ENTERPRISE BANCORP INC /MA/ 10-K Cybersecurity GRC - 2024-03-08

Page last updated on April 11, 2024

ENTERPRISE BANCORP INC /MA/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-08 17:06:25 EST.

Filings

10-K filed on 2024-03-08

ENTERPRISE BANCORP INC /MA/ filed a 10-K at 2024-03-08 17:06:25 EST
Accession Number: 0001018399-24-000015


Item 1C. Cybersecurity.

Overall Process

We have developed and implemented a comprehensive multi-layered cybersecurity risk management program, consisting of a dedicated cybersecurity function, risk assessments, policies and procedures managed by internal and external resources, that we believe is reasonably designed to prevent, detect and respond to cyber risks and incidents. We utilize a set of tools and services, including regular network, endpoint and cloud monitoring, vulnerability assessments, penetration testing, SIEM, and tabletop exercises to identify and assess material risks from cybersecurity threats and to evaluate our cyber defense capabilities. Internal security controls are designed to align with standards set by the NIST.

We monitor emerging data protection laws, conduct background checks of our employees in specific technology and cybersecurity roles, apply least privilege access to users, test the maturity and readiness of our cybersecurity program, conduct table top exercises based on current threat scenarios to increase awareness, conduct phishing testing, provide cybersecurity training to our Board and employees, and provide cybersecurity alerts to our customers on ongoing threats. We monitor notifications and alerts from the FS-ISAC and other industry cybersecurity sites to stay abreast of the most recent cybersecurity alerts.

Enterprise Risk Management Process Integration

The Company has implemented layered security approaches for all electronic delivery channels to detect, prevent and respond to rising cybersecurity risks.
Management utilizes a combination of third-party information security assessments, key technologies, and ongoing internal and external evaluations to provide a level of protection of non-public personal information, to continually monitor and attempt to safeguard information on its operating systems, in cloud-based solutions, and those of third-party service providers, and to prevent, quickly detect and respond to attacks. The Company also utilizes firewall technology, multi-factor authentication, complex password construction, and a combination of software and third-party monitoring to detect and prevent intrusion, and cybersecurity threats, guard against unauthorized access, and continuously identify and prevent computer viruses on the Company’s information solutions. To minimize debit card losses, the Company works with a third-party provider to establish parameters for allowable transaction activity, monitor transactions, and alert customers of potentially fraudulent activity.

The Bank maintains a written Information Security Program based on a collection of information security policies, regulatory requirements, standards, guidelines, processes, procedures, third-party recommendations, and industry best practices. The purpose of this Program is to establish a company-wide approach for assessing and protecting the integrity, availability, and confidentiality of the Bank’s information assets.

Third-party Access

The Company has a fully integrated third-party risk management program to identify, assess, monitor and mitigate risks associated with third-party relationships, including cybersecurity risks. Under the program, risk ratings are assigned to each of the vendors based on an assessment of the vendor and its access to networks, systems, and confidential information. An assessment is conducted on each vendor to identify and measure the risks from cybersecurity threats that could impact our customer’s data and our environment.
Third parties that have access to our systems or customer data must have appropriate technical and organizational security measures and security control principles based on commercially acceptable security standards, and we require third parties in this class to agree by contract to manage their cybersecurity risks. In our Risk Factors, we describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition.

Material Incidents

We are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. Although we have a robust cybersecurity program that is designed to assess, identify, and manage material risks from cybersecurity threats, we cannot provide absolute surety that we have properly identified or mitigated all vulnerabilities or risks of incidents. We, and the third parties that we engage, are subject to constant and evolving threats of attack and cybersecurity incidents may be more difficult to detect for periods of time. A cybersecurity incident could harm our business strategy, results of operations, financial condition, reputation, and/or subject us to regulatory actions or litigation which may result in fines, judgments or indictments.

Incidents and Risks

The Company has developed an Incident Response Plan to guide its actions in responding to real and suspected information security incidents. This includes unlawful, unauthorized, or unacceptable actions that involve a computer system or a computer network such as Distributed Denial of Service attacks, Corporate Account Takeover schemes, or ransomware.
Additionally, an event that disrupts one of the Bank’s service channels, whether from a security incident or not, is also considered an incident requiring a response under this program. These disclosure controls and procedures compel the Company to make accurate and timely disclosures of material events and incidents to both customers and regulatory authorities. The reaction to an incident aims to reduce potential damage and loss and to protect and restore confidence through timely communication and the restoration of normal operating conditions for computers, services, and information. Management will work closely with its cybersecurity insurance provider, cybersecurity legal counsel, and forensic experts when investigating and responding to cyber or ransomware attacks.

Cybersecurity Governance

Cybersecurity risk management processes are an integral part of our enterprise risk management which is overseen by the Board and the Technology & Information Security Committee of the Board. The Board oversees the risk management policies of the Company and is responsible for the periodic review and approval of the risk management policies of the company and provides general oversight over the information security and technology programs. The TISC oversees the technology and cybersecurity strategies and their alignment with business strategies, the effectiveness of the information security program, monitors the results of third-party testing and risk assessments and responses to breaches of customer data, among other project management, cybersecurity, and business continuity oversight functions. The Committee meets five times during the year, or more as needed. An information security advisor participates in the meetings and is available to provide additional insights into cybersecurity methodologies, best practices, threat trends, and resource planning.
The CISO has over 17 years of banking experience, is a Certified Information Systems Security Professional, and has been involved with the management of information and cybersecurity for over ten years. The CISO regularly reports to the Board Technology & Information Security Committee on information and cybersecurity strategy, testing, training, policies, procedures, cybersecurity insurance, and overall effectiveness of the Information Security Program and would report and discuss material incidents, and ongoing mitigation status, if any should occur. The CISO is the chair of Management’s Information Security Committee that meets on a monthly basis to evaluate threats, incidents, defense system effectiveness, accepted risks, results of third-party cyber assessments and engagements, and the overall adequacy of the cybersecurity program. In addition, the Chief Information Officer has over 15 years of experience in managing bank technologies, information security, and risk management, and collaborates in supporting the Information Security Program. The CISO reports directly to the Chief Risk Officer and meets on a monthly basis with the Executive Management team to discuss cybersecurity risk management matters.


Company Information

Name: ENTERPRISE BANCORP INC /MA/
CIK: 0001018399
SIC Description: State Commercial Banks
Ticker: EBTC - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 30