Prime Meridian Holding Co 10-K Cybersecurity GRC - 2024-03-21

Page last updated on April 11, 2024

Prime Meridian Holding Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-21 11:34:16 EDT.

Filings

10-K filed on 2024-03-21

Prime Meridian Holding Co filed an 10-K at 2024-03-21 11:34:16 EDT
Accession Number: 0001437749-24-008801

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C Cybersecurity General Overview Information, including but not limited to proprietary information and personally identifiable information, is one of the Company s most important assets. Protection of our information assets is necessary to establish trust with our clients, fulfill our fiduciary responsibilities, maintain regulatory and legal compliance, and protect our reputation. Our Information Security Program outlines the process of protecting and securing our digital systems that contain and process information vital to our operations. Our cybersecurity management program is a subset of our larger Information Security Program. It provides protection of both client and bank information by preventing, detecting, and responding to cyber-attacks, managing vulnerable access points, practicing active governance, and adhering to risk and compliance regulations. Both programs are managed by our Chief Information Officer ( CIO ) who reports directly to the Company s Chief Executive Officer ( CEO ) and both are overseen by the Board s Information Technology ( IT ) Committee and Audit Committee. The Company has established an information security culture that promotes and communicates the role of all employees in protecting the Company s information and systems. The program defines information security responsibilities and accountability throughout the organization. We communicate these responsibilities to employees upon hiring and regularly throughout employment. We have established policies and procedures, including our Incident Response Plan ( IRP ) for identifying and assessing potential threats, responding to cybersecurity incidents and security breaches, informing executive leadership and the Board, and reporting incidents within the approved timeline adopted by the FDIC in 2021 and the Securities and Exchange Commission in December 2023. In addition, the Company complies with the following reporting requirements: FDIC Computer-Security Incident Notification Rule State statutes and laws regarding cybersecurity Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) Rules adopted by the SEC on Cybersecurity Risk Management, Strategy, Governance and Incident Response disclosure and All other applicable regulations. Strategy In order to provide proper management of cybersecurity risk, management has committed to the following plan: (1) foster an environment that values cybersecurity initiatives in order to accomplish business and operational goals (2) review and update the cybersecurity program on an annual basis (3) perform a cybersecurity risk assessment on an annual basis requiring that the performance of the assessment meets standards set forth by the Federal Financial Institutions Examination Council ( FFIEC ) guidelines and external auditors (4) foster awareness and training for all employees (5) enlist additional support of third-party experts in the event of cybersecurity incidents (6) subscribe to cybersecurity forums where information is distributed (7) monitor and respond to cybersecurity threats and alerts (7) review and update the business continuity plan, IRP, and vendor management plan, focusing on cyber-resiliency and third-party management of cyber activities and (8) keep the Audit Committee, IT Committee and Board informed on the status of cybersecurity. On an annual basis the Company s IT Committee and Board will review and approve the information security and cybersecurity program, review and approve the business continuity plan and testing, and approve the risk assessment guidelines and methodologies. Enterprise Risk Management Our policies and procedures related to Cybersecurity are a vital component of the Company s enterprise risk management program ( ERM ) which is managed by the Company s Chief Risk Officer ( CRO ) and is overseen by Audit Committee. Our ERM program includes periodic activities to assess cybersecurity risks that could result in material disruption to the Company such as data breaches, malfunction of critical systems to operate key banking functions, information hostage incidents, and interference with key vendor programs. Any cybersecurity risks identified are tracked through the ERM program and their assessments are assigned risk owners at the senior leadership level. Cybersecurity training is a key component of annual employee training and is conducted through the year utilizing different methods such as training sessions with the CIO, on-demand third-party cybersecurity and phishing exercise campaigns, and periodic third-party-conducted social engineering testing. Third Party Service Providers The Bank has implemented a third-party management policy (Vendor Management Policy) within the Information Security and Cybersecurity Program which requires due diligence and consideration of cyber risk prior to contract signing. As deemed necessary, vendors identified within the program are reviewed at least annually, and in-depth reviews of critical vendors are documented and presented to management as needed. The overall program is presented to the Board of Directors each year. Governance The Board and IT Committees oversee the responsibility in developing, implementing, and maintaining the information security program and cybersecurity program, and hold senior management accountable for its actions. To accomplish this, the Board maintains a reasonable understanding, and is informed through Committee minutes and Board meetings. The Board of Directors receives annual training on cybersecurity and information security. The IT Committee has direct oversight responsibilities for our cybersecurity program and receives reports on the Company s cybersecurity program from our CIO at each of our regular meetings which occur quarterly. These reports include analyses of any recent cybersecurity threats and incidents at the Company and across the industry, along with a review of internal controls, risk mitigation strategies and third-party service providers. At least annually, the Board of Directors receives reports on the Company s cybersecurity program and a briefing of recent developments from the CIO. Management Our senior executive management team is actively engaged in the oversight of our cybersecurity program and its future strategy. The CIO has been with the Company since 2011 and in the banking industry since 2002 holding various positions in operations, compliance and information technology. He has a background in software programming and hacking/intrusion and holds various certifications and designations such as Certified Information Systems Security Professional, Certified Data Privacy Solutions Engineer, Certified Regulatory Compliance Manager, Accredited ACH Professional and others in technology, security, risk, and compliance. The CIO has a Bachelor of Science in Electrical Engineering and a Master of Science in Cybersecurity and Information Assurance. Additionally, the CIO participates in Infragard (a partnership between the Federal Bureau of Investigation (“FBI”) and the private sector and the American Banker’s Association (“ABA”) cyber forums. He also participated in the FBI Chief Information Security Officer (“CISO”) Academy, Class 10. Senior management documents and reports to the Board (or a Board-appointed subcommittee) on the status of the information security program, which includes, but is not limited to, the following: Risk assessment process, including threat identification and assessment Risk management and control decisions, including risk acceptance and avoidance Third-party service provider arrangements Results of testing If applicable, security incidents and/or breaches or violations of law or regulation and management’s response to such incidents and Recommendations for updates and improvements to the overall information security program. 22 Detection, Mitigation and Remediation The Bank has implemented automated systems designed to detect potential malware and anomalies, and notify management of threats. These systems include anti-virus/anti-malware, network log reporting, network-based intrusion detection and incident response systems, external firewall intrusion detection and prevention systems, endpoint protection, and data leakage protection. Anti-virus/anti-malware systems are designed to be updated as needed and definitions are distributed to Bank computers. Network Log Reporting is consolidated and retained in read-only formats with limited access. Logs are gathered from critical systems on the network and consolidated within a security information and event management (“SIEM”) solution. A third-party monitored network-based intrusion detection and incident response program has been contracted. This system draws logs from systems and firewalls, and is driven by classification and risk-based threat analysis of network traffic. This system automatically analyzes network traffic against a world-wide threat exchange to increase the awareness of newly introduced threats and vulnerabilities. All monitoring efforts are expected to communicate directly with the Bank through the IT department. Staff has adequate experience and subject matter knowledge to address or elevate issues, and is entrusted with making final determinations of risk and threats, and escalating issues through management or to third-parties. Where appropriate, the Bank will disseminate information to organizations such as the Financial Services Information Sharing and Analysis Center ( FS-ISAC ) or Cybersecurity & Infrastructure Security Agency (“CISA”) and other similar incident management user groups. The Bank has implemented an IRP that identifies roles and responsibilities for Bank employees, as well as general scenarios for management and containment of incidents. The Plan is reviewed and updated at least annually by senior management and reviewed by either the IT Committee or the Board of Directors prior to approval by the Board of Directors. Incidents and Risks We have not experienced a material cybersecurity incident and although we are subject to ongoing and evolving cybersecurity threats, management is not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. Please see Item 1A “Risk Factors” for further discussion of the material risks associated with the interruption or breach of our information systems or information assets.

Company Information