Village Bank & Trust Financial Corp. 10-K Cybersecurity GRC - 2024-03-22

Page last updated on April 11, 2024

Village Bank & Trust Financial Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-22 16:31:12 EDT.

Filings

10-K filed on 2024-03-22

Village Bank & Trust Financial Corp. filed a 10-K at 2024-03-22 16:31:12 EDT
Accession Number: 0001544784-24-000003


Item 1C. Cybersecurity.

Overview

The cybersecurity threat environment is volatile and dynamic, requiring a robust and dynamic framework to reduce and mitigate cybersecurity risk. Cybersecurity risk includes exposure to failures or interruptions of service or security breaches resulting from malicious technological attacks that impact the confidentiality, integrity, or availability of our or third parties' operations, systems, or data. We seek to mitigate cybersecurity risk and associated reputational and compliance risk by, among other things: maintaining privacy policies, management oversight, accountability structures, and technology design processes to protect private and personal data; actively monitoring and mitigating cybersecurity threats and risks with a three lines of defense structure to provide oversight, governance, challenge and testing; using a third-party cybersecurity oversight program; and maintaining oversight of our information security program by senior management, our board-level Risk Committee, and our Board of Directors.

We had no material cybersecurity incidents in 2023.

Risk Management and Strategy

Our cybersecurity risk management strategy is integrated into our enterprise risk management framework and is embedded in each of our three lines of defense. We use a combination of management expertise and Board oversight, as discussed below, as well as outside partners to assist us in overseeing our cybersecurity risk management program. We deploy safeguards designed to protect customer information and our own corporate information and technology. We have programs and processes in place designed to mitigate known attacks, and we use both internal and external resources to scan for vulnerabilities in our applications, systems, and platforms. We implement backup and recovery systems and require the same of our third-party service providers.

We use independent third-party service providers to perform penetration testing of our infrastructure to help us better understand the effectiveness of our controls, improve our defenses, and conduct assessments of our program for compliance with regulatory requirements and industry guidelines. We also engage with outside risk experts and industry groups, including other peer institutions, as needed, to help us evaluate potential future threats and trends, particularly with respect to emerging information security and fraud risks. We generally have agreements in place with our service providers that include requirements related to cybersecurity and data privacy. We cannot guarantee, however, that such agreements will prevent a cyber incident from impacting our systems or information. Additionally, we may not be able to obtain adequate or any reimbursement from our service providers in the event we should suffer any such incidents. Due to applicable laws and regulations or contractual obligations, we may be held responsible for cyber incidents attributed to our service providers in relation to any data that we share with them. While, to date, we have not experienced a significant compromise, attack, or loss of data related to cybersecurity attacks, due to the nature of our business we are under constant threat of an attack and could experience a significant cybersecurity event in the future. Potential risks we could face from a cybersecurity event are discussed in Risk Factors above.

Governance

Through established governance structures, including our incident response plan, we have processes and procedures to help facilitate appropriate and effective oversight of cybersecurity risk. These processes and procedures enable our three lines of defense and management to review and manage cybersecurity risks, monitor threats, and provide for further escalation to executive management, our board-level Risk Committee, or to the full Board, as appropriate.

Role of the Board of Directors

Our Board of Directors plays a critical role in the oversight of risk, including risks from cybersecurity threats, and has established a risk oversight structure that seeks to ensure that cybersecurity risks are identified, monitored, assessed, and mitigated appropriately. In that regard, our Board is actively engaged in the oversight of our cyber risk profile, which includes risks from cybersecurity threats, enterprise cyber strategy, and key cyber initiatives. Our Board regularly receives reports on such matters from our Information Security Officer and other relevant personnel. Our Board also meets with our internal and external auditors, and with federal and state regulators, to review and discuss reports on risk, examination, and regulatory compliance matters. Our Board Risk Committee is responsible for assisting the Board in its oversight of risk, including cybersecurity threats, and for overseeing our enterprise risk management framework. The Board Risk Committee actively engages with our Chief Risk Officer and other members of management to discuss major risk exposures, establish risk management principles, and determine our risk appetite, and it regularly reports on its activities, and makes recommendations, to the full Board. The Board Risk Committee receives a quarterly summary analysis of cybersecurity risks, threats, and incidents. In addition, the Board Risk Committee is engaged, as needed, in accordance with our Incident Response Plan.

Role of Management

Our cybersecurity risk management program is built on three lines of defense, which collectively are designed to identify, assess, and manage our material risks from cybersecurity threats. Our Chief Risk Officer is responsible for implementing our enterprise risk management framework and reports directly to our Chief Executive Officer. Our first line of defense is our employees. Employees receive training, at least annually, on information security. In addition, our Information Security Officer provides ongoing information security education and awareness for teammates, such as online training classes, mock phishing attacks, and information security awareness materials. The second line of defense independently evaluates, monitors, and challenges our risk mitigation efforts to proactively identify cybersecurity risks, including early-stage engagement and risk management with emerging threats. Second line teammates provide effective challenge to the cybersecurity risk management efforts of the first line through ongoing engagement in problem incidents, regular reviews of cybersecurity risk reporting, and inquiries into the sufficiency of risk management activities. Our second line of defense leads our Management Risk and Compliance Committee, which governs our technology and operational risk tolerances, including cybersecurity and third- and fourth-party provider risks. This committee includes the Information Security Officer, the SVP of IT, and the Chief Risk Officer. The Committee is responsible for escalating key risks to our Executive Leadership Team. Internal Audit serves as the third line of defense and provides independent assurance on how effectively we are mitigating, managing, and challenging our cybersecurity risks.


Company Information

Name: Village Bank & Trust Financial Corp.
CIK: 0001290476
SIC Description: State Commercial Banks
Ticker: VBFC - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30