Northfield Bancorp, Inc. 10-K Cybersecurity GRC - 2026-03-02

Page last updated on March 2, 2026

Northfield Bancorp, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-02 15:29:23 EST.

Filings

10-K filed on 2026-03-02

Northfield Bancorp, Inc. filed a 10-K at 2026-03-02 15:29:23 EST
Accession Number: 0001493225-26-000037


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

Our cybersecurity risk management program is aligned with the Company's business strategy and is integrated into the Company's Enterprise Risk Management ("ERM") framework. The program is designed to identify, assess, manage, and monitor risks to the confidentiality, integrity, and availability of the Company's identified critical systems and information. The program leverages common methodologies, reporting channels and governance processes used across other enterprise risk areas, including third-party relationships, legal, compliance, strategic, operational, and financial risks.

Key elements of the Company's enterprise cybersecurity risk management program include:

- implementation of policies and procedures addressing areas including, but not limited to, Information Security, Business Continuity, Disaster Recovery, Privacy, Third-Party Relationship Risk Management, Enterprise Risk Management, and Incident Response, which are periodically reviewed and updated in response to evolving threats and regulatory requirements;
- cybersecurity risk assessments designed to help identify material cybersecurity risks to our identified critical systems, data, products, services, and our broader information technology environment, with identified risks prioritized based on potential impact and likelihood and escalated through established ERM governance processes;
- an independent second-line risk management function, the Information Security Department, which is primarily responsible for managing our cybersecurity risk assessment processes, coordinating execution of the incident response plan, and monitoring the performance and operations of security controls;
- the use of external service providers, where appropriate, to assess, test and enhance our security controls, including penetration testing, employee training, and tabletop exercises;
- a Company-wide employee training and awareness program that includes periodic security assessments to test knowledge and reinforce adherence to security processes and controls, including simulated phishing exercises;
- membership in the Financial Services Information Sharing and Analysis Center (FS-ISAC) and annual participation in the Cyber Attacks against Payment Systems (CAPS) exercises;
- periodic reporting of cybersecurity metrics and threat intelligence to both the Management Risk and CIT Committees;
- a cybersecurity incident response plan that includes procedures for the detection, containment, remediation, recovery, and post-incident review of cybersecurity incidents, coordinated with legal, compliance, and applicable regulatory requirements; and
- a third-party relationships risk management process that evaluates, monitors, reports on, and mitigates cybersecurity risks associated with service providers, suppliers, and vendors throughout the vendor lifecycle, including onboarding, ongoing monitoring, and termination.

The Board of Directors, through its CIT Committee, provides oversight of the Company's cybersecurity risk management program, including review of material cybersecurity risks, incidents, and management's mitigation activities. Cybersecurity risks and incidents are evaluated through the Company's disclosure controls and procedures to determine whether public disclosure is required.

Based on management's current assessment, risks from cybersecurity threats, including any previous cybersecurity events, have not materially affected and are not reasonably likely to materially affect the Company's business strategy, results of operations, or financial condition. Any expenses incurred from cybersecurity incidents to date have been immaterial.

While the Company has not experienced material cybersecurity incidents to date, the cybersecurity threat landscape continues to evolve, and risks may increase due to factors such as heightened fraud activity, increased reliance on third-party technology providers, and broader systemic or geopolitical events. For a discussion of whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition, refer to Item 1A. Risk Factors - "Risks Related to Operational Matters."

Cybersecurity Governance

The Board of Directors has established the CIT Committee with specific responsibilities for overseeing the Company's cybersecurity risk management program, among other things. The Chief Information Security Officer ("CISO") provides the CIT Committee with periodic reports regarding cybersecurity risks, threat activity, and any cybersecurity incidents determined to be material. The CIT Committee also retains an independent external cybersecurity consultant who, at the Committee's request, periodically attends the CIT Committee meetings and provides independent perspectives directly to the Committee Chair. The external cybersecurity consultant also provides periodic cybersecurity education and training to the CIT Committee and the full Board of Directors.

The Company maintains an Information and Cybersecurity Program led by our Chief Risk Officer ("CRO"), Chief Information Officer ("CIO"), and CISO. The program is designed to identify and mitigate information security risks and to provide timely Board oversight. The CRO briefs the Board of Directors on cybersecurity and information security matters during regular Board meetings to ensure alignment with the Company's risk profile and ERM framework.

The Information Security Department is primarily responsible for identifying, assessing, and managing material cybersecurity risks and overseeing cybersecurity risks associated with third-party relationships. The department is led by the CISO, who has cybersecurity experience, training, and professional certifications. The CISO and our CIO, along with members of their teams, regularly engage with peer institutions, industry groups, and public- and private-sector partners to discuss cybersecurity trends, emerging threats, and industry practices. The cybersecurity risk management program is periodically reviewed and updated in response to evolving threats and conditions.

The internal audit function, led by our Chief Internal Auditor, provides independent assurance over cybersecurity-related processes, controls, and risk management practices to assess whether they are appropriately designed and operating effectively.

The Information Security Department monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through various means, including briefings with internal security personnel, threat intelligence obtained from governmental, public or private sources, information provided by external consultants, and alerts and reports generated by security tools deployed within the Company's information technology environment. Management has authority to escalate significant cybersecurity risks or incidents to the CIT Committee or the full Board of Directors between scheduled meetings, as appropriate.


Company Information

Name: Northfield Bancorp, Inc.
CIK: 0001493225
SIC Description: Savings Institution, Federally Chartered
Ticker: NFBK - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 31