Page last updated on March 2, 2026
Beacon Financial Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-02 16:31:28 EST.
Filings
10-K filed on 2026-03-02
Beacon Financial Corp filed a 10-K at 2026-03-02 16:31:28 EST
Accession Number: 0001628280-26-013247
Item 1C. Cybersecurity

As a financial services company, we face cybersecurity risks and threats, and our customers, suppliers, and third-party service providers face cybersecurity risks and threats. As part of the operation of our business, the Company uses, stores, and processes data for our customers, employees, partners, and suppliers. A cybersecurity incident impacting any of these entities could materially adversely affect our operations, performance, or results of operations. In addition, as a financial services company we are subject to extensive regulatory compliance requirements, including those established by the FRB and MDOB.

The Company maintains a robust Information Security Program (the "Program") that is designed to identify, assess and mitigate risks from cybersecurity threats to the data and our systems. The Program establishes a regular cadence for review and update to the then-current standards for evaluating electronic and physical methods of accessing, collecting, storing, using, transmitting, disposing of, and protecting sensitive information, including customer information, under guidelines established as part of GLBA. The Company uses or adheres to relevant standards and frameworks from the FFIEC and NIST, among others, to assess information security risks and controls, as well as to assess the maturity and effectiveness of the Program.

Risk Management Oversight and Governance

The Company's Chief Security Officer ("CSO") has primary responsibility for assessing and managing the Program and reporting on cybersecurity matters to the Board of Directors. The CSO reports directly to the Chief Information Officer. The CSO is responsible for the implementation, maintenance, and enforcement of the Program. The CSO has extensive experience managing information security systems and holds the Certified Information Security Manager (CISM) designation. Our CSO regularly updates members of executive management on developments surrounding cybersecurity.

The CSO reports to the Risk Committee of the Board of Directors and provides regular reports to the Risk Committee on emerging cybersecurity issues and the Company's cybersecurity infrastructure. The Program is overseen by the Board of Directors, which has delegated certain responsibilities to the Risk Committee. The Board of Directors oversees management's processes for identifying and mitigating risks, including cyber risks, to assist in the alignment of the Company's risk exposure with the Company's overall risk tolerances. The Board of Directors has also engaged an experienced information security advisor to assist with cybersecurity and data privacy oversight responsibilities. This advisor provides the Board of Directors with independent updates on external market cybersecurity threats and emerging risks on a regular basis.

The Risk Committee, the Audit Committee, and the Board of Directors are active in understanding and evaluating cybersecurity risks. The Risk Committee receives and reviews a quarterly Enterprise Risk Management ("ERM") report from the Chief Risk Officer that is the culmination of a process that involves discussions with leaders across the Company and incorporates a number of enterprise risk factors, including those related to cybersecurity threats. The Audit Committee receives the results of internal and external penetration testing as well as any other audits applicable to the Company's information security programs. The Audit Committee actively engages management in discussions surrounding the outcome of these audits.

At least annually, the Risk Committee receives a report from the CSO covering the Company's Program. This report includes a review of the overall status of the Program, any material matters related to the Program, enhancements made or recommended to be made to the Program, a discussion of management's actions to identify and detect threats, Key Risk Indicators and planned action steps in the event of an incident, an overview of the results of testing, any security breaches or violations, and an overview of employee training and engagement efforts. The Chair of the Risk Committee reports to the Board of Directors on this presentation. In addition, separately, on at least an annual basis, the Risk Committee receives updates from the CSO on the Company's Incident Response Plan, which outlines steps to be followed in the event of an incident, including detection, mitigation, recovery, notification (including notification to senior management, the Board of Directors, and functional business areas), and remediation.

Cybersecurity Risk Management Program

The Program is designed to identify, assess, manage, mitigate, and respond to cyber threats with the goal of preventing cybersecurity incidents to the extent feasible, while also increasing our system resilience to minimize business disruption in the event we experience a cyber event. Our Program is structured to be nimble and adaptable to changes in cybersecurity threats over time and to respond to emerging threats in a timely and efficient manner. Our Program consists of a layered cybersecurity approach and is incorporated into our overall ERM program. The Program is evaluated on a regular basis, at least annually, and adjustments to the Program are made based on the results of these evaluations and changes to industry standards. The Company maintains a Third-Party Risk Management program to manage risks related to third-party relationships in a manner that is consistent with the Company's risk appetite. This includes risk and control assessments to provide for the appropriate safeguarding of sensitive information.

The Company has a dedicated internal Security Operations Center ("SOC") and a Managed Detection and Response ("MDR") third-party service that provides 24/7/365 monitoring of its environment to investigate and respond to security alerts. Log sources are mapped to the MITRE ATT&CK framework to ensure appropriate security monitoring and gap analysis to detect and respond to attacks. Threat intelligence is used with contextual risk approaches to identify threats and prioritize response. Threat hunts operate both proactively and reactively to look for relevant behaviors and indicators of compromise from cybersecurity events or zero-day vulnerabilities.

The Company maintains an Incident Response Plan that is designed to timely and effectively address the handling of security incidents. This includes providing the Company with a detailed outline of how to respond to a security incident, team responsibilities, contact information for key resources, definitions for determining the severity and escalation of security incidents, and pre-built playbooks to respond to the most common types of security incidents, including ransomware. Incident response and escalation plans are tested and reviewed for improvements at least annually. An incident response retainer with an approved third party is contracted to assist in responding to security incidents and to conduct forensic investigations involving the potential compromise of sensitive data or information assets. All employees are required to complete privacy and information security awareness training upon joining the Company and on an annual basis. This includes incident response training on how to communicate potential or actual incidents.

Our Company faces a number of cybersecurity risks in connection with the operation of our business which could have a material adverse effect on our business, financial condition, results of operations, cash flows, or reputation. Although, to date, such risks have not materially affected us, we have, from time to time, experienced threats to and breaches of our data, including breaches caused by human error or breaches affecting third parties of the Company. For more information about the cybersecurity risks we face, see the risk factors entitled "We face continuing and growing security risks to our information base, including the information we maintain relating to our customers." and "We rely on other companies to provide key components of our business infrastructure." in Item 1A. Risk Factors.
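The disclosure above says the SOC maps its log sources to the MITRE ATT&CK framework for monitoring and gap analysis. The script below is an added illustration of what that gap analysis looks like in practice; it is not code from the filing or from Beacon Financial Corp. The technique IDs are real ATT&CK identifiers, but the technique-to-data-component mapping and the log-source catalog are a constructed, simplified subset chosen for the example; an SOC would build both from the current ATT&CK knowledge base and its own SIEM inventory.

```python
"""Gap analysis of onboarded log sources against MITRE ATT&CK techniques.

Added example, not part of the 10-K filing. The mappings below are a
constructed illustrative subset, not the authoritative ATT&CK data.
"""
from collections import Counter, defaultdict

# Constructed: which ATT&CK data components can detect each technique.
# IDs/names are real ATT&CK techniques; the component lists are simplified.
TECHNIQUE_DATA_SOURCES = {
    "T1059": {"name": "Command and Scripting Interpreter", "tactic": "Execution",
              "sources": {"Process: Process Creation", "Command: Command Execution"}},
    "T1078": {"name": "Valid Accounts", "tactic": "Defense Evasion",
              "sources": {"Logon Session: Logon Session Creation",
                          "User Account: User Account Authentication"}},
    "T1003": {"name": "OS Credential Dumping", "tactic": "Credential Access",
              "sources": {"Process: OS API Execution", "Process: Process Access"}},
    "T1486": {"name": "Data Encrypted for Impact", "tactic": "Impact",
              "sources": {"File: File Modification", "Process: Process Creation"}},
    "T1566": {"name": "Phishing", "tactic": "Initial Access",
              "sources": {"Network Traffic: Network Traffic Content",
                          "Application Log: Application Log Content"}},
}

# Constructed: the data components each onboarded log source delivers to the SOC.
LOG_SOURCE_CATALOG = {
    "windows-security-eventlog": {"Logon Session: Logon Session Creation",
                                  "Process: Process Creation"},
    "sysmon": {"Process: Process Creation", "Command: Command Execution",
               "Process: Process Access"},
    "email-gateway": {"Application Log: Application Log Content"},
}


def collected_components(log_sources, catalog=LOG_SOURCE_CATALOG):
    """Union of the data components delivered by the named log sources."""
    components = set()
    for name in log_sources:
        if name not in catalog:
            raise KeyError(f"unknown log source: {name}")
        components |= catalog[name]
    return components


def coverage_report(log_sources, techniques=TECHNIQUE_DATA_SOURCES,
                    catalog=LOG_SOURCE_CATALOG):
    """Per technique: 'full' (all components collected), 'partial' (some),
    or 'none', plus the sorted list of components still missing."""
    have = collected_components(log_sources, catalog)
    report = {}
    for tid, info in techniques.items():
        needed = info["sources"]
        present = needed & have
        if present == needed:
            status = "full"
        elif present:
            status = "partial"
        else:
            status = "none"
        report[tid] = {"status": status, "missing": sorted(needed - have)}
    return report


def gaps_by_tactic(report, techniques=TECHNIQUE_DATA_SOURCES):
    """Techniques with no coverage at all, grouped by ATT&CK tactic, so the
    SOC can see which phases of an attack it is currently blind to."""
    gaps = defaultdict(list)
    for tid, result in report.items():
        if result["status"] == "none":
            gaps[techniques[tid]["tactic"]].append(tid)
    return {tactic: sorted(ids) for tactic, ids in gaps.items()}


def rank_missing_components(report):
    """Count how many techniques each absent data component would help cover,
    most valuable first; a simple way to prioritise log-source onboarding."""
    counter = Counter()
    for result in report.values():
        counter.update(result["missing"])
    return counter.most_common()


if __name__ == "__main__":
    # Worst case for the example: only the email gateway is onboarded.
    report = coverage_report(["email-gateway"])
    for tid, result in report.items():
        print(tid, TECHNIQUE_DATA_SOURCES[tid]["name"], result["status"],
              "missing:", result["missing"])
    print("blind spots by tactic:", gaps_by_tactic(report))
    print("onboard next:", rank_missing_components(report))
```

Running the script with only the email gateway onboarded shows four techniques with no coverage and ranks "Process: Process Creation" as the single most valuable missing component, since it contributes to two of them; that is the kind of output that turns an ATT&CK mapping into a concrete log-onboarding priority list.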
Company Information
| Field | Value |
|---|---|
| Name | Beacon Financial Corp |
| CIK | 0001108134 |
| SIC Description | Savings Institutions, Not Federally Chartered |
| Ticker | BBT - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |