MID PENN BANCORP INC 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

MID PENN BANCORP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 12:43:10 EDT.

Filings

10-K filed on 2024-03-28

MID PENN BANCORP INC filed an 10-K at 2024-03-28 12:43:10 EDT
Accession Number: 0000879635-24-000049

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Mid Penn places an emphasis on managing risks effectively to achieve its business goals and maintain the confidence of its shareholders. Cybersecurity is one of the company’s most critical risks and is an integral part of our Risk Management program. We are open about our willingness to take risks and regularly review and update our risk management policies to keep up with the ever-changing financial landscape. Our risk committees, made up of experienced professionals, carefully evaluate the risks associated with our business activities, ensuring that our risk-taking aligns with our overall corporate goals. Mid Penn engages a team of external assessors, auditors, and consultants to support our cybersecurity and risk management efforts. We seek information and guidance from reputable third-party organizations such as CISA, RMA, and FS-ISAC to aid in making responsible decisions and mitigating risks. We utilize threat detection and prevention technologies to analyze network traffic and identify atypical behavior that may indicate a potential cyber threat. This proactive approach is intended to enable us to detect threats before they can cause harm to our systems or compromise sensitive information. Additionally, we conduct regular penetration testing and vulnerability assessments to identify and remedy potential deficiencies in our systems. Mid Penn protects and monitors its technology environment with industry leading security tools including next-generation firewalls with intrusion prevention services, intrusion detection and response tools, email security gateway, log and event monitoring software, and an industry-leading antivirus solution. Each system is administered and monitored by members of our Information Technology and Information Security staff. Real-time alerts received from these systems are responded to by staff and worked until the threat is determined to be mitigated. Impactful computer security events would be subject to the guidance provided in our Incident Response Program, that is tested annually so we are ready to respond if needed. Mid Penn relies on several reputable service providers who provide systems or support to our technology environment. Service providers are selected carefully and monitored closely through our Vendor Management program. With routine, ongoing service provider reviews that exist throughout the relationship with the service provider, and with alerting for notable events for our service providers in place, we can quickly identify potential threats and mitigate threats with our service providers as needed. We have created a robust Information Security Awareness Program to deliver our employees pertinent and timely educational content. Mindful that human error can be a significant factor in cybersecurity incidents, our employees undergo regular training to stay informed about the latest threats and best practices. This reduces the risk of inadvertent security breaches and cultivates a culture of security throughout the organization. Additionally, we regularly conduct social engineering tests on our employees to keep them sharp and alert for threats through email, text messages, and voice calls. Mid Penn did not experience a material incident to our computer systems or networks in 2023. Mid Penn’s Information Technology and Security management team is responsible for implementing and executing the company’s cybersecurity strategy on a day-to-day basis. This team of cybersecurity experts specializes in managing risks for financial services providers. The Chief Information Security Officer has 20 years of experience and is accompanied by an Information Security Officer with ten years of experience in the field. With over twenty years of experience providing secure networks for the banking industry, the Information Technology Operations Manager is highly skilled in network security and risk mitigation. Information Technology and Security management hold a monthly meeting to assess the organization’s cybersecurity position and distributes information to the Board of Directors. The Board of Directors oversees the risk management process, while executive leadership implements risk mitigation and cybersecurity strategies. The company’s cybersecurity strategy is actively overseen and guided by the Board of Directors through a quarterly subcommittee meeting with the full Board engaged annually. Executive management provides cybersecurity and risk management updates to the Board through the Risk Committee and the Technology Steering Committee. Information Technology knowledge is considered a core competency by eight of fifteen Board members. They guide the full Board in setting cybersecurity objectives, approving policies, and allocating resources. We acknowledge that risk is a natural part of the financial industry. The threat landscape is ever-changing, and with increasingly sophisticated techniques, threat actors pose a greater risk to Mid Penn and its customers, leaving us vulnerable to cyberattacks and information security incidents. However, our commitment is to maintain a careful balance between innovation and risk mitigation. To achieve this, we have developed a risk appetite that aligns with our strategic goals and regulatory requirements. This framework encourages innovation while ensuring our risks are well-understood, measured, and managed. 28 MID PENN BANCORP, INC.

Company Information