F&M BANK CORP 10-K Cybersecurity GRC - 2024-03-27

Page last updated on April 11, 2024

F&M BANK CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-27 14:10:48 EDT.

Filings

10-K filed on 2024-03-27

F&M BANK CORP filed a 10-K at 2024-03-27 14:10:48 EDT
Accession Number: 0001654954-24-003726


Item 1C. Cybersecurity.

Item 1C. Cybersecurity for more information.

Future Regulation. Congress may enact legislation from time to time that affects the regulation of the financial services industry, and state legislatures may enact legislation from time to time affecting the regulation of financial institutions chartered by or operating in those states. Federal and state regulatory agencies also periodically propose and adopt changes to their regulations or change the application of existing regulations. The substance or impact of pending or future legislation or regulation, or the application thereof, cannot be predicted, although enactment of the proposed legislation could impact the regulatory structure under which the Company and the Bank operate and may significantly increase costs, impede the efficiency of internal business processes, require an increase in regulatory capital, require modifications to business strategy, and limit the ability to pursue business opportunities in an efficient manner. Management expects that financial institutions will remain heavily regulated, and that additional laws or regulations may be adopted further regulating specific banking practices.

Effect of Governmental Monetary Policies. The Company's operations are affected not only by general economic conditions but also by the policies of various regulatory authorities. In particular, the Federal Reserve uses monetary policy tools to impact money market and credit market conditions and interest rates to influence general economic conditions. These policies have a significant impact on the overall growth and distribution of loans, investments, and deposits; they affect market interest rates charged on loans or paid for deposits and can significantly influence employment and inflation rates. Federal Reserve monetary policies have had a significant effect on the operating results of commercial banks, including the Company, in the past and are expected to do so in the future.

Operating Revenue

The following table displays components that contributed 15% or more of the Company's total operating revenue for the years ended December 31, 2023 and 2022:

Period               Class of Service                                 Percentage of Total Revenues
December 31, 2023    Interest and fees on loans held for investment   72.14%
December 31, 2022    Interest and fees on loans held for investment   66.13%

Executive Officers of the Company

Aubrey Michael (Mike) Wilkerson, 65, has served as Chief Executive Officer of the Company and the Bank since April 2023. Prior to that he served as Executive Vice President/Chief Lending Officer from January 2022 to April 2023, and Executive Vice President/Chief Strategy Officer and Northern Shenandoah Valley Market Executive since January 2021. Mr. Wilkerson began his banking career at Wachovia Bank on January 4, 1982. Mr. Wilkerson's banking experience includes Dealer Financial Services, Retail Banking, Private Banking, Commercial Banking and senior strategic leadership positions. From 2012 to 2018, Mr. Wilkerson was the Business Banking Division Executive for Virginia, Maryland and Washington, DC at Wachovia. Most recently, Mr. Wilkerson served as the Commercial Banking Market Executive from 2018 through 2020 for the Western Mid-Atlantic Region at Wells Fargo.

Barton E. Black, 53, has served as the Executive Vice President/Chief Operating Officer of the Company and the Bank since June 2020. Prior to that he served as Executive Vice President/Chief Strategy & Risk Officer from March 2019 to May 2020. Prior to joining the Company, he served as Managing Director at Strategic Risk Associates, a financial services consulting company based in Virginia, from August 2012 through February 2019.

Lisa F. Campbell, 56, has served as Executive Vice President/Chief Financial Officer of the Company and the Bank since October 2022. Prior to joining the Company, she served as Group Vice President and Chief Financial Officer for Fidelity Bancshares N.C., Inc. in Fuquay-Varina, North Carolina from August 2014 to October 2022. Previously, she served as Executive Vice President, Chief Operating Officer and Chief Financial Officer for New Century Bancorp, Inc. in Dunn, North Carolina from March 2000 to August 2014 and as Senior Vice President and Controller for Triangle Bancorp, Inc. in Raleigh, North Carolina from September 1997 to March 2000. Ms. Campbell also worked in public accounting from September 1990 through September 1997.

Charles C. Driest, 46, has served as Executive Vice President, Chief Experience Officer since April 2023. Prior to that he served as Senior Vice President, Director of Digital Banking of the Bank and the Company from January 2022 to April 2023. Prior to joining the Company, he served as Senior Vice President, Director of Digital Banking at Essex Bank from July 2017 to January 2022. Mr. Driest holds a Master of Business Administration (MBA) in Finance from St. John's University.

Paul E. Eberly, 42, has served as Executive Vice President/Chief Development Officer since September 2022, Executive Vice President/Chief Credit Officer from September 2020 until September 2022, Senior Vice President/Agricultural & Rural Programs Leader from January 2020 until September 2020, and Vice President/Agricultural & Rural Programs Leader from January 2019 until January 2020. He also served in various sales, lending, credit, risk management and other leadership roles within the Farm Credit System from June 2005 until January 2019. Mr. Eberly has been in the banking and finance industry since 2005.

Melody Emswiler, 50, has served as Executive Vice President/Chief Human Resources Officer since January 2022, Senior Vice President/Human Resources Director from January 2019 to December 2021, Vice President/Director of Human Resources from February 2015 to December 2018, and Assistant Vice President/Human Resources Manager from February 2011 to January 2015. Ms. Emswiler has been in the human resources profession since 1997.

Kevin Russell, 47, has served as the Executive Vice President/President of Mortgage, Title and Financial Services at the Bank and the Company since June 16, 2020. Prior to that he served as the President of F&M Mortgage since 2000.

Jason C. Withers, 41, has served as Executive Vice President/Chief Credit Officer since September 2022, and Senior Vice President/Credit Manager since March 2021. Prior to joining the Company, he served as a Senior Credit Analyst at Blue Ridge Bank from April 2017 to March 2021, and as a Credit Analyst for CresCom Bank from March 2010 to March 2017.

Item 1A. Risk Factors.

Not required.

Item 1B. Unresolved Staff Comments.

None.

Item 1C. Cybersecurity.

Risk Management and Strategy

The Company recognizes the importance of a cybersecurity risk management program designed to assess, identify, and manage risk associated with cybersecurity threats. Our cybersecurity risk management program (the "Program") is consistent with the Federal Financial Institutions Examination Council ("FFIEC") Cybersecurity Assessment Tool, which incorporates bank regulatory guidance and principles from the National Institute of Standards and Technology Cybersecurity Framework and includes the following risk-based principles:

- Identification, measurement, mitigation, monitoring and reporting of cybersecurity threats based on internal and external information sharing and resources;
- Safeguards designed to protect against identified threats, including documented policies and procedures, controls, and employee education and awareness;
- Processes to detect cybersecurity events and improve incident response, including routine testing of incident response, recovery and business continuity plans and processes; and
- A third-party risk management process to manage cybersecurity risk with service providers, suppliers, and vendors.

The Program is designed to adapt to an evolving landscape of emerging cybersecurity threats and advancing technology to determine the Company's cybersecurity preparedness. Based on routine data gathering, emerging risks, internal incidents, technology investments and internal controls, our Program and overall cybersecurity risk strategy are adjusted as needed. The Program is supported by regular training of information security employees and by awareness training and activities for executives, directors, and employees, through which we communicate our cybersecurity policies, standards, processes, and practices to foster a culture of cybersecurity risk management across the Company.

Integrated Risk Management

The Program is integrated into the Company's enterprise risk management framework and functions to identify risk, form a strategy to manage risk, implement the strategy, test the implementation, and monitor our technology environment to control risk. The information technology team works closely with stakeholders across security, risk, compliance, operations, other business stakeholders, and senior leadership to conduct an annual cybersecurity risk assessment utilizing the FFIEC Cybersecurity Assessment Tool.

Engagement of Third Parties in Connection with Risk Management

The Company engages various third parties to evaluate the effectiveness and maturity of the Program. The Company engages an independent third party to audit the cybersecurity risk strategy and preparedness. The Company also maintains cybersecurity insurance; however, the costs related to cybersecurity threats or disruptions may not be fully insured. The Company also engages third parties to perform regular penetration tests, vulnerability scans, disaster recovery tests and cyber exercises to simulate threat actor attacks. Our relationships with third parties enable us to leverage their cybersecurity expertise and industry knowledge to assess our Program and adjust it as needed.

Oversight of Third-party Risks

Our third-party service providers, suppliers, and vendors face their own risks from cybersecurity threats that could impact the Company in certain circumstances. In response, we have implemented processes for overseeing and managing these risks. The processes include limiting the exposure of our information systems to external systems to the least practical amount, assessing third parties' information security practices before allowing them to access our information systems or data, requiring third parties to implement appropriate cybersecurity controls in our agreements with them, conducting ongoing monitoring of their compliance with those requirements, and requiring third parties to agree to contractual requirements designed to ensure cybersecurity concepts are appropriately addressed.

Risks from Cybersecurity Threats

As of the date of this report, we have not encountered any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.

Governance

Board of Directors Oversight

Our Board's Operational Risk Committee oversees cybersecurity risk.

Management's Role in Cybersecurity Risk Management

Given the important role of technology in the Company's operations and customer service, the Company has established an Information Technology Steering Committee, which consists of our IT Manager, President, Chief Financial Officer, Chief Experience Officer, Director of Risk Management and Information Security Officer. The Information Technology Steering Committee reviews, monitors, aligns, and prioritizes all significant strategic information technology initiatives and security risks. The Information Technology Steering Committee reports to the Operational Risk Committee, and minutes of the committee's meetings are subsequently reported by the Operational Risk Committee to the Company's Board of Directors. Our IT Manager, in collaboration with our Information Security Officer, makes quarterly reports to the Information Technology Steering Committee. Such reports include updates related to key metrics, key risk indicators, key performance indicators, penetration test results, risk assessment results, project updates, incident reports, compliance matters, and operational issues.

Risk Management Personnel

The Information Security Officer has the primary responsibility for managing the Program to identify, assess, manage, and control cybersecurity risk. The Information Security Officer reports directly to the President. The Information Security Officer has approximately 15 years of experience in cybersecurity, information security risk management, identity and access management, security architecture, vulnerability management, threat intelligence, security operations and incident management and response.

Monitoring Cybersecurity Incidents

The Information Security Officer is continually informed of and monitors cybersecurity risks and incidents. In the event of a cybersecurity incident, the Company has developed an incident response plan to timely report cybersecurity incidents to the executive management team, the Operational Risk Committee and the Board of Directors, as necessary. In addition to facilitating timely evaluation, escalation and reporting of cybersecurity incidents, this plan also sets forth the process for identifying and assessing the severity of cybersecurity incidents, as well as monitoring post-incident mitigation and remediation.

Reporting to Board of Directors

The Operational Risk Committee receives reports from the President, Information Security Officer, and Director of Risk Management, and briefings on our information security and enterprise risk management programs at least quarterly, including the results of any external audits, bank regulatory examinations and evaluations, as well as maturity assessments of our information security program.


Company Information

Name: F&M BANK CORP
CIK: 0000740806
SIC Description: State Commercial Banks
Ticker: FMBM - OTC
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30