CENTRAL PACIFIC FINANCIAL CORP 10-K Cybersecurity GRC - 2025-02-26

Page last updated on July 27, 2025

CENTRAL PACIFIC FINANCIAL CORP reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 15:16:11 EST.

Filings

10-K filed on 2025-02-26

CENTRAL PACIFIC FINANCIAL CORP filed a 10-K at 2025-02-26 15:16:11 EST
Accession Number: 0000701347-25-000007


Item 1C. Cybersecurity.

Item 1C for a further discussion of cybersecurity risk management, strategy and governance.

General Risk Factors

We are dependent on key personnel and the loss of one or more of those key personnel may materially and adversely affect our prospects.

Competition for qualified employees and personnel in the banking industry is intense and there is a limited number of qualified persons with knowledge of, and experience in, the regional banking industry, especially in the Hawaii market. The process of recruiting personnel with the combination of skills and attributes required to carry out our strategies is often lengthy. Our success depends to a significant degree upon our ability to attract and retain qualified management, loan origination, finance, administrative, marketing, and technical personnel, and upon the continued contributions of our management and personnel. In particular, our success has been and continues to be highly dependent upon the abilities of key executives, including our Chairman, President and Chief Executive Officer, our Senior Executive Vice President and Chief Financial Officer, our Senior Executive Vice President and Chief Risk Officer, and our other executive officers and certain other employees.

Natural disasters and other external events (including pandemic viruses or disease) could have a material adverse effect on our financial condition and results of operations.

Our branch offices as well as a substantial majority of our loan portfolio are in the State of Hawaii. As a result, natural disasters and other severe weather occurrences such as tsunamis, volcanic eruptions, hurricanes, wildfires and earthquakes and other adverse external events, including the effects of any pandemic viruses or diseases (such as the COVID-19 pandemic), could have a significant effect on our ability to conduct our business and adversely affect the tourism and visitor industry in the State of Hawaii. Such events could affect the ability of our borrowers to repay their outstanding loans, impair the value of collateral securing our loans, cause significant property damage, result in loss of revenue, adversely impact our deposit base and/or cause us to incur additional expenses. Accordingly, the occurrence of any such natural disasters, severe weather events, or other occurrences over which we have no control could have a material adverse effect on our business, which, in turn, could adversely affect our financial condition and results of operations.

Climate change could have a material adverse effect on us and our customers.

Our business, as well as the operations and activities of our customers, could be negatively impacted by climate change. Climate change presents both immediate and long-term risks to us and our clients, and these risks are expected to increase over time. Climate change presents multi-faceted risks, including: operational risk from the physical effects of climate events on our Bank and our customers’ facilities and other assets; credit risk from borrowers with significant exposure to climate risk; transition risks associated with the transition to a less carbon-dependent economy; and reputational risk from stakeholder concerns about our practices related to climate change, our carbon footprint, and our business relationships with clients who operate in carbon-intensive industries. Hawaii, where our business is located, and where a substantial portion of our customers and loan collateral is located, could be impacted by the effects of climate change, including increased frequency or severity of storms, hurricanes, floods, droughts, wildfires, and rising sea levels. These effects can disrupt business operations, damage property, devalue assets and change consumer and business preferences, which may adversely affect borrowers, increase credit risk and reduce demand for our products and services.

At this time, we have not experienced material losses from climate change; however, we are aware that its impact may increase in the future. Climate change, its effects and the resulting, unknown impacts could have a material adverse effect on our financial condition and results of operations. Federal and state banking regulators and supervisory authorities, investors, and other stakeholders have increasingly viewed financial institutions as important in helping to address the risks related to climate change both directly and with respect to their clients, which may result in financial institutions coming under increased pressure regarding the disclosure and management of their climate risks and related lending and investment activities. Given that climate change could impose systemic risks upon the financial sector, either via disruptions in economic activity resulting from the physical impacts of climate change or changes in policies as the economy transitions to a less carbon-intensive environment, we may face regulatory risk of increasing focus on our resilience to climate-related risks, including in the context of stress testing for various climate stress scenarios. Ongoing legislative or regulatory uncertainties and changes regarding climate risk management and practices may result in higher regulatory, compliance, credit, and reputational risks and costs. With the increased importance and focus on climate change, we are in the process of creating governance processes around climate change-related risks and integrating climate considerations into our risk governance framework. Nonetheless, the risks associated with climate change are rapidly changing and evolving in an escalating fashion, making them difficult to assess due to limited data and other uncertainties.

We could experience increased expenses resulting from strategic planning, litigation, and technology and market changes, and reputational harm as a result of negative public sentiment, regulatory scrutiny, and reduced investor and stakeholder confidence due to our response to climate change and our climate change strategy, which, in turn, could have a material adverse effect on our business, results of operations, and financial condition.

ITEM 1B. UNRESOLVED STAFF COMMENTS

None.

ITEM 1C. CYBERSECURITY

Cybersecurity remains a top financial services industry risk due to increases in the quantity and sophistication of cyberattacks, which include ransomware, malware, credential theft, supply chain, and other prevalent attack methods resulting in unauthorized access to systems or sensitive data. The Company maintains a formal and comprehensive enterprise-wide Information Security and Cybersecurity Program (the “Information Security Program”) that protects the confidentiality, integrity, and availability of the Company’s information assets and manages reasonably foreseeable cybersecurity risks and threats. The Information Security Program, which is in compliance with banking regulations, includes a threat intelligence program, policies and procedures, multi-layered cybersecurity technical safeguards, third-party security risk assessments, a formal incident response program, mandatory trainings for employees and independent contractors upon hire and regularly thereafter, annual audits, and reviews of vendors who handle sensitive information.

Governance

As a regulated financial institution, the Company must adhere to the security requirements and expectations of the applicable regulatory agencies, which include requirements related to cybersecurity, data privacy, vendor security risk management, systems availability, and business continuity planning, among others. The regulatory agencies have established responsibility guidelines for the Board of Directors and senior management, which include establishing policy, appointing and training personnel, implementing review and testing functions, and ensuring an appropriate frequency of reporting. The Company is examined annually, and its Information Security Program, policies and standards are designed to meet regulatory requirements and industry standards to implement physical, administrative, and technical controls to comply with the Gramm-Leach-Bliley Act (“GLBA”), Sarbanes-Oxley Act (“SOX”) of 2002, and industry frameworks such as the Federal Financial Institutions Examination Council (“FFIEC”).

The Board of Directors overall, including the Board Risk Committee more specifically, oversees cybersecurity risk. The Executive Committee overall, and the Chief Risk Officer, Chief Legal Officer, Chief Technology Officer, and Information Security Director more specifically, manage cybersecurity risk and the associated programs at the operational level. Regular updates on cybersecurity are provided to the Management Risk Committee, to the Board Risk Committee and/or the Board of Directors.

Risk Management and Strategy

The Company has complex information systems used for a variety of functions by customers, employees, and vendors. In addition, third parties with which the Company does business or that facilitate business activities (e.g., vendors, exchanges, clearing houses, central depositories and financial intermediaries) could also be sources of cybersecurity risk to the Company, including breakdowns or failures of their systems, misconduct by the employees of such parties, or cyberattacks which could affect their ability to deliver a product or service to the Company. Our systems are regularly targeted by attacks aimed at disrupting services, misusing or accessing customer data without authorization, seeking financial extortion, or executing fraudulent activities. To date, no such incidents have significantly impacted the Company’s operations or adversely affected our customers, nor have they materially influenced our operational results. Nevertheless, it is important to acknowledge that we cannot guarantee the prevention or detection of sophisticated cyberattacks. In the event of significant service disruptions, unauthorized access leading to the misuse of customer information, or fraudulent activities affecting our or third-party systems, the Company may face operational, regulatory, legal, and reputational challenges, which could adversely affect our business and financial conditions.

The Company’s Information Security Program includes key program stakeholders who meet regularly to discuss and execute on continually improving the Company’s Information Security Program through ongoing initiatives. The Company implements a formal Information Security Program aligning to industry best practices and focuses on the following key areas to mitigate cyber risks:

i. Risk Assessment - At least annually, a risk assessment is conducted that incorporates other security assessments and testing conducted throughout the year, ongoing and completed security initiatives, evaluation of the cyber threat landscape, compliance, incidents, etc. The assessment results are presented to executive management and the Board of Directors.

ii. Technical Safeguards - Multi-layered controls, defenses, and continuous monitoring tools are used to protect, detect, and respond to cyber threats and incidents. External independent assessments, regular threat intelligence review, and lessons learned from incident response drive continuous tool and process improvements.

iii. Incident Response and Recovery - The Company’s formal Incident Response and Business Continuity Programs establish a clear, consistent, standard, and organized process by which cybersecurity incidents will be promptly responded to by the Company’s incident response teams.

iv. Third-Party Risk Management - The Company’s formal vendor management program includes security risk assessments requiring the vendor to meet or exceed appropriate security requirements prior to the hosting or sharing of sensitive information by third parties. The Company’s standard contract provisions obligate third-party compliance with industry standard security protections.

v. Education and Awareness - The Company conducts cybersecurity training, both formally through mandatory courses and informally through written communications and other updates. Employees are tested periodically with phishing tests to reinforce training. The Company has held webinars and also sends periodic emails to its customers with tips and suggestions to protect themselves against cybersecurity incidents.

External Assessments

The Company’s Information Technology and Information Security Departments are examined annually by our financial institution regulator, which includes reviewing our cyber risk management activities to ensure we are properly and adequately managing our risks appropriate to the size and complexity of our business and operations. In addition to annual examinations, the Company’s Information Security Program, policies and practices, and cyber posture are subject to regular external independent reviews including annual audits, annual penetration tests, and quarterly third-party cyber risk assessments to ensure cybersecurity controls are adequately designed and are operating effectively.


Company Information

Name: CENTRAL PACIFIC FINANCIAL CORP
CIK: 0000701347
SIC Description: State Commercial Banks
Ticker: CPF - NYSE
Category: Accelerated filer
Fiscal Year End: December 30