FS Bancorp, Inc. 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

FS Bancorp, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 17:21:10 EDT.

Filings

10-K filed on 2024-03-15

FS Bancorp, Inc. filed an 10-K at 2024-03-15 17:21:10 EDT
Accession Number: 0001437749-24-008140

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management Strategy As a financial institution, cybersecurity presents significant risks. Accordingly, the protection of customer and business information is taken very seriously. Cybersecurity risk management is a component of the Company s formal Information Security Program. The Information Security Program is incorporated into the Company s Enterprise Risk Management Program, ensuring a holistic approach to risk prevention, detection, mitigation, and remediation of cybersecurity threats. The Information Security Program is based on regulation and guidance established by agencies, including but not limited to, the Federal Financial Institutions Counsel ( FFIEC ) and the Federal Deposit Insurance Corporation ( FDIC ). The Information Security Program begins with risk assessment. At least annually, the Company s Information Security team completes an information security risk assessment in accordance with regulatory guidance. While cyber threats are included in the overall information security risk assessment, a targeted cybersecurity risk assessment is also completed, utilizing the FFIEC Cybersecurity Assessment Tool ( FFIEC CAT ). The FFIEC CAT specifically assesses the maturity and effectiveness of the Bank s cybersecurity programs. In addition to the FFIEC CAT, the Bank partners with internal and external auditors to conduct various assessments throughout the year to identify, manage, and mitigate cybersecurity risks. The assessments conducted include but are not limited to: vulnerability assessments, penetration testing, social engineering, and onsite security assessments. Risk assessments consider size and complexity, are formally documented, and adapt to changes in the technology and organizational environment. Management and the Board of Directors use risk assessment data to make informed risk management decisions based on a full understanding of the risks. Management and the Board also consider the results of these assessments when overseeing operations. A strong, high-level risk assessment process provides the foundation for more detailed assessments within the functional risk management areas, as well as improves policy and internal control decisions across the organization. 45 Table of Contents Information Security Risk Assessment Information security controls result from an effective risk assessment process. The Company identifies, measures, controls, and monitors threats to avoid risks that threaten the safety and soundness of the organization. In accordance with the Gramm-Leach-Bliley Act (GLBA) and FDIC regulation 12 CFR Part 364 Appendix B III B, the objectives of the information security risk assessment include: Identifying reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems. Assessing the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information. Assessing the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks. Cybersecurity Risk Assessment Cybersecurity is an integral subset of information security and refers to anything intended to protect enterprises and individuals from intentional attacks, breaches, incidents, and consequences. The foundation of this protection begins with identifying the risk of these threats and assessing the controls in place to mitigate such risks. The Company has included cyber threats in its information security risk assessment in accordance with regulatory guidance and conducts a targeted cyber risk assessment using the FFIEC CAT. Utilizing the FFIEC CAT, the Company s inherent risk profile is documented along with its maturity level and effectiveness in managing cyber risk. Both the Information Security Risk Assessment and the FFIEC CAT results are presented to, and approved by, the Audit Committee of the Board of Directors at least annually. Risk Management Plan Once risk assessments are complete, a risk management plan is prepared to ensure controls are developed or enhanced to mitigate risks to acceptable levels. The Risk Management Plan is presented to, and approved by, the Audit Committee of the Board of Directors annually and progress on remediation activities is shared quarterly. Information Security Program Vendor Management. The Company maintains a formally documented Vendor Management Program that includes an information security review of all new and existing third-party vendor relationships. The Vendor Management team ensures initial and ongoing due diligence is performed on all third- party relationships according to policy. Quarterly Vendor Management program updates are provided and the Policy is reviewed and approved annually by the Audit Committee of the Board of Directors. Implementation of a multi-faceted threat intelligence gathering process. The Information Security and Information Technology teams subscribe to several threat intelligence news feeds and regularly attend cybersecurity threat intelligence webinars, trainings, and peer groups. Information on threat gathering is included in a quarterly report to the Board of Directors. Implementation of a multi-layered defense strategy to fortify information protection. Technical, physical, and administrative control redundancies are deployed to ensure multiple layers of protection are in place against cyber threats. Control design and operating effectiveness is tested regularly by independent audit firms and reported to senior management and the Audit Committee of the Board of Directors. Comprehensive security awareness training and testing for all bank employees. Various communication strategies to communicate new and existing cybersecurity threats are used. Employees receive regular virtual and in-person security awareness training through simulated tests, online training courses, company communications, and in-person training and testing events. Training and testing efforts are included in the quarterly update to the Board of Directors. 46 Table of Contents Incident Response. A comprehensive Incident Response Plan has been developed and tested. The Plan contains information for employees to ensure they can recognize, investigate, communicate, prevent, and document an incident that threatens the confidentiality, integrity, or availability of information or systems. All incidents are reported to, and the Plan is reviewed and approved by, the Audit Committee of the Board of Directors. Independent Audit and Testing. The Company s Audit Department schedules and oversees a regular review of program design and effectiveness by independent third-party audit firms that specialize in technology and cybersecurity. Results are reported directly to senior management and the Audit Committee of the Board of Directors. Remediation Tracking. Remediation and tracking sheets are developed for all audit and assessment results. Progress is monitored by the Audit Department and reported to the Audit Committee of the Board of Directors regularly. Governance The Company s Board of Directors provides active oversight of cybersecurity threats in accordance with the Board-approved Information Security Policy and Program. Direct oversight of the Program is delegated to the Audit Committee of the Board of Directors. The Audit Committee has an established risk appetite statement that defines the Company s risk acceptance tolerance. The Audit Committee reviews and approves the Risk Appetite statement annually. The Audit Committee also plays a critical role in overseeing the Bank s efforts to develop, implement, and maintain an effective Information Security Program. With direction and oversight by the Audit Committee, the Bank s Chief Risk Officer ( CRO ) oversees the enterprise-wide risk management program, and the Chief Information Officer ( CIO ) is the Board-appointed Information Security Officer, responsible for the Information Security Program, including cybersecurity. The CRO and CIO report cybersecurity related matters directly to the Audit Committee. The Information Security team, engaged in enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes, ensures a complete approach to safeguarding the confidentiality, integrity, and availability of sensitive information. The Information Security team consists of experienced information security professionals and is led by the CIO. The CIO has more than 25 years of information technology and banking leadership experience and holds a Certified Information Systems Security Professional ( CISSP ) designation. Reporting to the CIO is the Information Security Manager who has more than 10 years of cybersecurity experience in the Financial Institution industry and possesses a master s degree in information systems management with an emphasis in cybersecurity. Complementing the independent Information Security team, is the Information Technology (IT) team. The IT System Administration & Engineering Manager has over seven years financial institution technology experience and a master s degree in information systems management with a cybersecurity management specialization and the Systems Support Manager has over 20 years of financial institution technology experience, ensuring technology operations occur with a security-focused mindset. In addition to experienced information security and information technology teams, the Company engages with industry experts for managed security services. This collaborative effort includes threat intelligence gathering, firewall management, intrusion detection system monitoring, intrusion prevention services, and security information and event management monitoring, ensuring round-the-clock protection. The Vendor Management team ensures compliance with the organization s Vendor Management Policy, including initial and ongoing due diligence of all third-party providers. Risk assessments and risk management plans are developed, communicated, and tracked. Annually, the CIO presents the Information Security Risk Assessment to the IT Steering Committee and to the Audit Committee of the Board of Directors for review and approval. Quarterly, the CIO provides an Information Security Risk Management Plan status report to the Audit Committee and an Information/Cybersecurity Status report to the full Board of Directors. Reports encompass internal information and cybersecurity assessments, business continuity plans, disaster recovery measures, incident response planning and testing, patch management and vendor management program statuses, as well as internal self-audit results. The information security risk assessment and updates on projects aimed at fortifying information security systems and emerging cybersecurity threat insights are communicated to the Audit Committee, maintaining transparency, and ensuring informed decision-making. Annual review and approval of information security-related policies by the Audit Committee underscore our commitment to governance and regulatory compliance. Audits and testing of program effectiveness are coordinated by the Company s Senior Vice President of Audit who oversees the Audit Department and reports to the Audit Committee of the Board of Directors, independent of the technology and cybersecurity functions. The Audit Department utilizes independent third-party audit firms with technology and cybersecurity expertise. Results of all audits and independent assessments are delivered directly to senior management and the Audit Committee of the Board of Directors by the SVP of Audit. 47 Table of Contents The Information Security team serves as the Bank s dedicated cybersecurity incident response team. Cybersecurity incident response is a sub-section of the Bank s Incident Response Plan. The Information Security team handles the technical aspects of the Bank s response to a cybersecurity incident. Escalation instructions are included in the Plan for engaging resources outside the Information Security team. The Board is notified immediately of cybersecurity incidents, as per the incident response instructions. Cybersecurity Incidents As of the reporting period, the Company has not experienced any material cybersecurity events or incidents. Although third-party service providers have encountered cybersecurity events or incidents, these occurrences have not resulted in a material impact on our systems, computing environments, or data.

Company Information