Virginia National Bankshares Corp 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

Virginia National Bankshares Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 16:01:17 EDT.

Filings

10-K filed on 2024-03-28

Virginia National Bankshares Corp filed an 10-K at 2024-03-28 16:01:17 EDT
Accession Number: 0000950170-24-038005

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY . Cybersecurity Risk Management and Strategy As a corporation committed to maintaining the integrity, confidentiality, and availability of our digital assets and sensitive information, the Company recognizes the critical importance of cybersecurity in today’s interconnected business landscape. The Company’s cybersecurity measures are designed to safeguard our systems, networks, data, and information from unauthorized access, disruption, or misuse. The Company recognizes that cybersecurity is fundamental to maintaining trust with shareholders, customers, and other stakeholders. By prioritizing cybersecurity as a strategic imperative, the Company strives to safeguard business operations, sensitive information, and integrity which preserves the value delivered to all our constituents. Key components of the Company’s cybersecurity program: Risk Management: The Company continuously assesses and mitigates cybersecurity risks across the organization by leveraging industry best practices and frameworks such as NIST Cybersecurity Framework. Governance and Oversight: The Company’s Board of Directors (the Board) regularly reviews cybersecurity matters, ensuring alignment with business objectives and regulatory requirements. A designated Information Technology Strategic Committee, which includes many subject matter experts from the Board and Executive Management, meets quarterly to provide additional focus and expertise in this area. Security Controls: The Company has implemented robust technical and procedural controls to protect information assets, including firewalls, intrusion detection systems, encryption, access controls, and multifactor authentication. These controls are tested periodically by external technology audit firms with penetration tests and security audits. Policy Controls: Annually all employees sign off on the Company s data and device controls. The Company ensures that all information access points are the Company s assets and all data passing through these access points are accessible by the Company and can be deleted whenever the Company deems necessary. Employee Training and Awareness: Ongoing cybersecurity training and awareness programs are implemented to educate employees about potential threats, phishing attacks, social engineering tactics, and best practices for safeguarding company information. Incident Response: The Company maintains a comprehensive incident response plan to promptly detect, contain, and recover from cybersecurity incidents. Regular testing and simulation exercises ensure readiness and effectiveness of response capabilities. Third-Party Risk Management: The Company regularly evaluates and monitors the cybersecurity posture of third-party vendors and partners with whom data is shared or relied upon for critical services, to ensure they meet the Company’s security standards. Continuous Improvement: The Company regularly reviews and makes enhancements to the cybersecurity program to adapt to emerging threats, technological advancements, and changes in regulatory requirements. Implementation of new technologies, practices, and infrastructures to target security vulnerabilities is ongoing. Compliance and Reporting: The Company adheres to relevant cybersecurity regulations and standards applicable to our industry and maintains transparency by disclosing material cybersecurity incidents or risks in accordance with regulatory obligations. The Company had no material cybersecurity incidents in 2023. 29

Company Information