FIDELITY D & D BANCORP INC 10-K Cybersecurity GRC - 2024-03-20

Page last updated on April 11, 2024

FIDELITY D & D BANCORP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-20 15:47:58 EDT.

Filings

10-K filed on 2024-03-20

FIDELITY D & D BANCORP INC filed an 10-K at 2024-03-20 15:47:58 EDT
Accession Number: 0001437749-24-008680

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C: CYBERSECURITY Being a financial services company, the Company encounters inherent cybersecurity risks and threats, which also affect its customers, suppliers, and third-party service providers. Throughout operations, the Company handles and processes data for its customers, employees, partners, and suppliers, understanding that a cybersecurity incident impacting any of these entities could significantly impact its operations and performance. As part of the financial services sector, the Company is held to rigorous regulatory compliance standards. To effectively manage these risks and meet regulatory demands, the Company has implemented a comprehensive, risk-based information security program. This program is designed in alignment with regulatory requirements and the guiding principles of the Federal Financial Institutions Examination Council (FFIEC) handbook and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Information Security Governance and Oversight The Board of Directors assumes ultimate responsibility for overseeing the Company’s information security program. The Company has established an Information Technology Steering Committee (ITSC), comprised of leaders from various departments across the organization, tasked with governing and overseeing the information security program. The ITSC underscores its commitment to treating cybersecurity as a business risk rather than solely a technical concern. The Chief Information Security Officer, reporting to the SVP, General Counsel, is entrusted with leading the cybersecurity risk assessment process. This includes identifying risks, assessing inherent likelihood and impact, evaluating existing mitigating controls, calculating residual risk scores, and recommending risk responses to both the ITSC and the Board of Directors. 16 Table of Contents Information Security Program The Company’s program aims to identify, protect, detect, respond, and recover from cyber threats, striving to prevent cybersecurity incidents to the extent feasible. Simultaneously, it enhances our resilience to minimize the impact of a cybersecurity event. The program is designed to be agile, proactive, and responsive to changes in the evolving threat landscape. It employs a layered cybersecurity approach, encompassing the following key elements: A Security Incident Response Plan (SIRP) detailing procedures and protocols to respond effectively and efficiently to cybersecurity events. A user awareness program featuring regular social engineering testing and training to keep our employees informed about cybersecurity best practices, potential threats, and effective responses to mitigate risks. A continuous vulnerability management program designed to validate the efficacy of our patch management strategy. It prioritizes the remediation of vulnerabilities posing risks to the organization, our customers, and partners. Protective technical security controls, reducing the likelihood of a cybersecurity incident. Detection, response, and recovery capabilities, mitigating the impact of cybersecurity incidents. A vendor management program, designed to manage and mitigate risks associated with leveraging suppliers and third-party service providers. Third-party penetration testing and internal and external vulnerability assessments, validating the effectiveness of our security controls. IT controls audits conducted by both internal and external auditors to ensure compliance with regulatory requirements, as well as our internal corporate policies and procedures. Regular reporting to the Board of Directors, providing insights into our cybersecurity posture and ongoing initiatives. By implementing these measures, the Company strives to maintain a strong cybersecurity posture, safeguarding the organization, customers, and partners from potential threats while ensuring compliance with industry standards and regulations. Notwithstanding the Company’s defensive measures and processes, the threat posed by cyber-attacks is extremely serious. The Company may not be successful in preventing or mitigating all cybersecurity incidents that could have a material adverse effect on the Company. While the Company has not, to date, detected a significant compromise, significant data loss or any material financial losses related to cybersecurity attacks, internal systems and those of our customers and third-party service providers are under constant threat. It is possible that the Company could experience a future significant cybersecurity event. The Company expects risks and exposures related to cybersecurity attacks to remain high for the foreseeable future. For further discussion of risks related to cybersecurity, see “Item 1A Risk Factors.”

Company Information