HarborOne Bancorp, Inc. 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

HarborOne Bancorp, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 17:08:04 EST.

Filings

10-K filed on 2024-03-07

HarborOne Bancorp, Inc. filed an 10-K at 2024-03-07 17:08:04 EST
Accession Number: 0001558370-24-002743

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Introduction: Our business operations rely on the secure collection, storage, transmission, and other processing of confidential and sensitive data through our information systems. In addition, as a financial services company, we are subject to extensive regulatory compliance requirements concerning the treatment of such data. To ensure the security, confidentiality, integrity, and availability of our information systems, we have implemented a comprehensive cybersecurity risk management program (the Information Security Program ). The program is designed to identify, assess, manage, and mitigate risks and secure Company and customer information against threats. This is achieved through monitoring, threat management strategies, policies and procedures, security awareness, oversight, and governance. Risk Management Oversight and Governance : The Chief Risk Officer ( CRO ) and Chief Information Security Officer ( CISO ) provide direct oversight and management of the cybersecurity risk management program. The CISO and the Information Security team assess and manage the day-to-day cybersecurity and threat management programs. Our CISO has more than 20 years of relevant experience in leading and building risk management and cybersecurity programs. Our CISO maintains the following credentials: Certified Information Systems Auditor and 31 Table of Contents Certification in Risk Management Assurance. The CRO and CISO report periodically on important updates related to the Information Security Program and threat landscape to the Board of Directors and its designated committee with responsibility for oversight of risk management. There are also several Management committees that are responsible for oversight of the Information Security Program. These include: Information Security Committee; and Risk Management Committee. The Information Security Committee ( ISC ) is chaired by the CISO and is responsible for overseeing cybersecurity risk, including information security policies and procedures, information security audits, social engineering testing, vulnerability management, penetration testing, information security projects, business continuity, incident response planning, and current threats and security advisories related to the bank s information systems and data assets. The ISC members include the CRO, Chief Information Officer, and General Counsel, with broader attendance from representatives of Risk Management, Technology, Operations, Internal Audit, and Retail. The ISC, in turn, provides a summary update and points of escalation to the Risk Management Committee ( RMC ), who is chaired by the CRO. The RMC serves as the primary Management committee in fulfilling enterprise risk management oversight responsibilities, including cybersecurity risk. The RMC provides quarterly updates to the Audit Committee. The Board of Directors holds oversight responsibility over the Company s risk management program, including material risks related to cybersecurity threats. This oversight may be executed directly by the Board of Directors or through its committees. The Board of Directors has delegated oversight of Risk Management to the Audit Committee of the Board of Directors. The Audit Committee engages in regular discussions with Management regarding the Company s risk exposures and the measures implemented to monitor and control these risks, including those that may result from material cybersecurity threats. These discussions include evaluating current trends, internal risk assessments, and risk management policies. Annually, a comprehensive report on the state of the Information Security Program, including cybersecurity risk management, is provided to the Board of Directors by the CRO and CISO. This report includes: Risk assessment results; Third- and fourth-party vendor oversight; Results of security monitoring and testing; Security incidents or violations (if applicable); Material changes to Information Security Program; and Internal and external audit results. Cybersecurity Risk Management The Information Security Program employs various information security controls, tools, and strategies to combat threats and to ensure the Company s information and systems remain secure. The Information Security Program contains specific provisions for identifying, assessing, and mitigating cyber threats, including but not limited to social engineering, credential theft, and vulnerability exploitation. Due to the dynamic nature of risks, threats, vulnerabilities, and the information systems themselves, all information systems that store, process, or transmit sensitive and confidential information are protected by defense-in-depth strategies that include strong authentication techniques, firewalls, network security settings, end point protection, physical security measures, and security awareness training. The Information Security Program is periodically reviewed to ensure that internal controls are designed appropriately and operating as expected. The Information Security Program is reviewed and approved by the Board of Directors annually. Periodic audits are performed by internal and external auditors to confirm adherence to the security program and regulatory guidelines and 32 Table of Contents requirements. The Information Security team performs an annual assessment of cybersecurity risk and maturity using the FFIEC Cybersecurity Assessment Tool and reports the results to the Board of Directors as part of the annual report. The Information Security Program complies with all applicable regulations, including Section 501(b) of the Gramm Leach Bliley Act and Section 216 of the Fair and Accurate Credit Transactions Act of 2003. The Information Security Program aligns with National Institute of Standards and Technology Cybersecurity Framework and the Center for Internet Security (benchmarks for device hardening. The Information Security team is responsible for monitoring and identifying all vulnerabilities and suspected threats and implementing corrective actions, if required. The Information Security team conducts risk assessments on the technology stack, determines effectiveness of internal controls, and develops remediation plans. The Information Security team utilizes specialized service providers to perform continuous monitoring, alerting and containment of potential threats, and penetration testing. The Information Security team maintains a Vendor Management Program and performs ongoing periodic risk assessments on third- and fourth-party vendors and their associated technologies, if applicable. While extensive cybersecurity controls and procedures are in place, the risk of experiencing an incident can never be eliminated completely. We maintain and regularly review and update an Incident Response Plan designed to address adverse events that could impact the security of information, that affect our ability to conduct secure financial transactions, or that present reputational risk.

Company Information