RIVERVIEW BANCORP INC 10-K Cybersecurity GRC - 2025-06-12

Page last updated on June 12, 2025

RIVERVIEW BANCORP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-06-12 17:20:47 EDT.

Filings

10-K filed on 2025-06-12

RIVERVIEW BANCORP INC filed a 10-K at 2025-06-12 17:20:47 EDT
Accession Number: 0000939057-25-000159

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecu rity Risk Management and Strategy Our cybersecurity risk management and strategy are integrated into our enterprise-wide risk management program , which leverages a “three lines of defense” model to manage risk within the organization. Such model incorporates 1) day-to-day/operational activities and controls that are managed at the business unit level; 2) identification, measurement and mitigation of inherent security risks via the use of internal control and cybersecurity maturity frameworks, operating policies, independent monitoring, risk management and compliance oversight; and 3) internal audit designed to provide objective and independent validation of the design and operating effectiveness of cybersecurity and information security controls. Technology risk (including cybersecurity and overall operational risk) is identified as a key risk area for the Company, and utilizes a combination of manual and automated methods as well as internal and external resources to monitor, measure and mitigate cybersecurity risks. The ability to mitigate cybersecurity risks is dependent upon an effective risk assessment process that identifies, measures, controls, and monitors material risks stemming from cybersecurity threats. These threats include any potential unauthorized activities occurring through the Company’s information systems that could adversely affect the confidentiality, integrity, or availability of the Company’s information systems or the data contained therein. The Company’s Information Security Program includes a comprehensive information security risk assessment process that incorporates the following elements: ● Identification of reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of confidential information or information systems. ● Assessment of the likelihood and potential damage of these threats, taking into consideration the sensitivity of confidential information. ● Assessment of the sufficiency of policies, procedures, information systems, and other arrangements in place to control risks. The risk assessment process is designed to identify assets requiring risk reduction strategies and includes an evaluation of the key factors applicable to the operation. The Company conducts a variety of information security assessments throughout the year, both internally and through third-party specialists. These assessments include regular penetration testing and periodic third-party audits to validate the effectiveness of our controls. In designing our Information Security Program, we refer to established industry frameworks - in particular, the Federal Financial Institutions Examination Council (FFIEC) and guidance and best practices from the National Institute of Standards and Technology (NIST). The FFIEC framework offers a set of guidelines to help financial institutions effectively manage and mitigate cybersecurity risks. The framework focuses on ensuring the confidentiality, integrity, and availability of sensitive information and systems. NIST is part of the U.S. Department of Commerce and among other initiatives, develops cybersecurity standards, guidelines, and other resources to meet the needs of U.S. industry, federal agencies and the broader public. Activities range from producing specific information that organizations can put into practice immediately to longer-term research that anticipates advances in technologies and future challenges. The Company utilizes these frameworks to assist with the design of our Information Security Program, including risk mitigation controls and processes. While we believe our information security program is well-designed and appropriate for our organization, the sophistication of cyber threats continues to increase and no matter how well designed or implemented the Company’s controls are, it may not be able to anticipate all cyber security breaches, and it may not be able to implement effective preventive measures against such security breaches in a timely manner. For more information on how cybersecurity risk may affect the Company’s business strategy, results of operations or financial condition , please refer to Item 1A. Risk Factors - Risks Related to Cybersecurity, Data and Fraud. The Company uses a cross-functional approach to identify, prevent, and mitigate cybersecurity threats and incidents. We have adopted controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. We have developed a formal cybersecurity incident response plan that summarizes the steps the Company will take to respond to a cybersecurity incident. The plan includes an Information Security Incident Response Team (ISIRT), which is responsible for addressing and coordinating all aspects of the Company’s response to cybersecurity events. The ISIRT is supported by operating procedures and guidelines designed to outline the expectations and processes to be followed when responding to incidents of unauthorized access to confidential information maintained by the Company or its service providers. The ISIRT may consult legal counsel and other external experts in connection with their respective activities. An escalation process has been established for engaging other resources and appropriate reporting protocols at both the management and Board of Directors levels. Governance Our Board of Directors articulates the Company’s attitude towards risk. Associated risk metrics are monitored quarterly by Management and reported to the Audit Committee of the Board and the Board of Directors. Management measures and reports inherent risk, mitigating controls, residual risk and emerging risk for various key risk categories, inclusive of cybersecurity and information security risks, on at least a quarterly basis. The Company’s governance and oversight of cybersecurity risks are facilitated through our Information Security Program, which establishes administrative, technical, and physical safeguards designed to protect the confidential information and records of all the Bank’s clients in accordance with FDIC regulations. Our Information Security Program, along with its associated policies and guidelines, takes into account FDIC and FFIEC regulations and guidance on sensitive information protection as well as information system security. It is tailored to align with the Company’s risk assessment results, and the size, complexity, nature and scope of our activities. We maintain relevant expertise within the Bank’s management team to manage cybersecurity risks. In particular, the Board has appointed a Chief Information Security Officer (CISO). Together with the Director of Risk Management, they provide direction and oversight for information and cyber-security related activities across the Company-including existing and emerging initiatives, service provider arrangements, incident response, business continuity management, staff training, monitoring of key controls and adjusting the information security program in response to changes in operations and internal/external threats and vulnerabilities. In this role, the CISO leverages 24 years of information technology experience and has maintained various applicable cybersecurity and IT audit certifications. Our Information Security Management team , among other things, is responsible for conducting risk assessments , designing the Information Security Program to manage identified risks based on information sensitivity and the Company’s operational complexity, overseeing service provider arrangements, and managing risks associated with third-party service providers by conducting due diligence prior to engagement and ongoing monitoring of vendors’ security practices, including their ability to prevent, detect, and respond to cybersecurity threats. They also establish risk-based response programs for incidents of unauthorized access, providing staff training, conducting testing of key controls, systems, and procedures, and adjusting the program in response to changes in people, processes, technology, sensitive information, threats, and the business environment (e.g., mergers, acquisitions, alliances, joint ventures, or outsourcing arrangements). The Board of Directors plays a crucial role, annually reviewing and approving our Information Security Program. The Board oversees efforts to develop, implement, and maintain an effective Information Security Program, including reviewing management’s reporting on program effectiveness. Additionally, the Board of Directors’ Technology Committee considers information technology and cybersecurity expertise when assessing potential director candidates, to help ensure the Board of Directors has the capability to appropriately oversee management’s activities in these areas. The Board receives regular updates from the CISO and Director of Risk Management regarding cybersecurity threats and program enhancements. In evaluating its oversight capabilities, the Board considers relevant cybersecurity expertise among its members and provides ongoing training where appropriate. As of the date of this report, the Company has not experienced any cybersecurity incidents that have had a material impact on its business strategy, financial condition, or results of operations.

Company Information