CNB FINANCIAL CORP/PA 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

CNB FINANCIAL CORP/PA reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 16:18:32 EST.

Filings

10-K filed on 2024-03-07

CNB FINANCIAL CORP/PA filed a 10-K at 2024-03-07 16:18:32 EST
Accession Number: 0000736772-24-000044


Item 1C. Cybersecurity.

Item 1C. Cybersecurity of this report.

A pandemic, and measures intended to prevent its spread, could have a material adverse effect on our business, results of operations, cash flows, and financial condition. A pandemic, such as the COVID-19 pandemic, and the emergence of new variants could negatively impact the global economy, disrupt financial markets and international trade, and result in varying unemployment levels, all of which could negatively impact our business, results of operations, cash flows, and financial condition. Pandemic outbreaks could lead (and the outbreak of COVID-19 led) governments and other authorities around the world, including federal, state and local authorities in the United States, to impose measures intended to mitigate its spread, including restrictions on freedom of movement and business operations such as issuing guidelines, travel bans, border closings, business closures and quarantine orders.

Our business and financial performance could be adversely affected, directly or indirectly, by terrorist activities, international hostilities or domestic civil unrest. Neither the occurrence nor the potential impact of geopolitical instabilities, terrorist activities, international hostilities or other extraordinary events beyond the Corporation's control can be predicted. However, these occurrences could adversely impact us, for example, by preventing us from conducting our business in the ordinary course. Also, their impact on our borrowers, depositors, other customers, suppliers or other counterparties could result in indirect adverse effects on us. Other indirect adverse consequences from these occurrences could result from impacts to the financial markets, the economy in general or in any region, or key parts of the infrastructure (such as the power grid) on which we and our customers rely. These types of indirect effects, whether specific to our counterparties or more generally applicable, could lead, for example, to an increase in delinquencies, bankruptcies or defaults that could result in the Corporation experiencing higher levels of nonperforming assets, net charge-offs and provisions for credit losses. They could also cause a reduction in demand for lending or other services that we provide.

Risks Related to Legal and Compliance Matters

The Corporation is subject to extensive government regulation and supervision, which may affect its ability to conduct its business and may negatively impact its financial results.

The Corporation, primarily through the Bank and its non-bank subsidiary, is subject to extensive federal and state regulation and supervision. Banking regulations are primarily intended to protect depositors' funds, the Federal Deposit Insurance Fund and the safety and soundness of the banking system as a whole, not stockholders. These regulations affect the Corporation's lending practices, capital structure, investment practices, dividend policy and growth, among other things. Congress and federal regulatory agencies continually review banking laws, regulations and policies for possible changes. Changes to statutes, regulations or regulatory policies, including changes in interpretation or implementation of statutes, regulations or policies, could affect the Corporation in substantial and unpredictable ways. Such changes could subject it to additional costs, limit the types of financial services and products the Corporation may offer, and/or limit the pricing it may charge on certain banking services, among other things. Failure to comply with laws, including the Bank Secrecy Act and USA Patriot Act, regulations or policies could result in sanctions by regulatory agencies, restrictions, civil money penalties and/or reputation damage, which could have a material adverse effect on the Corporation's business, financial condition and results of operations and/or cause the Corporation to lose its financial holding company status. While the Corporation has policies and procedures designed to prevent any such violations, there can be no assurance that such violations will not occur. See the section captioned "Supervision and Regulation" in Part I, Item 1 of this report for further information.

Federal and state governments could pass legislation responsive to current credit conditions which could cause the Corporation to experience higher credit losses.

The Corporation could experience higher credit losses because of federal or state legislation or regulatory action that reduces the amount the Bank's borrowers are otherwise contractually required to pay under existing loan contracts. Also, the Corporation could experience higher credit losses because of federal or state legislation or regulatory action that limits the Bank's ability to foreclose on property or other collateral or makes foreclosure less economically feasible. The Corporation cannot assure you that future legislation will not significantly and adversely impact its ability to collect on its current loans or foreclose on collateral.

General Risk Factors

The Corporation relies on its management and other key personnel, and the loss of any of them may adversely affect its operations.

The Corporation is and will continue to be dependent upon the services of its executive management team. In addition, it will continue to depend on its ability to retain and recruit key client relationship managers. The unexpected loss of services of any key management personnel, or the inability to recruit and retain qualified personnel in the future, could have an adverse effect on its business and financial condition.

The Corporation's risk management framework may not be effective in mitigating risk and loss.

The Corporation maintains an enterprise risk management program that is designed to identify, quantify, monitor, report, and control the risks that it faces. These risks include, but are not limited to: strategic, interest-rate, credit, liquidity, operations, pricing, reputation, compliance, litigation, and cybersecurity. While the Corporation assesses and improves this program on an ongoing basis, there can be no assurance that its approach and framework for risk management and related controls will effectively mitigate all risk and limit losses in its business. If conditions or circumstances arise that expose flaws or gaps in the Corporation's risk-management program, or if its controls break down, the Corporation's results of operations and financial condition may be adversely affected.

ITEM 1B. UNRESOLVED STAFF COMMENTS

None.

ITEM 1C. CYBERSECURITY

Risk Management and Strategy

The Corporation maintains robust processes for assessing, identifying, and managing material risks from cybersecurity threats. The Corporation's cybersecurity program is based on the Federal Financial Institutions Examination Council ("FFIEC") framework, which tailors the National Institute of Standards and Technology ("NIST") Cybersecurity Framework to be more financial services focused. The risk of cybersecurity threats is integrated into its Enterprise Risk Management ("ERM") program, led by the Corporation's Chief Risk Officer. The ERM program includes an annual risk prioritization process to identify key enterprise risks. Each key risk is assigned a risk owner to establish action plans and implement risk mitigation strategies.

The cybersecurity threat risk action plan is managed at the enterprise level by the Chief Information Technology & Security Officer (the "CITSO"), the VP of Information Technology, and the VP of Information Security. Each quarter, the risk owners review and update the cybersecurity threat risk action plan to provide the status on specific risk mitigation actions and to identify new threats. To oversee and identify cybersecurity threat risks on a day-to-day basis, including from third party service providers, the Corporation maintains a third-party security operations center with round-the-clock monitoring, and the CITSO receives regular reports on industry activity. Management also assesses the cybersecurity proficiency of potential third-party suppliers before utilizing their services. The assessment identifies cybersecurity-related risks and makes recommendations to enhance the security of all new computing services. The Corporation reassesses all suppliers on a regular interval.

The Corporation works closely with its internal auditors to assess, identify, and manage cybersecurity risks. In addition, the Corporation engages with third party cybersecurity specialists to provide an independent assessment of the Corporation's cybersecurity programs and to prepare a 3-year plan to maintain compliance and operational excellence. Management periodically reviews the 3-year plan and modifies it in response to changes in the threat landscape or otherwise as needed. Management has not identified risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Corporation, including its business strategy, results of operations or financial condition. See Item 1A. Risk Factors above for more information.

Governance

The Board of Directors is responsible for overseeing the assessment and management of enterprise-level risks that may impact the Corporation. The Audit Committee has primary responsibility for overseeing risk management, including oversight of risks from cybersecurity threats. Management, including the CITSO, reports on cybersecurity matters regularly to the Board, primarily through the Audit and IT Committees, including an annual report regarding specific risks and mitigation efforts within the Bank and a 3-year cybersecurity threat assessment conducted by third party experts. Management provides benchmarking information and updates on key operational and compliance metrics to the Board. In addition, cybersecurity training is provided to the full Board of Directors to educate directors on the current cyber threat environment and measures companies can take to mitigate the risk and impact of cyber attacks.

The Corporation maintains a Cybersecurity Incident Response Plan (the "CSIRP"), which establishes an organizational framework and guidelines intended to facilitate an effective response to and handling of cybersecurity incidents that could jeopardize the availability, integrity, or confidentiality of the Corporation's assets. The CSIRP outlines roles and responsibilities, criteria for measuring the severity of a cybersecurity incident, and an escalation framework, including processes for informing the General Counsel and the Board of Directors of material cybersecurity incidents.

As described above, management is actively involved in assessing and managing the Bank's material cybersecurity risks. The CITSO and the VP of Information Security primarily lead these efforts. The CITSO, who reports directly to the CEO, is responsible for the oversight of the Corporation's IT operation, including the cybersecurity program, and holds a Bachelor of Science degree in Information Technology and Security and a Master of Science in Information Security and Assurance. He also holds 20 industry recognized Technology and Security certifications. The VP of Information Security reports directly to the CITSO and has responsibility for leadership of the Bank's cybersecurity program. He holds a bachelor's degree in mathematics and computer science, as well as several industry recognized information security certifications.


Company Information

Name: CNB FINANCIAL CORP/PA
CIK: 0000736772
SIC Description: State Commercial Banks
Ticker: CCNE - Nasdaq; CCNEP - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 30