Rhinebeck Bancorp, Inc. 10-K Cybersecurity GRC - 2024-03-26

Page last updated on April 11, 2024

Rhinebeck Bancorp, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-26 16:03:21 EDT.

Filings

10-K filed on 2024-03-26

Rhinebeck Bancorp, Inc. filed an 10-K at 2024-03-26 16:03:21 EDT
Accession Number: 0001751783-24-000009

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Rhinebeck Bank recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. As a financial services company, cyber threats are ever present and growing, and the potential exists for a cybersecurity incident disrupting business operations and compromising sensitive data. Our risk management program is designed to identify, assess, and mitigate risks across various aspects of our company, including financial, operational, regulatory, reputational, and legal. Cybersecurity is a critical component of this program, given the increasing reliance on technology and the potential of cyber threats. Our objective for managing cybersecurity risk is to avoid or minimize the impact of external threat events or other efforts to penetrate, disrupt or misuse our systems or information. The structure of our information security program is designed around the Federal Financial Institutions Examination Council Cybersecurity Guidelines, regulatory guidance, and other industry standards. In addition, we leverage certain industry and government associations, third-party benchmarking, audits and threat intelligence feeds to facilitate and promote program effectiveness. Managing Material Risks & Integrated Overall Risk Management Rhinebeck Bank has strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Our internal risk management team works closely with our IT department to evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. We also employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. We have established processes and systems designed to mitigate cyber risk, including ongoing education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests. Engaging Third Parties on Risk Management Recognizing the complexity and evolving nature of cybersecurity threats, Rhinebeck Bank engages with a range of independent external data security professionals, including cybersecurity risk assessors, consultants, internal and external auditors, and insurance professionals to obtain a holistic view of our cybersecurity landscape. These partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain at the forefront of industry best practices. Our collaboration with these third parties includes regular audits, threat assessments, and consultations on cybersecurity enhancements to proactively address new and evolving risks and strengthen our cyber security program. Mitigating Third-Party Risk Because we are aware of the risks associated with third-party service providers, Rhinebeck Bank implements stringent processes to oversee and manage these risks. We conduct thorough security assessments of all third-party providers before engagement and maintain ongoing monitoring to ensure compliance with strict cybersecurity standards. Risks from Cybersecurity Threats We have not encountered any cybersecurity incidents, directly or indirectly, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. 43 Table of Contents Governance The Board of Directors is acutely aware of the critical nature of managing risks associated with cybersecurity threats. The Board has established oversight mechanisms to ensure effective governance in managing these risks because it recognizes the significance of these threats to our operational integrity, shareholder and customer confidence and reputation. Board of Directors Oversight The Board is responsible for the oversight of cybersecurity risk management and is composed of members with diverse expertise in risk management, technology, and finance, thereby equipping them to manage and prevent cybersecurity risks effectively. Management s Role in Managing Risk The General Counsel and Chief Risk Officer ( CRO ), the SVP, Information Technology, the virtual Chief Information Security Officer ( vCISO ) employed by DeepSeas Security, a cyber defense services business that partners with customers to reduce cybersecurity risks and the related costs. The vCISO and the CEO each play a pivotal role in informing the Board of Directors on cybersecurity risks. They provide comprehensive briefings to both the Board and the Audit Committee at least once per year and more frequent as needed. These briefings encompass a broad range of topics, including: Current cybersecurity landscape and emerging threats Status of ongoing cybersecurity initiatives and strategies Incident reports and issues identified from any cybersecurity events and Compliance with regulatory requirements and industry standards. In addition to our regularly scheduled Board meetings, the General Counsel and CRO, the SVP, Information Technology, the vCISO and the CEO regularly communicate regarding emerging or potential cybersecurity risks. They discuss any significant developments in the cybersecurity domain, which when reported to the Board, ensures the Board s oversight is proactive and responsive. The Board of Directors actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. This involvement ensures that cybersecurity considerations are integrated into the broader strategic objectives of Rhinebeck Bank. The Board of Directors closely reviews the annual vCISO report of the Bank s cybersecurity posture and the effectiveness of its risk management strategies prior to approval. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework. Risk Management Personnel The vCISO directly reports to the General Counsel and CRO. The vCISO, CRO and the SVP, Information Technology meet regularly to discuss both internal and external cybersecurity risks and incidents. The CRO and the SVP, Information Technology also regularly meet with the CEO to update him on any cybersecurity risks and incidents affecting us. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing Rhinebeck Bank. Furthermore, all significant cybersecurity matters and strategic risk management decisions are promptly escalated to the Board of Directors, ensuring that they have an up-to-date, comprehensive understanding of and can provide guidance on critical cybersecurity issues. Primary responsibility for assessing and providing strategic direction to our cybersecurity program resides with our vCISO at DeepSeas Security. With over 20 years of global leadership and management experience in the field of cybersecurity, our vCISO brings a wealth of expertise to his role. His experience includes prior CISO leadership roles in the fintech sector, where he developed an expert level of understanding of the intersection between financial regulations and cloud-based technologies. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Our vCISO oversees our governance programs, works with our technology-focused leaders and partners to align security and compliance, and has helped define our employee security awareness training program. 44 Table of Contents Monitoring Cybersecurity Incidents The vCISO is informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This knowledge is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The vCISO provides structure for clear processes to ensure the regular monitoring of our information systems. At Rhinebeck Bank, this includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, our partnership with DeepSeas Security allows us to be equipped with a well-defined incident response plan that is adequately resourced. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevent future incidents.

Company Information