PEOPLES BANCORP OF NORTH CAROLINA INC 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

PEOPLES BANCORP OF NORTH CAROLINA INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 14:30:30 EST.

Filings

10-K filed on 2024-03-07

PEOPLES BANCORP OF NORTH CAROLINA INC filed an 10-K at 2024-03-07 14:30:30 EST
Accession Number: 0001654954-24-002793

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C - Cybersecurity 25-26 N/A
ITEM 1C. CYBERSECURITY Risk Management and Strategy Our risk management program is designed to identify, assess, and mitigate risks across various aspects of the Company, including financial, operational, regulatory, reputational, and legal. Cybersecurity is a critical component of this program, given the increasing reliance on technology and potential of cyber threats. Our Chief Information Officer is primarily responsible for this cybersecurity component and is a key member of Bank management, reporting directly to the Chief Operating Officer and, as discussed below, periodically to the Bank Board. Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse our systems or information. The structure of our cybersecurity program is designed around the National Institute of Standards and Technology ( NIST ) Cybersecurity Framework, regulatory guidance, and other industry standards. In addition, we leverage certain industry and government associations, third-party benchmarking, audits, and threat intelligence to facilitate and promote program effectiveness. Our Chief Information Officer and our Information Security Officer, report directly to our Chief Operating Officer, along with key members of their teams, who collaborate with peer banks and industry groups to review cybersecurity trends and issues and identify best practices. The information security program is periodically reviewed by such personnel with the goal of addressing changing threats and conditions. We employ an in-depth, layered, defensive strategy that embraces a trust by design philosophy when designing new products, services, and technology. We leverage people, processes, and technology as part of our efforts to manage and maintain cybersecurity controls. We also employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. We have established processes and systems designed to mitigate cyber risk, including regular and on-going education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests. We engage in regular assessments of our infrastructure, software systems, and network architecture, using internal cybersecurity experts and third-party specialists. We also maintain a third-party risk management program designed to identify, assess, and manage risks, including cybersecurity risks, associated with external service providers and our supply chain. We also actively monitor our email gateways for malicious phishing email campaigns and monitor remote connections. We maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification of and escalation to the appropriate management committees and Bank Board. The Incident Response Plan is coordinated through the Chief Information Officer and key members of management are embedded into the Plan by its design. The Incident Response Plan facilitates coordination across multiple parts of our organization and is evaluated at least annually. Notwithstanding our defensive measures and processes, the threat posed by cyber-attacks is severe. Our internal systems, processes, and controls are designed to mitigate loss from cyber-attacks. At this time, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. For further discussion of risks from cybersecurity threats, see the section captioned Cybersecurity incidents could disrupt business operations, result in the loss of critical and confidential information, and adversely impact our reputation and results of operations and Our business continuity plans or data security systems could prove to be inadequate, resulting in a material interruption in, or disruption to, our business and a negative impact on our results of operations in Item 1A. Risk Factors. 25 Table of Contents Governance Our Chief Information Officer and Information Security Officer, along with their departments, are accountable for managing our enterprise information security and delivering our information security program. Their responsibilities include cybersecurity risk assessment, defense operations, incident response, vulnerability assessment, threat intelligence, identity access governance, third-party risk management, and business resilience. Their departments, as a whole, consists of information security professionals with varying degrees of education and experience. Certain individuals within their departments are generally subject to professional education and certification requirements. In particular, our Chief Information Officer and Information Security Officer have relevant expertise in the areas of information security and cybersecurity risk management. The Bank s Technology Steering Committee provides oversight and governance of the Bank s technology program and the information security program. Members of this committee include executive management, our Chief Information Officer, and our Information Security Officer. This committee meets monthly to provide oversight of the risk management strategy, standards, policies, practices, controls, and mitigation and prevention efforts employed to manage security risks. The Chief Operating Officer regularly reports summaries of key issues that would include cybersecurity incidents or other related information from the Technology Steering Committee to the Bank Board. The Bank Board is responsible for overseeing our information security and technology programs, including management s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. Our Chief Information Officer and our Information Security Officer provide reports to the Bank Board, at least annually, regarding the information security program and the technology program, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes. The Bank Board reviews and approves our information security and technology policies annually.

Company Information