Page last updated on April 30, 2025
Primis Financial Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-04-29 16:44:13 EDT.
Filings
10-K filed on 2025-04-29
Primis Financial Corp. filed a 10-K at 2025-04-29 16:44:13 EDT
Accession Number: 0001558370-25-005861
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

The Bank’s information security program is designed to protect sensitive, confidential, and non-public personal information from unauthorized access, use, disclosure, alteration, or destruction, and to maintain the confidentiality, integrity, and availability of our information assets, including employee and customer non-public personal information, financial data, and internal operational information. Our Chief Information Officer (“CIO”) manages our information security strategy and development as overseen by our overarching Enterprise Risk Management (“ERM”) program. The Bank’s cybersecurity program, including our information security policies, is designed to align with regulatory guidance and industry practices.

To protect our information systems, network, and information assets from cybersecurity threats, we use various security tools, products, and processes that help identify, prevent, investigate, and remediate cybersecurity threats and security incidents. The Bank’s Network Team monitors threat intelligence sources to research evolving threats, investigates the potential impact to financial services companies, examines company controls to detect and defend against those threats, and proactively adjusts company defenses against those threats. The Network Team also actively monitors the Bank’s networks and systems to detect suspicious or malicious events, and contracts with third-party consultants to perform penetration testing and routine vulnerability scans. A third-party managed security service provider supplements our efforts to provide 24 hours a day, seven days a week coverage. We maintain policies and procedures for the safe storage, handling, and secure disposal of customer and employee information.
Each employee is expected to be responsible for the security and confidentiality of customer information, and we communicate this responsibility to employees upon hiring and regularly throughout their employment. Annually, we provide employees with mandatory security awareness training. The curriculum includes the recognition and appropriate handling of potential phishing emails, which could place sensitive customer or employee information at risk. We employ a number of technical controls to mitigate the risk of phishing emails targeting employees.

As part of our information security program, we have adopted a Cyber Incident Response Plan (“Incident Response Plan”) which is administered by our CIO, who closely coordinates with the Bank’s Information Technology team. The Incident Response Plan describes the Bank’s processes, procedures, and responsibilities for responding to cybersecurity incidents, and identifies those team members responsible for assessing potential security incidents, declaring an incident, and initiating a response. The Incident Response Plan outlines action steps for investigating, containing, and remediating a cybersecurity incident, and includes procedures for escalation and reporting of potentially significant cybersecurity incidents to the Bank’s Executive Management, including the Chief Executive Officer (“CEO”), Chief Financial Officer (“CFO”), Chief Risk Officer (“CRO”), and the Board of Directors. We regularly test the Incident Response Plan, including through tabletop exercises, and document lessons learned. As necessary, the Company may retain a third-party firm to assist with forensic investigation and management of cybersecurity incidents.

The Bank conducts due diligence prior to engaging third-party service providers which have access to the Bank’s networks, systems, and/or customer or employee data. Risk assessments are performed using Service Organization Controls (SOC) reports, self-attestation questionnaires, and other tools.
Third-party service providers are required to comply with the Bank’s policies regarding non-public personal information and information security. Third parties processing non-public personal information are contractually required to meet legal and regulatory obligations to protect customer data against security threats or unauthorized access. After contract execution, Primis conducts ongoing monitoring of third-party service providers/vendors on a risk-based approach.

We continue to optimize our business continuity and disaster recovery plans aligned to the pervasive nature of cybersecurity incidents and threats. We also increased our cyber insurance which aligned to strengthen our internal systems. While the Bank has encountered, and will continue to encounter, cyber incidents in the normal course of business, to date, the Bank has not experienced a cybersecurity incident that has materially impacted our business strategy, financial condition, or results of operation. Despite our ongoing efforts to continually strengthen our cybersecurity program, there can be no assurance that our cybersecurity risk management processes and measures described will be fully implemented, complied with, or effective in safeguarding our systems and information. We face risks from certain cybersecurity threats that, if realized, could reasonably be expected to materially affect our business strategy, financial condition, or results of operation. See “Item 1A. Risk Factors - Operational Risks” in this 10-K for additional information.

Cybersecurity Governance

Our Board of Directors is responsible for overseeing the Bank’s business and affairs, including risks associated with cybersecurity threats. The ERM Committee (“ERMC”) of the Board has primary responsibility for overseeing the Bank’s comprehensive ERM program, including its cybersecurity program.
The ERM program assists the Executive Management in identifying, assessing, monitoring, and managing risk, including cybersecurity risk, in a rapidly changing environment. Cybersecurity matters and assessments are regularly included in both Audit Committee (“AC”) and ERMC meetings. The Board’s oversight of cybersecurity risk is supported by our CIO. The CIO attends ERMC meetings and provides cybersecurity updates to these Board committees on a quarterly basis. Our CRO, in conjunction with our CIO, facilitates the involvement of the ERMC in oversight of potentially significant cybersecurity incidents.

The Bank’s CIO directs the Bank’s information security program and our information technology risk management. In this role, in addition to the responsibilities discussed above, the CIO manages the Bank’s information security and day-to-day cybersecurity operations and supports the information security risk oversight responsibilities of the Board and its committees. The CIO is also responsible for the Bank’s information technology governance, risk, and compliance program and ensures that high level risks receive appropriate attention. Led by our CIO, the Network Team examines risks to the Bank’s information systems and assets, designs and implements security solutions, monitors the environment, and provides responses to threats. Our CIO has worked in the financial services industry for over 20 years and held similar roles at other financial institutions, including four years as a Chief Information Officer. Our CRO has over three decades of experience in risk management, and our Network Team collectively has over 19 years of experience in cybersecurity operations.
Company Information
| Field | Value |
| --- | --- |
| Name | Primis Financial Corp. |
| CIK | 0001325670 |
| SIC Description | State Commercial Banks |
| Ticker | FRST - Nasdaq |
| Website | |
| Category | Accelerated filer |
| Fiscal Year End | December 30 |