NBT BANCORP INC 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

NBT BANCORP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 17:20:55 EST.

Filings

10-K filed on 2026-02-27

NBT BANCORP INC filed a 10-K at 2026-02-27 17:20:55 EST
Accession Number: 0001140361-26-007179


Item 1C. Cybersecurity.

Risk Management and Strategy

In line with our commitment to strong corporate governance and operational resilience, we continuously assess and mitigate cybersecurity risks that could impact our business, stakeholders, and the integrity of our systems. Cybersecurity risk management is integrated into our broader enterprise risk management framework and supports the continuity of our operations. We assess cybersecurity risks across our information systems, including systems and data maintained by third-party service providers, using a risk-based approach that incorporates periodic risk assessments, vulnerability scanning, penetration testing, and monitoring of emerging threats. We also consider industry-specific risks and participate in industry information-sharing initiatives to enhance our awareness of evolving threat intelligence and best practices.

Our cybersecurity program emphasizes prevention, detection, and response. We provide continuous training for our employees to promote awareness of cybersecurity risks and invest in appropriate technologies, personnel and processes to support our information security objectives. Additionally, we assess cybersecurity risks associated with third-party service providers using a risk-based approach that considers the nature and scope of their services. Our comprehensive policies and procedures are designed to safeguard the integrity and security of information collected by us and our service providers. We have also implemented security measures to prevent unauthorized access to personal data and mitigate potential incidents. Furthermore, we incorporate lessons learned from any past incidents and near misses to enhance the effectiveness of our controls. NBT collaborates with external experts to conduct audits, assessments, and validations of our cybersecurity controls, aligning them with established frameworks such as the National Institute of Standards and Technology ("NIST") Cybersecurity Framework. We adapt our cybersecurity policies, standards, processes, and practices based on insights from these reviews.

Governance

The Board oversees cybersecurity risk as part of its broader oversight of business strategy and enterprise risk management. It is the responsibility of the Risk Management Committee ("RMC"), a committee of the Board, to oversee efforts to develop and formally approve the written Information Security Program ("ISP"), implement, maintain and monitor the program, and review management reports and policies related to cyber incidents. The RMC is led by our Chief Risk Officer and composed of Board members as well as the Chief Executive Officer. Cybersecurity risks are reported to the RMC at least quarterly, and those reports include key performance indicators, test results, recent threats and how the Company is managing those threats, along with the effectiveness of the ISP. The RMC receives briefings from executive management on activities, including those related to cybersecurity risk oversight. The Board reviews the overall ISP at least annually.

NBT has appointed the Senior Director of Information Security ("DISO") to oversee the implementation, coordination, and maintenance of the ISP. The DISO's responsibilities include:
● Leading the initial implementation of the ISP, including assessing internal and external risks to institutional data and documenting findings through risk assessment reports and remediation plans;
● Coordinating the development, distribution, and maintenance of information security policies and procedures;
● Designing and implementing administrative, technical, and physical safeguards to protect institutional data across the company.

The DISO reports to the Chief Risk Officer and has over 17 years of experience in information security, including extensive responsibility for developing, implementing and overseeing the Company's information security program. The DISO's experience includes cybersecurity risk management, cybercrime prevention, incident response, social engineering, identity theft, and fraud prevention, gained through long-term leadership in information security roles within the organization.

The DISO also supervises the Incident Response Team ("IRT"), which consists of senior executives, including the Chief Audit Officer, Chief Risk Officer, General Counsel, and representatives from Information Security, Enterprise Technology, Operations, Accounting, and Communications. Upon detecting an incident, the IRT promptly convenes to assess its severity, categorizing it as low, medium, or high. The response protocol follows the Cybersecurity and Infrastructure Security Agency ("CISA") Cybersecurity Incident and Vulnerability Response Playbook (November 2021) and incorporates generally recognized cybersecurity incident response practices. The IRT has procedures and escalation protocols to escalate significant cybersecurity matters to the Executive Committee, the RMC and/or full Board, as deemed necessary. During the incident review process, senior management, in collaboration with relevant personnel from information technology, data security, and external cybersecurity firms specializing in forensic investigations, when necessary, assesses the materiality of the breach alongside the severity scale. This evaluation aims to accurately identify risks and potential operational and business impacts. Materiality determination involves an objective analysis of both quantitative and qualitative factors, including an evaluation of impact and reasonably likely impacts.

We maintain cybersecurity insurance; however, such coverage may not be sufficient to cover all potential losses. As of December 31, 2025, we have not had any known instances of material cybersecurity incidents, including third-party incidents, during any of the prior three fiscal years. However, cybersecurity threats continue to evolve, and there can be no assurance that future incidents will not occur. For further discussion of such risks, see the section captioned "Risks Related to Information Technology, Cybersecurity and Data Privacy" in Item 1A. Risk Factors of this Form 10-K.


Company Information

Name: NBT BANCORP INC
CIK: 0000790359
SIC Description: National Commercial Banks
Ticker: NBTB - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 31