Winchester Bancorp, Inc./MD/ 10-K Cybersecurity GRC - 2025-09-17

Page last updated on September 17, 2025

Winchester Bancorp, Inc./MD/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-09-17 17:09:10 EDT.

Filings

10-K filed on 2025-09-17

Winchester Bancorp, Inc./MD/ filed a 10-K at 2025-09-17 17:09:10 EDT
Accession Number: 0001193125-25-206332


Item 1C. Cybersecurity.

Cybersecurity is a significant and integrated component of Winchester Bancorp’s risk management strategy, designed to protect the confidentiality, integrity and availability of sensitive information contained within the Company’s information services. As a financial services company, cyber threats are present and growing, and the potential exists for a cybersecurity incident to disrupt business operations, compromise sensitive data or both. As a proactive measure, the Company maintains insurance coverage for cybersecurity incidents experienced by the Company; however, such insurance coverage may not be sufficient to cover all losses incurred. During the year ended June 30, 2025, we did not, to our knowledge, experience a cybersecurity incident materially affecting or reasonably likely to materially affect the Company.

Risk Management & Strategy (Scope)

On a periodic basis, but not less than annually, the Information Security Officer (ISO), in conjunction with the Information Technology department, identifies and documents internal and external vulnerabilities that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer records. Based on the results of the risk assessment, the Company’s Information Security Program may be revised to protect against any anticipated threats or hazards to the security or integrity of such information. The Information Security Officer, CIO and IT Department regularly meet to review, monitor and address technology-related threats and emerging risks. Additionally, the Company engages third parties to aid in the identification of risks and controls related to technology and technology-driven product delivery channels, allowing for an independent opinion.

The risk assessment process identifies data sources, threats and vulnerabilities, and ensures awareness, accountability and oversight for data protection throughout the Company and with trusted third parties, so that data is protected and able to be recovered in the event of a breach or failure (technical or other disaster).

Risk Assessments (Detail)

On a periodic basis, but not less than annually, the Information Security Officer (ISO), in conjunction with the Information Technology department, identifies and documents internal and external vulnerabilities that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer records. Risks are identified and mitigations are documented by the ISO, IT staff and the business lines responsible for the assessed area. Risks related to the engagement of third-party providers are identified and reviewed by the Risk & Compliance Department, in coordination with the vendors and business lines that engaged the vendor relationship.

Response to Security Vulnerabilities

In response to identified risks, management may take certain steps to correct and respond to security vulnerabilities, which may include:
- Eliminating unwarranted risks by applying vendor-provided software fixes (patches);
- Ensuring that changes to security configurations are documented, approved and tested;
- Ensuring that exploitable files and services are assessed and removed or disabled based upon known vulnerabilities and business needs;
- Updating and monitoring vulnerability scanning and intrusion detection tools to identify known vulnerabilities and related unauthorized activities;
- Conducting penetration testing and vulnerability assessments as warranted;
- Reviewing performance with service providers to ensure that security maintenance and reporting responsibilities are operating according to contract provisions and that service providers provide notification of system security breaches that may affect the Company.

Internal Controls, Audit and Testing

Regular internal monitoring is integral to the Company’s risk assessment process, which includes regular testing of key controls, systems and procedures. In addition, independent third-party penetration testing to test the effectiveness of security controls and preparedness measures is conducted at least annually. Management determines the scope and objectives of the penetration analysis. Aspects of the Information Security program are audited by the Company’s Internal Audit provider(s) to ensure they are aligned with regulatory expectations.

Employee Training

Employees are an integral part of the line of defense against cybersecurity risks. Every employee is responsible for protecting Company and client information. Accordingly, employees complete formal training, including regular simulated phishing assessments designed to sharpen threat detection and reporting capabilities.

Our employees are supported by solutions designed to identify, prevent, detect, respond to and recover from incidents. Technologies include firewalls, intrusion detection systems, managed endpoint security automation and response capabilities, encryption, data backups and multi-factor authentication when available. Notable services include 24/7 security monitoring and response, real-time vulnerability scanning, third-party monitoring and threat intelligence.

Service Providers

The Company relies on third-party vendor services and solutions to support its operations. Many of these vendors have access to sensitive and proprietary information. Third-party vendors continue to be a notable source of operational and informational risk. Accordingly, the Company has implemented a “Third Party” Management program, which includes a detailed onboarding process and periodic reviews of vendors with access to sensitive Company data. The program is audited as part of the Company’s internal audit program.

Program Adjustments

The ISO monitors, evaluates and adjusts the Information Security Program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information and changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to customer information systems.

Incident Response Plan

The Company has implemented an Incident Response Plan (IRP) to provide structure and a systematic incident response process for information security incidents that may affect any of the Company’s information technology systems, networks or data. The Company’s business continuity program provides a coordinated response to incidents. The IRP is implemented and maintained by the ISO and is subject to annual review and approval by the IT Steering Committee and the Board of Directors. Cybersecurity metrics are reported to the Audit Committee quarterly.

The IRP includes:
- Identifying the Incident Response Team (IRT);
- Coordinating IRT activities, including developing, maintaining and following appropriate procedures to respond to and document identified information security incidents;
- Conducting post-incident reviews to gather feedback on information security incident response procedures and to address any identified gaps in security measures;
- Providing training and conducting periodic exercises to promote employee and stakeholder preparedness and awareness of the IRP;
- Reviewing the IRP at least annually, or whenever there is a material change in the Company’s business practices that may reasonably affect its cyber incident response procedures.

Governance & Reporting

The Board of Directors has designated the Vice President of Information Security as Information Security Officer (ISO). The ISO reports directly to the Senior Vice President of Risk & Compliance and works in tandem with the Chief Information Officer. On a quarterly basis, the ISO presents risks and metrics related to cyber and information security efforts to the IT Steering Committee and then to the Board’s Audit Committee. At least annually, the ISO reports to the Board of Directors the overall status of the Information Security Program and the Company’s compliance with the Interagency Guidelines for Safeguarding Customer Information. Any material findings related to risk assessment, risk management and control decisions, service provider arrangements, results of testing, security breaches or violations are discussed, as are management responses and any recommendations for program changes.


Company Information

Name: Winchester Bancorp, Inc./MD/
CIK: 0002047235
SIC Description: Savings Institutions, Not Federally Chartered
Ticker: WSBK - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company; Emerging growth company
Fiscal Year End: June 29