Burke & Herbert Financial Services Corp. 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

Burke & Herbert Financial Services Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 16:02:39 EST.

Filings

10-K filed on 2026-02-27

Burke & Herbert Financial Services Corp. filed a 10-K at 2026-02-27 16:02:39 EST
Accession Number: 0001964333-26-000016


Item 1C. Cybersecurity.

The federal bank regulatory agencies have guidelines establishing information security standards and cybersecurity programs for implementing safeguards under the supervision of a financial institution's board of directors. These guidelines, along with related regulatory materials, increasingly focus on risk management and processes related to information technology and the use of third parties in the provision of financial products and services. The federal bank regulatory agencies expect financial institutions to establish lines of defense and to ensure that their risk management processes address the risk posed by compromised customer credentials. The federal bank regulatory agencies also expect financial institutions to maintain sufficient business continuity planning processes to ensure rapid recovery, resumption, and maintenance of the institution's operations after a cyberattack. The federal bank regulatory agencies require financial institutions to notify their primary federal regulator as soon as possible, and no later than 36 hours after the institution determines that a cybersecurity incident has occurred that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the institution's: (i) ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business, (ii) business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value, or (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States. SEC rules also require disclosure of material cybersecurity incidents.
The Bank maintains a documented process to evaluate the materiality of cybersecurity incidents for purposes of SEC and banking-regulator reporting. This process considers potential impacts on financial results, operations, customer harm, legal and regulatory exposure, and investor decision-making, and supports timely reporting obligations under applicable rules. To date, we have not experienced a cybersecurity incident that we believe has, or is reasonably likely to, materially affect our business, operations, strategy, or financial condition. However, we continually assess the potential impact of cybersecurity threats, ensuring that any incident is evaluated for materiality in relation to our business strategy, operational results, and financial condition. Cybersecurity risk is a key factor in assessing the Company's overall operational and regulatory risk and is a component of our overall information security protocols. The Company maintains a formal, Board-approved Cybersecurity and Information Security Program aligned with the Federal Financial Institution Examination Council Information Security Handbook, the National Institute of Standards and Technology Cybersecurity Framework, and the GLB Act Safeguards Rule. This program is designed to identify risks to sensitive information, protect that information, detect threats and events, and maintain a robust response and recovery capability to ensure resilience against cybersecurity incidents. 
Our processes for assessing, identifying, and managing material cybersecurity risks include: enterprise-wide risk assessments and control testing; 24/7 monitoring of critical infrastructure; active threat hunting; endpoint Extended Detection and Response (XDR); continuous security monitoring and alerting; vulnerability scanning, remediation, and penetration testing; identity and access management with multi-factor authentication; data-loss prevention and information classification; oversight of third-party and vendor information security practices; and a documented Incident Response Plan governing detection, containment, investigation, recovery, and post-incident review. These processes apply across our on-premises and cloud environments, critical business functions, customer data, and third-party service providers. To support these activities, the Bank engages established third-party information security consultants to assist in monitoring, threat detection, and program development, and collaborates closely with internal information technology and audit teams. All employees receive security training at onboarding, annual refresher training, and regular phishing simulations to strengthen awareness and reduce human-related risk. The Bank's cybersecurity program is led by the Chief Information Security Officer, who has served in this capacity for 10 years and possesses an additional 18 years of experience in information security program management, global cybersecurity operations, and incident response. His expertise includes the strategic design, implementation, and management of security programs tailored to mitigate emerging risks and is supported by a Certified Information Systems Security Professional (CISSP) credential and multiple technology certifications. Information security protocols are a part of the Company's Information Security Policy that is reviewed and approved annually by the Company's Board.
The ongoing oversight of cybersecurity risk is accomplished primarily through the Information Technology Steering Committee, comprised of management, the Regulatory Risk Committee, Technology Committee and the Enterprise Risk Management Committee, each comprised of management and members of the Board. Through these committees the Company keeps abreast of significant matters of actual, threatened, or potential breaches of cybersecurity protocols, monitors the effectiveness of the information security program through regular review of key metrics and assessment reports, discusses topical events requiring consideration, and if necessary, recommends changes to the Information Security Policy for approval by the Company's Board, which retains the ultimate responsibility for overseeing our enterprise risk management, including cybersecurity. In addition to regular reports from these committees, the Board receives regular reports from management on material cybersecurity risks and the Company's efforts to combat threats to its digital infrastructure. The Company also maintains specific cyber insurance through its corporate insurance program, the adequacy of which is subject to review and oversight by the Company's Board. However, such insurance may not be sufficient to cover all of our potential losses and may not continue to be available to us on acceptable terms, or at all. With the increase in cyber-threat vectors and enhanced focus on cybersecurity, the Company and the Bank continue to monitor legislative, regulatory, and supervisory developments related thereto.


Company Information

Name: Burke & Herbert Financial Services Corp.
CIK: 0001964333
SIC Description: National Commercial Banks
Ticker: BHRB - Nasdaq
Website:
Category: Emerging growth company
Fiscal Year End: December 31