TIMBERLAND BANCORP INC 10-K Cybersecurity GRC - 2025-12-09

Page last updated on December 9, 2025

TIMBERLAND BANCORP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-12-09 14:12:17 EST.

Filings

10-K filed on 2025-12-09

TIMBERLAND BANCORP INC filed a 10-K at 2025-12-09 14:12:17 EST
Accession Number: 0000939057-25-000319


Item 1C. Cybersecurity.

Cyber Risk Management and Strategy

Safeguarding the confidentiality, integrity and availability of customer and sensitive financial data, records and transactions is essential to Timberland and Timberland Bank. Our risk management program is designed to identify, assess and mitigate risks across various aspects of the Bank, including financial, operational, regulatory, reputational and legal. Cybersecurity is a critical component of our risk management program; thus, we have implemented a Cyber and Information Security Program to protect the confidentiality, integrity and availability of our information and information technology environment.

Our program aligns with applicable federal and state regulations, industry frameworks such as the Federal Financial Institutions Examination Council ("FFIEC") and best practices from the National Institute of Standards and Technology ("NIST"). The FFIEC framework offers a set of guidelines to help financial institutions effectively manage and mitigate cybersecurity risks. The framework focuses on ensuring the confidentiality, integrity and availability of sensitive information. NIST is part of the U.S. Department of Commerce, which develops cybersecurity standards, guidelines and other resources.

We have employed a multi-layered, risk-based approach to cyber and information security, incorporating a variety of tools and processes to aid in risk identification, assessment and management. The Bank conducts a variety of information security risk assessments throughout the year. We employ a defense in depth strategy that incorporates preventive, detective, and administrative safeguards including but not limited to, configuration hardening, robust patch management and vulnerability scanning, advanced anti-malware firewall technologies, anti-phishing and web filtering controls. These controls are tested annually by an independent third-party audit firm.

Quarterly employee training is performed on cybersecurity, information security, identity theft prevention and data privacy. The Bank has not experienced any material losses relating to cybersecurity threats or incidents as of September 30, 2025. Material cybersecurity incidents are escalated to the Board and evaluated for disclosure in accordance with SEC reporting requirements.

Incident Response

Response to cyber incidents is guided by the Bank's Incident Response Policy. The Bank's plan is based on the National Infrastructure Protection Center ("NIPC") guidelines, with the addition of specific reporting and notification requirements required by regulation. The Incident Response Policy prescribes points of escalation and mechanisms for collaboration should the need arise to engage outside partnerships such as external counsel, cybersecurity forensic examiners, cyber insurance vendors, government agencies and regulatory bodies. The Incident Response Policy also specifies that material incidents are promptly reported to the Board and considered for disclosure under applicable SEC rules.

Third Party Service Provider Monitoring

The Bank maintains a robust Vendor Management Program to appropriately measure, monitor and control risks associated with outsourcing products and services, including cybersecurity risks. Under the program, vendors are assigned a risk rating based on an assessment of the vendor and its access to network, systems and confidential information. Critical and high-risk vendors are reassessed at least annually, and remediation plans are implemented for identified deficiencies. The Bank's Information Security Officer ("ISO") conducts regular periodic reviews of the adequacy of its oversight of controls over third party relationships.

Cybersecurity Governance

Timberland Bank's Board of Directors ("Board") recognizes the significance of cybersecurity risks and provides oversight of the Bank's Cyber and Information Security Program. The Bank's Board of Directors is currently comprised of the Chief Executive Officer and seven non-employee directors, one of whom has completed and received Cybersecurity Oversight Certification from the National Association of Corporate Directors ("NACD"). The Board receives cybersecurity updates at least quarterly, including risk metrics, incident reports, and progress on mitigation strategies.

The Bank's primary responsibility for managing cyber risk is vested in the Bank's Information Security Officer ("ISO"). The Bank's ISO, who reports to the Chief Risk Officer, has four years of experience in information security and risk management. The ISO is responsible for the day-to-day management of the Cyber and Information Security Program, including oversight of risk assessments, incident response, employee training, and third-party vendor cybersecurity controls.

The Chief Technology Officer ("CTO") has over 13 years of experience in IT and cybersecurity leadership, including managing enterprise IT operations and technology risk. The CTO also holds a Certified Community Bank Information Technology Officer designation from the ICBA and a CompTIA Security+ certification, and has completed the Graduate School of Banking at the University of Wisconsin's Bank Technology Management program.

Members of the Technology Steering Committee bring substantial experience in IT operations, cybersecurity, and risk management, providing guidance on technology strategy, operational performance, and cybersecurity oversight. The Technology Steering Committee meets on a regular basis and is tasked with providing oversight and guidance regarding both information technology and cybersecurity related issues of strategic importance to the Bank. The Technology Steering Committee is comprised of numerous members of the management team, the CTO and the ISO. The Technology Steering Committee reports to the Board of Directors through Committee minutes.

The Board Technology Committee assists the Board of Directors in fulfilling its oversight responsibilities with respect to the overall role of technology in executing the business strategy of the institution, including but not limited to major technology investments, technology strategy, operational performance and technology trends that may affect customers. The Board Technology Committee meets regularly and receives reports from the CTO and the ISO on cybersecurity and information technology risks. The Board Technology Committee reports to the Board of Directors through Committee minutes. The Board's Audit Committee also has oversight responsibility for audits related to information technology, security and information technology governance.


Company Information

Name: TIMBERLAND BANCORP INC
CIK: 0001046050
SIC Description: Savings Institutions, Not Federally Chartered
Ticker: TSBK - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: September 29