NATIONAL BANKSHARES INC 10-K Cybersecurity GRC - 2024-03-19

Page last updated on April 11, 2024

NATIONAL BANKSHARES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-19 10:00:58 EDT.

Filings

10-K filed on 2024-03-19

NATIONAL BANKSHARES INC filed an 10-K at 2024-03-19 10:00:58 EDT
Accession Number: 0001437749-24-008428

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy The Company recognizes the risks posed by cybersecurity threats, including the risk of harm to our customers, our financial condition and results of operations, and our reputation. Following a layered defense-in-depth strategy, the Company utilizes a variety of controls and both internal and third-party resources to assess and manage identified risks. The following components of our information security program address cybersecurity risk management, and have been integrated into the Company s overall risk management systems and processes: Cybersecurity risks are identified and prioritized for resource allocation using two annual risk assessments: an internal risk assessment utilizing the Federal Financial Institutions Examination Council s ( FFIEC ) Cybersecurity Assessment Tool, and a formal risk assessment prepared in conjunction with an external consultant. A comprehensive set of security technologies constantly monitor our information systems and data, including endpoint detection and response services, intrusion detection and prevention, various filtering technologies, and event correlation technologies that alert management to potential cybersecurity threats. Skilled internal personnel manage and update cyber defense functions including engineering, configuration, data protection, identity and access management, security operations, and threat intelligence. Training programs continuously educate employees about cybersecurity risks and protection practices. Periodic social engineering testing assists management in identifying training needs. An incident response plan outlines the Company s response to a cybersecurity incident. Periodic testing of the plan ensures readiness and identifies refinements. Reputable third-party assessors are engaged to conduct various assessments on a regular basis. Supporting the Company s information security program is a third-party risk management program that manages the life cycle of external service providers and ensures that vendors meet the Company s cybersecurity requirements. This includes a periodic risk assessment of vendors and the review of vendor assessment documentation including audit reports and other independent control assessments. The Company s cybersecurity risk management and strategy are regularly reviewed and updated to support our business strategy and objectives, our overall risk management, and address evolving potential cybersecurity threats. Material Effects of Cybersecurity Threats Cybersecurity risks have the potential to materially affect the Company s business, financial condition and results of operation. The Company strengthened its cybersecurity framework in response to cyber attacks in 2016 and 2017 and does not believe that risks from cyber security threats or attacks have materially affected the Company since 2017. However, the sophistication of emerging cyber threats and the utilization of new attack methods continues to evolve. The Company s cybersecurity risk management and strategy may not protect against all cyber incidents. For more information on how cybersecurity risk may materially affect the Company s business strategy, results of operations or financial condition, please refer to Item 1A, Risk Factors of this Form 10-K. 18 Table of Contents Governance Board of Directors Oversight The Company s Board of Directors is charged with overseeing the establishment and execution of the Company s enterprise risk management framework, including cybersecurity risk, and monitoring adherence to related policies required by applicable statutes, regulations and principles of safety and soundness. The Company s Information Security Officer ( ISO ) provides the Board Risk Committee with regular updates on information security risk management and an annual comprehensive information security status report, which assesses the effectiveness of the program and updates the Risk Committee on developing trends and emerging threats. Management s Role The Company s ISO, supported by skilled internal personnel, is responsible for identifying, assessing and managing cybersecurity risks and designing, implementing and maintaining the Company s information security program. The ISO has many years of experience and holds multiple certifications appropriate to the role. The ISO reports to the Senior Vice President/Sr. Operations, Risk & Technology Officer and the Board of Directors. Management s enterprise risk management committee receives regular updates from the ISO on cybersecurity related risks, including trends and emerging threats.

Company Information