FIRST KEYSTONE CORP 10-K Cybersecurity GRC - 2024-03-29

Page last updated on April 11, 2024

FIRST KEYSTONE CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-29 17:25:36 EDT.

Filings

10-K filed on 2024-03-29

FIRST KEYSTONE CORP filed an 10-K at 2024-03-29 17:25:36 EDT
Accession Number: 0000737875-24-000013

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY The risks associated with the cybersecurity landscape are vast and ever-changing. Additionally, as a financial institution, the Corporation is subject to extensive federal and state regulatory and compliance requirements, many of which are associated with the protection and privacy of customer information. In response, the Corporation has created a layered and adaptable Information Security Program to protect the confidentiality, integrity, and availability of proprietary information and customer data. Continuous assessment and improvement of Information Security procedures and controls remains an integral part of the Corporation s overall risk management strategy and on-going business operations. Risk Management Oversight and Governance The Corporation s Information Security Officer (ISO), with assistance from the Information Technology team, has the primary responsibility in maintaining, assessing, and updating the Information Security Program and for reporting cyber and information security matters to the Corporation s executive management and Board of Directors. The ISO maintains a presence on a variety of committees that work together to monitor and manage the Corporation s risk profile and approve any changes or enhancements to the risk management strategies, including the Board of Directors IT Committee and Audit Committee, and the Corporation s IT Steering Committee, Enterprise Risk Management Committee, and Vendor Management Committee. At least annually, the ISO also presents to the Board of Directors on the state of the Information Security Program. This includes an overview of the Program s strategy and processes for identifying and mitigating risks, employee security awareness and training efforts, and any enhancements or changes to the program since the previous report. 18 Table of Contents Cybersecurity Risk Management Program The Information Security Program is designed with a defense-in-depth mentality, using a variety of techniques, tools, policies, and procedures to create a layered security posture against the various methods of cybersecurity attack and compromise. The day-to-day management and monitoring of the program s technical aspects are handled by the ISO and the Information Technology team. They are responsible for user access and permissions control, system and network monitoring, vulnerability detection and mitigation, employee security awareness and training, and creating and maintaining technology and information security policies. The Corporation does engage with third parties, including a managed security service provider, to assist with or enhance aspects of the day-to-day Information Security Program. The ISO and IT team are currently in the process of strengthening the overall program by aligning controls and procedures with the Cybersecurity Frameworks established by the Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST). Business Continuity and Incident Response Plans are maintained to ensure that critical business functions maintain uptime or can be restored as quickly as possible in the event that a natural or technological event occurs that impacts the Corporation or any of its service providers. The Information Security Officer and Information Technology Manager work together to maintain these plans and perform testing exercises that ensure the Corporation s back up technologies and procedures are working as intended and are available if the need should arise. To help mitigate risks associated with third party vendors and service providers, the Corporation has implemented an extensive Vendor Management process, overseen by the Vendor Management Committee. All new vendors undergo due diligence analysis by the Corporation s Vendor Management team, including review of their cybersecurity, data and privacy protection, and business continuity practices of those vendors with access to Corporation or customer data. Annual due diligence follow-up reviews are performed for all existing vendors on an ongoing basis and the results are reported to the Vendor Management Committee. Notwithstanding the Corporation s defensive measures and processes, the threat posed by cyber-attacks is extremely serious. The Corporation may not be successful in preventing or mitigating all cybersecurity incidents that could have a material adverse effect on it. While the Company has not, to date, detected a significant compromise, significant data loss or any material financial losses related to cybersecurity attacks, its systems and those of its customers and third-party service providers are under constant threat. It is possible that the Corporation could experience a significant cybersecurity event. The Corporation expects risks and exposures related to cybersecurity attacks to remain high for the foreseeable future. Refer to Item 1A. Risk Factors for additional information related to cyber security risks.

Company Information