Security Program to the Information Cyber Security Subcommittee of the Enterprise Risk Management Committee, an executive committee that oversees the Information Security Program, and the Enterprise Risk Oversight Committee (the EROC ), the Board committee that oversees the ERM framework. The Chief Information Security Officer ( CISO ), under the supervision of the Company s Chief Risk Officer ( CRO ) in coordination with the Company s executive team, which includes our CEO, CFO, Chief Technology Officer ( CTO ) and Chief Legal Officer ( CLO ), works collaboratively across the Company to implement the Information Security Program, which is designed to protect the Company s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company s incident response and recovery plans. The CISO coordinates all aspects of the Information Security Program and presents a report on the Information Security Program to the Information Cyber Security Subcommittee on a quarterly basis so that the Subcommittee is made aware of a wide range of topics including recent developments in the Information Security Program, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company s peers and third parties. In the absence of a permanent CISO at December 31, 2023, the Company contracted an interim CISO who previously had served as the Company’s interim CTO from July of 2022 through October of 2023. Additionally this contractor served in various roles in information technology and information security for over 25 years, including serving as the Chief Information Officer and Chief 48 Technology Officer of two large public financial services companies. The interim CISO has also performed Information Security leadership roles in two technology companies assessing and managing cyber risk on large amounts of data. The current CTO holds an undergraduate degree in computer science and a master s degree in business administration. and has served in various roles in information technology for over 30 years, including serving as either the Chief Technology Officer or Chief Information Officer of four public companies. Role of the Board of Directors The Board s oversight of cybersecurity risk management is supported by the EROC, which regularly interacts with the Company s ERM function and the CISO. The EROC oversees the Company s ERM process, including the management of risks arising from cybersecurity threats. The EROC receives regular presentations and reports on the Information Security Program, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company s peers and third parties. The EROC receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. Although we have not historically experienced significant cybersecurity incidents, we and other banks are subject to attacks of increasing frequency and sophistication. Any significant breach, interruption or failure of our information systems could adversely affect our business operations and our financial condition, operating results and liquidity. Technical Safeguards The Company deploys technical safeguards that are designed to protect Company s data and information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. The Company engages in the periodic assessment and testing of the Company s policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing, stress testing based on top cyberattack scenarios and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning and by leveraging the Federal Reserve Bank of New York methodology for cyber risk ( FFIEC CyberSecurity Assessment Tool ). The Company regularly engages third parties to perform independent assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the EROC, and the Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews. Incident Response and Recovery Planning The Company has established and maintains comprehensive incident response and recovery plans that fully address the Company s timely and effective response to a cybersecurity incident, and such plans are tested and evaluated on a regular basis. Multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and reports such threats and incidents to the Executive Response Team of the Company and as guided by the Company s Chief Risk Officer, to the Risk Committee when appropriate. The Company s Security Incident Response Team ( SIRT ) structure includes an Executive Response Team ( ERT ). The ERT is composed of all members of the Executive Management Team, the Head of Business Continuity Management, and the CISO (if the incident is due to a cyber breach), and it oversees a Management Response Team ( MRT ). In the event of a security incident, the Company s designated Response Coordinator, who is the Information Security Manager or the CISO s designee, shall investigate the reported security incident and assign an initial severity level. They will gather initial facts about the security incident, analyze information it has received, identify those entities affected by the security incident, assess the preliminary severity and extent of the damage (which can be financial or reputational). If the severity is assessed as Low or Medium in accordance with criteria identified in the incident response and recovery plans, the Response Coordinator will report the incident to the CISO and complete the remediation actions for the cybersecurity incident and 49 report the final outcome to the CISO. The CISO will report to the ERT remediation of Low or Medium cybersecurity incidents at least on a quarterly basis. If the cybersecurity incident is classified as a High, or at the Response Coordinator s discretion, the Response Coordinator will report the cybersecurity incident to the CISO and promptly convene the ERT. The ERT will determine the appropriate steps necessary to respond to the cybersecurity incident and oversee the MRT s execution of the response. The ERT will determine whether the cybersecurity incident needs to be escalated to the Board. Third-Party Risk Management The Company s Vendor Management Program provides a risk-based approach to the assessment, measurement, monitoring, and control of risks related to third parties with whom the Company does business, including vendors, service providers and other external users of Company s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. In particular, the Company confirms that new and existing service providers are implementing appropriate measures to protect customer information and customer information systems in conformance with the Company s requirements. Education and Awareness Through its Information Security Awareness Program, the Company provides regular, mandatory training regarding cybersecurity threats as a means to equip the Company s personnel with effective tools to address cybersecurity threats, and to communicate the Company s evolving information security policies, standards, processes and effective practices.

Company Information