OHIO VALLEY BANC CORP 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

OHIO VALLEY BANC CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 16:26:29 EDT.

Filings

10-K filed on 2024-03-15

OHIO VALLEY BANC CORP filed an 10-K at 2024-03-15 16:26:29 EDT
Accession Number: 0001140361-24-013512

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C CYBERSECURITY Ohio Valley recognizes the critical importance of assessing, identifying, and managing material risks from cybersecurity threats and safeguarding the security of its banking operations and data, including protecting its customers information. As a result, the Company has devoted significant financial and personnel resources to assessing, identifying, and managing cybersecurity risks and threats, including: Maintaining policies and procedures regarding security operations and governance through the implementation of the Company s Information Security Program Implementing multi-layered controls to avoid reliance on single controls Utilizing both preventative and detective tools to monitor and block suspicious activity and to alert us of potential threats Keeping abreast of new technology and evaluating tools to help respond to threats to cybersecurity in an efficient and effective manner Collaborating with third-party cybersecurity consultants that perform regular penetration testing, vulnerability assessments, and other procedures to identify potential weaknesses in our systems and processes Utilizing a third-party risk management program for purposes of identifying, assessing, and managing risks involved with external service providers Conducting thorough due diligence concerning our third-party service providers, including evaluating their cybersecurity practices and Providing regular cybersecurity training for both our employees and our Board of Directors. 30 The Board, through the Information Technology Steering Committee, works with senior management and other employee committees to oversee the development, implementation, maintenance, and administration of the Information Security Program, which is aligned and integrated into Ohio Valley s overall risk management system and processes. The Information Technology Steering Committee itself is comprised of diverse directors and officers of the Bank with vast knowledge and years of banking experience. The Information Security Officer of the committee has 25 years of banking experience including 24 IT related years as well as continuing education including a BA in Management Information Systems and Network+ and A+ certifications. The purpose of the Information Security Program is to: Identify and analyze cybersecurity risks Provide the Company with direction on effectively managing such risks Approve information security plans, policies, and programs Assess whether the Company s current security programs are effective and Provide recommendations for corrective action. The Company has also implemented an Incident Response Plan which is reviewed and updated at least annually in response to an ever-changing threat landscape. The purpose of the Incident Response Plan is to provide long-term strategies for the remediation and prevention of, and resiliency to, cybersecurity threats and incidents. Our Incident Response Plan is executed through the incident response team comprised of both cybersecurity experts and select members of management, including one or more Information Security Officers, who are responsible for monitoring potential threats and identifying events that may warrant Board notification and/or public disclosure. Additionally, our Information Security Officers are responsible for responding to security events by ordering emergency actions to protect the Company and its customers managing negative effects on the confidentiality, integrity, and availability of information and minimizing the disruption and degradation of critical services. Notwithstanding the strength of Ohio Valley s defensive measures, the threat from cyber-attacks is severe, attacks are sophisticated and increasing in volume, and attackers respond rapidly to changes in defensive measures. While to date, Ohio Valley has not detected a significant compromise, significant data loss, or any material financial losses related to cybersecurity attacks, Ohio Valley s systems and those of its customers and third-party service providers are under constant threat, and it is possible that Ohio Valley could experience a significant event in the future. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of Internet banking, mobile banking, and other technology-based products and services by us and our customers.

Company Information