Skyline Bankshares, Inc. 10-K Cybersecurity GRC - 2024-03-27

Page last updated on April 11, 2024

Skyline Bankshares, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-27 16:13:02 EDT.

Filings

10-K filed on 2024-03-27

Skyline Bankshares, Inc. filed an 10-K at 2024-03-27 16:13:02 EDT
Accession Number: 0001437749-24-009598

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cybersecurity Risk Management and Strategy Cybersecurity risks are constantly evolving and becoming increasingly pervasive across all industries. To mitigate these risks and protect sensitive customer data, financial transactions and our information systems, the Company has implemented a comprehensive cybersecurity risk management program, which is a component of its overarching enterprise risk management program. Key components of the cybersecurity risk management program include: A risk assessment process that identifies and prioritizes material cybersecurity risks defines and evaluates the effectiveness of controls to mitigate the risks and reports results to executive management and the Board of Directors. A third-party Managed Detection and Response ( MDR ) service, which monitors the security of our information systems around-the-clock, including intrusion detection and alerting. A team covering all critical cyber defense functions such as engineering, data protection, identity and access management, insider risk management, security operations, threat emulation and threat intelligence. A training program that educates employees about cybersecurity risks and how to protect themselves from cyberattacks. An awareness program that keeps employees informed about cybersecurity threats and how to stay safe online. An incident response plan that outlines the steps the Company will take to respond to a cybersecurity incident, which is tested on a periodic basis. The Company engages reputable third-party assessors to conduct various independent risk assessments on a regular basis, including but not limited to maturity assessments and various testing. Following a defense-in-depth strategy, the Company leverages both in-house resources and third-party service providers to implement and maintain processes and controls to manage the identified risks. Our Third-Party Risk Management program is designed to ensure that our vendors meet our cybersecurity requirements. This includes conducting periodic risk assessments of vendors, requiring vendors to implement appropriate cybersecurity controls and monitoring vendor compliance with our cybersecurity requirements. The Company s cybersecurity risk management program and strategy are designed to protect the company’s information and information systems from a variety of threats, both natural and man-made. Periodic risk assessments are performed to validate control requirements and ensure that the Company s information is protected at a level commensurate with its sensitivity, value, and criticality. Preventative and detective security controls are employed on all media where information is stored, the systems that process it, and infrastructure components that facilitate its transmission to protect the confidentiality, integrity, and availability of Company information. These controls include, but are not limited to access control, data encryption, data loss prevention, incident response, security monitoring, third party risk management, and vulnerability management. The Company’s cybersecurity risk management program and strategy are regularly reviewed and updated to ensure that they are aligned with the Company’s business objectives and are designed to address evolving cybersecurity threats and satisfy regulatory requirements and industry standards. Material Effects of Cybersecurity Threats While cybersecurity risks have the potential to materially affect the Company’s business, financial condition, and results of operations, the Company does not believe that risks from cybersecurity threats or attacks, including as a result of any previous cybersecurity incidents, have materially affected the Company, including its business strategy, results of operations or financial condition. However, the sophistication of cyber threats continues to increase, and the Company s cybersecurity risk management and strategy may be insufficient or may not be successful in protecting against all cyber incidents. Accordingly, no matter how well designed or implemented the Company s controls are, it will not be able to anticipate all cyber security breaches, and it may not be able to implement effective preventive measures against such security breaches in a timely manner. For more information on how cybersecurity risk may materially affect the Company s business strategy, results of operations or financial condition, please refer to Item 1A. Risk Factors above. 21 Governance Board of Directors Oversight The Company s Board of Directors is charged with overseeing the establishment and execution of the Company s risk management framework and monitoring adherence to related policies required by applicable statutes, regulations and principles of safety and soundness. Consistent with this responsibility the Board has delegated primary oversight responsibility over the Company s risk management framework, including oversight of cybersecurity risk and cybersecurity risk management, to the Technology Committee of the Board of Directors. The Technology Committee receives regular updates on cybersecurity risks and incidents and the cybersecurity program through direct interaction with the Chief Operations Officer and the Information Security Officer and provides periodic updates regarding cybersecurity risks and the cybersecurity program to the full Board of Directors. Additionally, awareness and training on cybersecurity topics is provided to the Board on an annual basis. Management’s Role The Company s information security program is primarily administered at the management level by the Information Security Officer, and is supported by the Information Technology Department, which is led by the Chief Operations Officer. The Information Security Officer is responsible for day-to-day management of the Company s information security program, including data loss prevention, access control, threat monitoring, incident response and employee education and training. The Company also maintains policies related to cybersecurity and data security that provide the required governance and technical aspects for the information security program. Each policy is mapped to applicable regulatory guidance, and is reviewed and approved by the Board annually. 22

Company Information