HMN FINANCIAL INC 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

HMN FINANCIAL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 14:27:46 EDT.

Filings

10-K filed on 2024-03-15

HMN FINANCIAL INC filed an 10-K at 2024-03-15 14:27:46 EDT
Accession Number: 0001437749-24-008058

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy The Company recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data and has integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. Our information technology department continuously evaluates and addresses cybersecurity risks in alignment with our business objectives and operational needs. Because of the complexity and evolving nature of cybersecurity threats, the Company engages with a range of external experts, including cybersecurity consultants and auditors in evaluating and testing our risk management systems. These partnerships enable us to leverage their specialized knowledge and insights, ensuring our cybersecurity strategies and processes are appropriate. Our collaboration with these third parties includes ongoing system penetration testing, regular audits, threat assessments, and consultation on security enhancements. 36 Table of Contents Because the Company is aware of the risks associated with third-party service providers, management implements stringent processes to oversee and manage these risks. We conduct thorough security assessments of all third-party providers before engagement and maintain ongoing monitoring to ensure they meet our cybersecurity standards. We are not aware of any previous cybersecurity incidents which have materially affected, or are reasonably likely to materially affect, us to date, including our business strategy, results of operations or financial condition. However, any future potential risks from cybersecurity threats, including but not limited to exploitation of vulnerabilities, ransomware, denial of service, or other similar threats may materially affect us, including our execution of business strategy, reputation, results of operations and/or financial condition. Governance The Board of Directors is aware of the critical nature of managing risks associated with cybersecurity threats and is composed of members with diverse expertise including, risk management, technology, and finance, allowing them to effectively oversee cybersecurity risks. The Director of Information Technology (DIT) plays a pivotal role in informing the Board on cybersecurity risks. He provides comprehensive briefings to the Board on a quarterly basis which include updates on the results of vulnerability testing, status of software patching installations, results of business continuity exercises, a summary of recent cybersecurity events/articles, and an update on third-party consultant activities. In addition, our external consultants meet with the Board on an annual basis to update them on the results of their reviews. Risk Management Personnel Primary responsibility for assessing, monitoring, and managing our cybersecurity risks rests with the DIT, Mr. Roberts Hoenisch. With over 30 years of experience in the information technology field, Mr. Hoenisch brings a wealth of expertise to his role. He, in conjunction with his staff and external consultants, oversees our governance programs, tests our compliance with standards, remediates known risks, and implements our employee training program. Monitor Cybersecurity Incidents The DIT is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The DIT, along with his staff and third party consultants, implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the DIT is equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents. Reporting to Board of Directors The DIT, in his capacity, regularly informs the Chief Financial Officer (CFO) and Chief Executive Officer (CEO) of all aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. Furthermore, any significant cybersecurity matters, and strategic risk management decisions would be escalated to the Board of Directors, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues. 37 Table of Contents

Company Information