FIRST NORTHERN COMMUNITY BANCORP 10-K Cybersecurity GRC - 2024-03-08

Page last updated on April 11, 2024

FIRST NORTHERN COMMUNITY BANCORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-08 18:58:10 EST.

Filings

10-K filed on 2024-03-08

FIRST NORTHERN COMMUNITY BANCORP filed a 10-K at 2024-03-08 18:58:10 EST
Accession Number: 0001140361-24-012415


Item 1C. Cybersecurity.

ITEM 1C CYBERSECURITY

Cybersecurity Risk Management and Strategy

The Company recognizes that the security of our banking operations and the confidentiality, security and availability of the information that the Company collects and stores is critical to protecting our customers, maintaining our reputation and preserving the value of the Company. Cybersecurity risks are constantly evolving and becoming increasingly pervasive across all industries. The Company has implemented a comprehensive cybersecurity risk management program that we believe is reasonably designed to mitigate these risks and protect sensitive customer data, financial transactions and our information systems. Key components of the cybersecurity risk management program include:

- A risk assessment process that identifies and prioritizes material cybersecurity risks, defines and evaluates the effectiveness of controls to mitigate the risks, and reports results to executive management and the Board of Directors.
- A third-party Managed Detection and Response (MDR) service, which monitors the security of our information systems around-the-clock, including intrusion detection and alerting.
- A third-party Managed Security Service Provider (MSSP) covering all critical cyber defense functions such as data protection, identity and access management, insider risk management, security operations and threat intelligence.
- A training program that educates employees and management about cybersecurity risks and how to protect themselves from cyberattacks.
- An incident response plan that outlines the steps the Company will take to respond to a cybersecurity incident, which is tested on a periodic basis.

The Company engages reputable third-party auditors and security assessors to conduct various independent risk assessments on a regular basis, including cybersecurity program maturity assessments and network and systems testing to identify and address potential vulnerabilities.

Following a defense-in-depth strategy, the Company leverages both in-house resources and third-party service providers to implement and maintain processes and controls to manage the identified risks. Our vendor management program is designed to ensure that our vendors meet current cybersecurity and information security standards. This includes conducting periodic reviews of independent control audits of the security, infrastructure, application standards or controls, and recovery plans of our most critical vendors. The Company's cybersecurity risk management program and strategy are designed to ensure the Company's information and information systems are appropriately protected from a variety of threats, both natural and man-made. Periodic risk assessments are performed to validate control requirements and ensure that the Company's information is protected at a level commensurate with its sensitivity, value, and criticality. Preventative and detective security controls are employed on all media where information is stored, the systems that process it, and infrastructure components that facilitate its transmission, to ensure the confidentiality, integrity, and availability of Company information. These controls include, but are not limited to, access control, data encryption, data loss prevention, incident response, security monitoring, third-party risk management, and vulnerability management. The Company has an incident response program in place that is designed to enable a coordinated response to mitigate the impact of cyber-attacks, recover from the attack and provide for the prompt escalation of certain cybersecurity incidents to management, including for decisions regarding timely reporting of material incidents in accordance with SEC rules.

The Company's cybersecurity risk management program and strategy are regularly reviewed and updated to ensure that they are aligned with the Company's business objectives and are designed to address evolving cybersecurity threats and satisfy regulatory requirements and industry standards.

Material Effects of Cybersecurity Threats

While cybersecurity risks have the potential to materially affect the Company's business, financial condition, and results of operations, the Company does not believe that risks from cybersecurity threats or attacks, including as a result of any previous cybersecurity incidents, have materially affected the Company, including its business strategy, results of operations or financial condition. However, the sophistication of cyber threats continues to increase, and the Company's cybersecurity risk management and strategy may be insufficient or may not be successful in protecting against all cyber incidents. Accordingly, no matter how well designed or implemented the Company's controls are, it will not be able to anticipate all cyber security breaches, preventative measures cannot provide absolute security and may not be sufficient in all circumstances or mitigate all potential risks, and the Company may not be able to implement effective preventive measures against cyber security breaches in a timely manner. For more information on how cybersecurity risk may materially affect the Company's business strategy, results of operations or financial condition, please refer to Part I, Item 1A, Risk Factors in this report.

Governance

Board of Directors Oversight

The Company's Board of Directors is charged with overseeing the establishment and execution of the Company's cybersecurity risk management framework and monitoring adherence to related policies required by applicable statutes, regulations and principles of safety and soundness. Consistent with this responsibility, the Board has delegated primary oversight responsibility over the Company's cybersecurity risk and cybersecurity risk management to the Information Services Steering Committee of the Board of Directors. The Information Services Steering Committee receives regular updates on cybersecurity risks and incidents and the cybersecurity program through direct interaction with the Information Security Officer (ISO) and/or the Chief Information Officer (CIO). The ISO and/or CIO also provide periodic updates regarding cybersecurity risks and the cybersecurity program to the Audit Committee of the Board of Directors and to the full Board of Directors. Additionally, awareness and training on cybersecurity topics is provided to the Board on an annual basis.

Management's Role

The ISO and the CIO are responsible for implementing and maintaining the Company's cybersecurity risk management program. Information Security is led by the ISO, who reports directly to the President/Chief Executive Officer. The Company's ISO has over 35 years of experience in IT management, information security, and cybersecurity with the Company. The ISO and CIO are responsible for ensuring the protection of electronic and physical information through the identification and management of risk activities. Information security risk is reported by the ISO or the CIO through quarterly metric reporting to the Information Services Steering Committee. This Committee establishes and oversees policies, programs, and other guidance to provide specific expectations for managing the Company's cybersecurity risk.


Company Information

Name: FIRST NORTHERN COMMUNITY BANCORP
CIK: 0001114927
SIC Description: Savings Institution, Federally Chartered
Ticker: FNRN - OTC
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30