John Marshall Bancorp, Inc. 10-K Cybersecurity GRC - 2024-03-20

Page last updated on April 11, 2024

John Marshall Bancorp, Inc. reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-03-20 at 16:31:19 EDT.

Filings

10-K filed on 2024-03-20

John Marshall Bancorp, Inc. filed a 10-K at 2024-03-20 16:31:19 EDT
Accession Number: 0001558370-24-003634


Item 1C. Cybersecurity.

Cybersecurity risk is a significant operational risk facing our business. Cybersecurity risks result from intentional malicious attacks or unintentional acts that affect the confidentiality, integrity or availability of our clients' or third parties' operations, systems or data. Cybersecurity risk management is an integral element of the Company's overall risk management strategy. Management assesses and manages material risks from cybersecurity threats through designated management positions and committees that are responsible for overseeing technology and information security. Our Chief Technology and Information Security Officer ensures the coordinated and consistent implementation of risk management initiatives and strategies, working on a frequent basis with our Chief Operating Officer and Chief Financial Officer. Results of the information and cybersecurity efforts, together with recommendations, are reported by the Chief Technology and Information Security Officer to the IT Steering Committee, Risk Management Committee and Board of Directors no less than quarterly. The Audit Committee is primarily responsible for overseeing risk management, including risks associated with cybersecurity and potential threats thereto. Our management is directly involved in assessing and managing cybersecurity risks. The Company uses the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) for improving critical infrastructure by measuring and evaluating the effectiveness of information and cybersecurity controls. We utilize the Payment Card Industry Data Security Standard, and other applicable standards, laws, and regulations. We have various processes for risk assessment, vulnerability management, threat management, independent penetration testing, security architecture, access management, network security management, security event monitoring and security awareness. Certain processes involve the use of third parties.

Risk Assessment Process. On an annual basis, a risk assessment and maturity analysis is performed for the Company based on the NIST CSF. The risk assessment takes into consideration a combination of risks related to the identification, prevention, detection, response, and recovery from cyber events. The risk assessment considers the inherent risk and the controls implemented at the Company and measures the residual risk to ensure it is within the Company's risk tolerance.

Vulnerability Management Process. Regular internal and external vulnerability scanning is conducted at varying intervals to proactively identify configuration weaknesses, missing patches and other vulnerabilities in the Company's information systems environment. Identified vulnerabilities are classified and scored based on severity, known exploitation or malware impacting the vulnerability, and their age in the environment. We prioritize the patching of critical and severe vulnerabilities.

Threat Management Process. In addition to the regular and routine vulnerability scanning, the Company relies on various threat intelligence feeds for the identification and awareness of potential threats that could impact the Company's environment. With the assistance of third-party vendors, threat intelligence is integrated into our monitoring solutions, email filtering, web-browsing controls, malware detection, and perimeter firewalls to proactively prevent, detect and deter threats with the capability to impact the Company's environment. We continually enhance our cybersecurity capabilities based on evolving threats. We have adopted an incident response plan that applies in the event of a cybersecurity threat or incident.

Independent Penetration Testing. On an annual basis, we engage an independent third-party provider to perform various penetration tests of the environment. The penetration tests look at our customer-facing applications, how we respond to social engineering activities, our overall external attack surface and internal vulnerabilities. Issues identified from the penetration tests are tracked and escalated to ensure appropriate remediation occurs before closure.

Security Architecture. To ensure the secure configuration, design, and implementation of our internally hosted and third-party hosted systems, security architecture reviews are conducted. The architecture reviews utilize best practices and involve third-party experts, internal Information Security personnel and third-party vendor contacts to ensure the implementation meets policies, is configured with strong security practices, and utilizes appropriate access controls.

Access Management. Utilizing a least-privilege, need-to-know access methodology, access is controlled through a centralized user access management function responsible for the provisioning, transfer and de-provisioning of user access. Access management also performs routine reviews of application and system access to ensure access remains appropriate. For third-party hosted environments, access management works with security architecture to ensure single sign-on controls are employed or additional authentication factors are utilized to prevent unauthorized access to these environments.

Network Security Management. The security of the Company's network infrastructure is maintained via internal and perimeter firewalls with intrusion detection, some network segmentation to isolate access to certain applications and systems, virtual local area networks, email filtering to identify spam, malware, and phishing messages in received email, malware detection, data loss prevention controls to prevent the theft or mass exfiltration of data, Virtual Private Networks to control remote access to our network, intrusion detection capabilities, network access controls to prevent unauthorized assets from connecting to the network, and web filtering.

Security Event Monitoring. The Chief Technology and Information Security Officer and Information Security personnel work together as a centralized security monitoring team and are responsible for the response to alerts generated from a consolidated log collection system. Log collection occurs from various assets and hosted environments. The 24 x 7 monitoring is provided through a third-party security information and event management tool, which enables threat identification, detects suspicious activity in the environment using a nationally recognized, third-party framework, and performs user behavior analytics and endpoint detection and response. Alerts are investigated to ascertain whether a cyber incident is occurring.

Security Awareness. Quarterly training is conducted as continuing education for all employees, and monthly phishing tests are administered. We also email and post articles on our intranet about common attack schemes for our employees' awareness. An annual cyber report is presented to the Board of Directors, along with monthly cyber reports.

Our Vendor Management Policy contains policies and procedures to follow when utilizing external third parties, and due diligence is performed on new vendors prior to engaging their services. Vendor Management ensures key risk components are mitigated based on acceptable Company standards. Any third parties used in any cybersecurity processes are vetted through our vendor management process. A vendor management report is presented to the Board of Directors on an annual basis by the Chief Technology and Information Security Officer.

Risks from cybersecurity threats or previous incidents have not materially affected our business strategy, results of operations, or financial condition.


Company Information

Name: John Marshall Bancorp, Inc.
CIK: 0001710482
SIC Description: State Commercial Banks
Ticker: JMSB - Nasdaq
Website:
Category: Emerging growth company
Fiscal Year End: December 30