CB Financial Services, Inc. 10-K Cybersecurity GRC - 2024-03-13

Page last updated on April 11, 2024

CB Financial Services, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-13 14:09:39 EDT.

Filings

10-K filed on 2024-03-13

CB Financial Services, Inc. filed a 10-K at 2024-03-13 14:09:39 EDT
Accession Number: 0001605301-24-000005


Item 1C. Cybersecurity.

Our risk management program is designed to identify, assess and mitigate risks across our company. When considering financial, operational, regulatory, reputational and legal risk, our program is well matched for our size and complexity.

Our Chief Technology Officer, in conjunction with the Chief Operating Officer, is currently responsible for managing our information security program. Given the increasing risk involving cybersecurity and the Bank's evolving needs and reliance on technology, our strategy involves the addition of a Chief Information Security Officer. The Chief Information Security Officer will be primarily responsible for the cybersecurity component of our risk program. These responsibilities include performing and maintaining a cyber risk assessment, defense operations, incident response, vulnerability assessment, threat intelligence, access levels, third party risk and vendor management and business continuity planning. This key role will be developed as we expand our overall risk management program.

Our objectives for managing cybersecurity risk are to greatly minimize the impacts of external threats. This includes, but is not limited to, efforts to penetrate, disrupt or misuse our systems or information. Our information security program is designed to comply with industry standards, such as the National Institute of Technology Cybersecurity Framework. We successfully leverage several associations, industry groups, audits and enhanced monitoring to promote the effectiveness of our program. Our Chief Technology Officer, who reports to our Chief Operating Officer, collaborates regularly with peer banks and other industry groups to identify and implement best practices. Our program is regularly reviewed in an effort to address emerging trends and threats.

We maintain multiple controls in an effort to manage cybersecurity threats. We employ various preventative and detective controls to monitor, block and prevent suspicious activity including those that provide real-time alerts and response. We have systems designed to mitigate cyber risk, which includes ongoing training for employees, preparedness and tabletop exercises, and recovery testing. We maintain a robust vendor management program that identifies, assesses and documents risk associated with external service providers. We proactively monitor email servers for malicious activity and limit remote work only to qualified positions. We leverage internal and external auditors to review processes, systems and controls related to our information security program to ensure they are operating effectively. Management proactively responds to all recommendations designed to strengthen or improve our operating environment.

We maintain a detailed Incident Response Plan which outlines the steps we would implement in the event of an actual or potential cybersecurity event. The Incident Response Plan includes timely notification of an escalation to the appropriate levels of management and Board of Directors. The Incident Response Plan is reviewed and updated at least annually and mandates coordination and collaboration across all levels of management and all areas of the Bank.

The Board of Directors reviews components of the information security program on an annual basis including policies, procedures, risk assessments, table top testing results, attestations, budgets and strategies. These components are presented by Executive Management as part of the regular board meeting schedule and strategic planning process.


Company Information

Name: CB Financial Services, Inc.
CIK: 0001605301
SIC Description: State Commercial Banks
Ticker: CBFV - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30