COMMUNITY FINANCIAL SYSTEM, INC. 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

COMMUNITY FINANCIAL SYSTEM, INC. reported its cybersecurity risk management and governance process in an annual 10-K filed on 2026-02-27 16:48:18 EST.

Filings

10-K filed on 2026-02-27

COMMUNITY FINANCIAL SYSTEM, INC. filed a 10-K at 2026-02-27 16:48:18 EST
Accession Number: 0001104659-26-021651


Item 1C. Cybersecurity.

As a heavily regulated financial services company, the Company has developed comprehensive cybersecurity processes that are designed to protect the security of confidential information. Two of the more significant risks to the Company, both in terms of financial and reputational harm, are a data security breach and/or ransomware attack which causes a material financial loss to the Company and/or materially harms its operational integrity or reputation with its customers as a safe and trustworthy institution. In order to mitigate this risk and comply with the regulatory standards required by the Company's and the Bank's regulators, the Company has developed a cybersecurity program and framework which is administered by a team of experienced professionals and supported by external technology and consulting services. Set forth below is an overview of the Company's risks associated with cybersecurity, its cybersecurity process, the role of management and the Board, and whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the Company.

Risks Associated with Cybersecurity

The Company is a frequent target of unauthorized attempts to access financial records, destroy data, degrade services, or sabotage systems. The sophistication and diversity of these threats are increasing. Against a backdrop of geopolitical tensions, the increasing use of AI by threat actors, and the growing involvement of organized cyber criminal groups, including state-sponsored groups, the Company expects greater frequency and sophistication of attacks in the future (malware, ransomware, phishing, supply chain compromise, and insider-assisted intrusions). Organized criminal actors include financially motivated ransomware gangs, criminal networks that monetize stolen data, and transnational fraud rings. These groups often operate at scale, use professionalized tools and affiliate ecosystems, and in some instances collaborate with nation state actors or exploit third-party vendors to gain access. The exploitation of third-party vendors and contractors increases the risk that a vendor compromise, outage, or failure to meet contractual security obligations could lead to unauthorized access or operational disruption. In addition, the Company's increasing use of analytics, machine learning and generative AI introduces additional data and model risks, including threats to data privacy and integrity, biased or incorrect model outputs, exploitation of third-party models or vendors, and automation-enabled escalation of attacks. To date, these risks have not resulted in a material cybersecurity incident, but a successful compromise, whether internal or originating with a third-party vendor, could result in financial losses, remediation costs, regulatory penalties, customer attrition, and reputational harm. For more information on risks to the Company from cybersecurity threats, see "Risk Factors - Operational Risks".

Cybersecurity Process and Management's Role

Management is responsible for designing and implementing policies, processes and physical and virtual safeguards to measure, monitor, and control cybersecurity risk. The primary executives responsible for the oversight of risk and cybersecurity are the Company's Chief Risk Officer, who has over 38 years of experience in the banking industry, including 25 years as a national bank examiner for the Office of the Comptroller of the Currency, and the Company's Chief Information Security Officer ("CISO"), who has an educational and experiential background in information technology and information security for public companies (bachelor's degree in computer science and service as the Company's CISO for the past 11 years, with 10 prior years of information technology and information security experience). The CISO leads the members of the Information Security Department, some of whom maintain a variety of certifications including Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Security+ (Plus) Certification (SEC+). Both of these executives, along with the other professionals in the Information Security and Information Technology Departments, have the appropriate knowledge and expertise to effectively assess and manage the Company's cybersecurity risk and establish a system of internal controls in an effort to safeguard the Company's network and comply with regulatory requirements.

The Company's cybersecurity framework includes an assessment of the Company's hardware, software, and data platforms across its lines of business; the risks associated with the Company's business; and areas inside and outside of the Company that expose it to cybersecurity threats. As part of this framework, the Company employs policies, systems and safeguards to manage cybersecurity risks. The Company's CISO is responsible for identifying systems and security measures that reflect the appropriate safeguards designed to protect the Company's infrastructure and information and has implemented the majority of current cybersecurity controls in place with an emphasis on the confidentiality, integrity and availability (CIA) triad and a defense in depth methodology. The CISO uses a variety of threat intelligence resources, including law enforcement and industry groups such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), to help stay informed about current and emerging risks to the Company.

CFSI maintains enterprise-wide AI and Data Governance frameworks designed to promote the accuracy, privacy, security, and responsible use of data and AI across our operations. Executive oversight is provided by the Management Risk Committee and IT Steering Committee, with operational accountability assigned to business and system data stewards and data asset owners. The CISO jointly oversees data and AI governance, supports validation and control requirements, and enforces security, privacy, and incident-response protocols. The Company has deployed machine learning and generative AI capabilities to enhance monitoring, automated classification of events and data, and threat detection and prioritization. These tools support faster triage, playbook-driven remediation and realistic simulation for control validation. AI solutions are subject to formal approval, validation, and periodic re-validation proportional to their inherent risk; higher-risk applications retain a human-in-the-loop approach. Controls include encryption, role-based access, audit logging, vendor due diligence, and employee training. These programs are periodically reviewed to reflect evolving regulatory requirements and technological advances.

The CISO is also responsible for supervising and monitoring certain outside professionals or third-party service providers that assist in enhancing the Company's current cybersecurity safeguards. The Company has invested meaningful resources to address cybersecurity threats and partners with leading technology companies to implement solutions to address the fast-evolving threat landscape. These solutions and services help with the prevention, detection, mitigation and remediation of cybersecurity threats and incidents. The Company's Internal Audit Department further assists the Company to ensure that the proper safeguards are in place to protect the Company's information by conducting internal audits on certain aspects of the information security program. Internal Audit engages professionals that specialize in information security to review and provide an annual examination and report on the sufficiency of the Company's cybersecurity process and information security program. The Company's independent public accounting firm also performs audit procedures regarding the information security program. In addition, the Company's and the Bank's regulators review and assess the Company's information security program on an annual basis.

The Company also maintains certain management committees that further assist in the prevention, detection, and mitigation of cybersecurity risks. Specifically, the CISO works closely with the Company's IT Steering Committee which, among other things, reviews the effectiveness of key controls and provides guidance around future initiatives that strengthen the Company's overall security posture. The IT Steering Committee is comprised of key executives such as the President and Chief Executive Officer and Chief Financial Officer, as well as senior employees that specialize in technology and information security, including the Company's CISO, Chief Technology Officer, and Chief Risk Officer, and representatives from the Board. This committee also monitors current events regarding cybersecurity threats to the Company and more broadly to the financial services industry to help the Company make informed decisions around any necessary internal control enhancements or adjustments. In addition to the IT Steering Committee, the IT Subcommittee assists the CISO to prevent, detect, mitigate, and remediate cybersecurity threats and incidents. The IT Subcommittee typically meets quarterly and consists of members of the information technology and information security teams, the Director of Internal Audit, and senior management members of various business units. This committee is responsible for reviewing information technology and information security projects and the threat landscape.

Given the importance of maintaining the security of the Company's systems and information, cybersecurity risks are also reviewed and addressed when assessing new products and services and any third-party service providers that may be engaged to provide systems and services to the Company. As an essential element of the Company's cybersecurity program, the Company maintains a third-party risk management program that performs initial and ongoing due diligence, evaluates SOC reports and contract safeguards, and monitors incidents at vendors that could impact Company or customer data. As part of this oversight, the Company's Risk Management, Legal and/or Information Security Departments review higher risk and material contracts with third-party service providers. Ongoing diligence is also conducted to confirm that vendors are meeting contractual and data security obligations. The CISO is also responsible for monitoring data security incidents at third parties that have access to the Company's information, which may impact the Company or its customers if that information were compromised. When the Company becomes aware of such events, the CISO engages with the impacted third-party service providers to understand the incident, assess the risk that the Company's information was exposed, and determine methods by which the Company can mitigate any damage and fulfill applicable notification obligations. The Incident Response Core Team, which includes representatives from IT, Risk, and Legal, coordinates the Company's response to such incidents in accordance with existing policies and supports notification, remediation, and any required regulatory reporting.

In an effort to remain vigilant against cybersecurity attacks, the Company further provides annual and ongoing training to all of its employees so that they have an understanding and appreciation of the cybersecurity environment and risks and the Company's policies to combat such risks. Such training includes annual mandatory training sessions on cybersecurity for all employees, periodic informational notices regarding emerging threats, and periodic testing to ensure employees are reporting suspicious activities and are diligent in their efforts to avoid phishing attacks and cybersecurity breaches. The CISO also conducts and participates in annual tabletop exercises with management, and periodically with Directors, in order to be prepared in the event of a material cybersecurity event. The Company's customers are also sources of cybersecurity risk, particularly when their activities and systems are beyond the Company's own security and control systems. The Company engages in periodic outreach with its clients, customers and other external parties concerning cybersecurity risks, including opportunities to improve cybersecurity and avoid scams.

The Company's cybersecurity process and its ability to assess, manage, and remediate cybersecurity risks further centers around good communication among management. Management stays informed on cybersecurity risks through quarterly reports provided by the CRO and CISO to the Company's Management Risk Committee, comprised of executives and senior leadership, as well as open communication with the Risk Management team, including through various reports and weekly reporting by the Chief Risk Officer to the Senior Management Committee about cybersecurity matters, as necessary. In the event there is a material cybersecurity incident, the Company's policies and procedures set forth an action plan, which includes notification of the appropriate personnel and management within the Company as well as regulators and impacted customers, as applicable. For certain cybersecurity incidents, including, but not limited to, incidents that are deemed material pursuant to SEC cybersecurity disclosure rules or that significantly impact vital services provided by the Company, notification is also provided to the Chair of the Board Risk Committee and/or the Chair of the Board. Less severe incidents will be reported by management at the next Board or Risk Committee meeting.

Board of Directors' Role in Cybersecurity

An integral part of the Company's risk management oversight, which includes information security, is the role of the Board. This is reinforced by the independence and reporting structure of the Chief Risk Officer, who oversees the CISO and reports to the Board Risk Committee and administratively to the President and Chief Executive Officer. In addition, cybersecurity risk is a fundamental risk of the Company which is overseen by the Risk Committee of the Board, including Directors with experience in risk management, internal audit, cybersecurity and/or the operations of financial service companies. In particular, the Chair of the Board, Eric E. Stickels, has experience with the risks associated with operating a financial institution based upon his prior service as the President of Oneida Financial Corp. In addition, the Chair of the Risk Committee, Director Kerrie D. MacPherson, has received the Cyber-Risk Oversight Certification issued by the National Association of Corporate Directors ("NACD"), and utilizes their business experience and cyber-risk expertise to assist the Risk Committee in its evaluation of management's cybersecurity systems. Directors Knauss and Singh also serve as Board representatives on the Company's IT Steering Committee and provide valuable oversight and insight to the committee based on their knowledge and business experience across the digital, technology and/or artificial intelligence sectors.

The Risk Committee meets five times a year, during which management provides updates to the committee regarding the material risks facing the Company. As part of this reporting, the Chief Risk Officer and the Risk Management Department have created a risk management program that identifies and evaluates the risks associated with various aspects of the Company's business, and they report their assessments to the Risk Committee for review or approval. Within the risk management process, cybersecurity risks are specifically reviewed and addressed, including risks related to current or proposed products and services to be offered by the Company, as well as the efforts taken or to be taken to mitigate such risks. In addition, on at least a quarterly basis, the CISO presents an Information Security report to the Risk Committee, which includes the Company's cybersecurity alert level, controls rating, current and emerging cybersecurity risks, threats and trends, mitigation efforts and projects, and audit and regulatory updates. On an annual basis, the Board's Audit Committee also receives reports from outside consultants who perform various IT-related audits, and from the Company's independent registered public accounting firm regarding the effectiveness of the Company's cybersecurity program in connection with its review of the Company's financial statements.


Company Information

Name: COMMUNITY FINANCIAL SYSTEM, INC.
CIK: 0000723188
SIC Description: National Commercial Banks
Ticker: CBU - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31