CAMDEN NATIONAL CORP 10-K Cybersecurity GRC - 2024-03-08

Page last updated on April 11, 2024

CAMDEN NATIONAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-08 16:05:41 EST.

Filings

10-K filed on 2024-03-08

CAMDEN NATIONAL CORP filed an 10-K at 2024-03-08 16:05:41 EST
Accession Number: 0000750686-24-000025

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy The Company has developed and implemented a comprehensive cybersecurity risk management program that is intended to protect the secure processing, transmission and storage of confidential information in its computer systems and networks. The Company s cybersecurity risk management program, a component of the Company s Enterprise Risk Management ( ERM ) Program, is based on the National Institute of Standards and Technology ( NIST ) Cybersecurity Framework, regulatory guidance and other industry standards. The Company s process for identifying, assessing, managing and prioritizing cybersecurity risks throughout the Company includes: A third party risk assessment program for the Company s third party vendors that access the Company s data (each, a Vendor ) to ensure that all Vendors meet the Company s cybersecurity requirements, including, periodic risk assessments of Vendors, monitoring Vendor compliance with the Company s cybersecurity requirements, and a requirement that all contracts with Vendors include provisions requiring the Vendor to notify the Company of any cyber incident, and/or to maintain minimum levels of cybersecurity insurance; A security awareness program that includes training employees on best practices for securing the Company s data, as well as regular social engineering testing to keep employees informed of cybersecurity threats and to train them to look for malicious emails and other potential cybersecurity threats; A dedicated information security team that monitors threats and vulnerabilities that arise, and regularly performs threat intelligence and vulnerability management; The Company s engagement of a third party to conduct periodic independent testing of the Company s cybersecurity defenses to confirm that the defenses are effective; A Managed Detection and Response ( MDR ) service that continuously monitors the Company s systems and alerts the Company s information security team of any detected anomalies or suspicious activity and stops any event that is deemed dangerous to the Company s systems or networks; An Incident Response Plan ( IRP ) and Business Continuity Plan ( BCP ) which outline steps to be taken during a cyber incident and to recover systems and continue business operations following a cyber incident; and 30 A Cybersecurity Incident Response Team ( CSIRT ) that tracks cyber incidents, including those that affect third parties that are handling the Company s data. Cybersecurity Threats During the fiscal year ended December 31, 2023, the Company did not identify any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected, or that are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition other than the risks described in Item 1A. Risk Factors . Cybersecurity Governance Board of Directors Oversight. The Company s Board of Directors oversees the Company s cybersecurity program, including the oversight of risks related to cybersecurity through various committees that are responsible for monitoring and testing the Company’s information security. The Board of Directors conducts an annual review of the Company s cybersecurity- related policies. Quarterly, the Company s Senior Vice President, Director of Information Security ( DIS ) presents reports to the Audit Committee on vulnerability management and cybersecurity testing effectiveness, emerging threats and industry and regulatory changes that affect cybersecurity, and responds to inquiries from the Audit Committee. In addition, the Technology Committee receives and evaluates quarterly updates from the DIS on cybersecurity performance and on cybersecurity trends and strategies. The Board of Directors receives quarterly updates from the EVP, Chief Risk Officer ( CRO ) on cybersecurity metrics and the cybersecurity risk management program s performance. Management Oversight. While the Board of Directors and its Audit and Technology Committees oversee management s processes related to cybersecurity risks, management is responsible for identifying, monitoring and mitigating the material cybersecurity risks that face the Company. The Company s CRO is directly responsible for the overall cybersecurity risk management program which is a part of the Company’s ERM Program. The CRO and the DIS oversee the information security department s implementation and maintenance of the cybersecurity security risk management program, including oversight of Vendors and regular reporting to the Board of Directors and its Audit and Technology Committees on the effectiveness of the cybersecurity risk management program. The DIS updates the CRO as appropriate, including as new developments or information related to cyber incidents arise. The Company s CRO has over 27 years of experience in cybersecurity and information technology. The CRO joined the Company in 2011 and became CRO in July 2023. Prior to becoming CRO, he served as SVP and Director of Information Security & ERM for six years and prior to that served five years as Vice President and Senior Information Security Officer of the Company. Prior to joining the Company, the CRO had a ten year career in information technology and began his career serving with the United States Air Force, specializing in information technology, cybersecurity, risk mitigation, and encrypted communications. The Company s DIS joined the Company in 2023 and has over 20 years of experience in information technology and cybersecurity. The DIS has held senior management positions in information security for the past ten years. The DIS holds several industry certifications including Certified Information Systems Security Professional ( CISSP ), Certified Information Systems Auditor ( CISA ), Certified in Risk and Management Systems Controls ( CRISC ) and Certified Data Privacy Solutions Engineer ( CDPSE ).

Company Information