Burke & Herbert Financial Services Corp. 10-K Cybersecurity GRC - 2024-03-22

Page last updated on April 11, 2024

Burke & Herbert Financial Services Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-22 09:06:56 EDT.

Filings

10-K filed on 2024-03-22

Burke & Herbert Financial Services Corp. filed a 10-K at 2024-03-22 09:06:56 EDT
Accession Number: 0001964333-24-000079


Item 1C. Cybersecurity.

The federal bank regulatory agencies have adopted guidelines for establishing information security standards and cybersecurity programs for implementing safeguards under the supervision of a financial institution's board of directors. These guidelines, along with related regulatory materials, increasingly focus on risk management and processes related to information technology and the use of third parties in the provision of financial products and services. The federal bank regulatory agencies expect financial institutions to establish lines of defense and to ensure that their risk management processes address the risk posed by compromised customer credentials, and also expect financial institutions to maintain sufficient business continuity planning processes to ensure rapid recovery, resumption, and maintenance of the institution's operations after a cyberattack. If the Company or the Bank fails to meet the expectations set forth in this regulatory guidance, the Company or the Bank could be subject to various regulatory actions and any remediation efforts may require significant resources of the Company or the Bank.

On November 18, 2021, the federal bank regulatory agencies issued a final rule, with compliance required as of May 1, 2022, imposing new notification requirements for cybersecurity incidents. The rule requires financial institutions to notify their primary federal regulator as soon as possible and no later than 36 hours after the institution determines that a cybersecurity incident has occurred that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the institution's: (i) ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business, (ii) business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value, or (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States. To date, we have not experienced a material cyber-attack that would require such reporting, though there can be no guarantee that such will not occur in the future, and any such attack could have a negative effect on our business and results of operations.

Cybersecurity risk is a key factor in assessing the Company's overall operational and regulatory risk and is a component of our overall information security protocols. The Company maintains a formal information security management program designed, in part, to identify risks to sensitive information, protect that information, detect threats and events, and maintain an appropriate response and recovery capability to help ensure resilience against information security incidents. The program includes, among other things, 24/7 monitoring of all critical infrastructure, active threat hunting, and endpoint Extended Detection and Response (XDR) capabilities, to assist with prevention of attacks from advanced adversaries. This monitoring and response is reinforced with regular vulnerability scanning/remediation and penetration testing and includes an annual risk assessment that looks to threats on the Company's own information technology platforms, and also assesses potential threats owing to our use of third-party information technology platforms and services. As part of these processes, we engage well-established and professional third-party information security consultants to aid in the assessment and development of our monitoring and threat-detection processes and work with our internal teams. All employees receive security training upon hiring, annual refresher training, and phishing exercises to raise employee awareness.

Information security protocols are a part of the Company's Information Security Policy, which is reviewed and approved annually by the Company's Board. The ongoing oversight of cybersecurity risk is accomplished primarily through the Information Technology Steering Committee, comprised of management, and the Regulatory Risk Committee and the Enterprise Risk Management Committee, both comprised of management and members of the Board. Through these committees the Company keeps abreast of significant matters of actual, threatened, or potential breaches of cybersecurity protocols, monitors the effectiveness of the information security program through regular review of key metrics and assessment reports, discusses topical events requiring consideration, and if necessary, recommends changes to the Information Security Policy for approval by the Company's Board, which retains the ultimate responsibility for overseeing our enterprise risk management, including cybersecurity. In addition to regular reports from these committees, the Board receives regular reports from management on material cybersecurity risks and the Company's efforts to combat threats to its digital infrastructure.

The Company also maintains specific cyber insurance through its corporate insurance program, the adequacy of which is subject to review and oversight by the Company's Board. With the increase in cyber-threat vectors and enhanced focus on cybersecurity, the Company and the Bank continue to monitor legislative, regulatory, and supervisory developments related thereto.


Company Information

Name: Burke & Herbert Financial Services Corp.
CIK: 0001964333
SIC Description: National Commercial Banks
Ticker: BHRB - Nasdaq
Website:
Category: Emerging growth company
Fiscal Year End: December 30