ARROW FINANCIAL CORP 10-K Cybersecurity GRC - 2026-03-06

Page last updated on March 6, 2026

ARROW FINANCIAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-06 12:55:17 EST.

Filings

10-K filed on 2026-03-06

ARROW FINANCIAL CORP filed a 10-K at 2026-03-06 12:55:17 EST
Accession Number: 0000717538-26-000037

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C . Cybersecurity Regulatory Supervision Arrow and its subsidiaries are subject to the provisions in the Gramm-Leach-Bliley Act relating to data security, as well as many federal and state laws, regulations and regulatory interpretations which impose standards and requirements related to cybersecurity. Cybersecurity Risk Management & Strategy Arrow has implemented processes designed to oversee and identify risk from cybersecurity breaches. Arrow's cybersecurity risk management and data security program is an in-depth, layered, defensive approach that leverages people, processes and technology to manage and maintain cybersecurity controls. Arrow employs a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected advanced persistent cybersecurity threats. Our security framework involves processes for detection, identification, protection and response to a cybersecurity incident. Additionally, we are well prepared for recovery in the case of a cybersecurity incident with proper vendor support as well as backups both online and offline. Arrow also regularly assesses and tests its security systems and disaster preparedness, including the adequacy and functionality of its backup systems. Arrow also regularly reviews and updates its existing internal controls and procedures and corporate governance policies and procedures intended to protect its business operations, which includes the security and privacy of the confidential information of its customers. In addition, Arrow engages a variety of vendors to meet data processing and communication needs, including evaluating our cybersecurity readiness and resilience through ongoing vulnerability assessments and audits. Arrow communicates and works directly with all of our critical information technology ("IT") vendors to resolve issues and install releases. We perform business continuity plan testing on a periodic basis. Additionally, as part of our third-party risk management program, we require specific security standards for third-party providers. Arrow has not experienced a material effect on the Company's business strategy, results of operations or financial condition as a result of a significant compromise, significant data loss or any material financial losses related to cybersecurity incidents or other security problems. See Item 1A., Risk Factors , "Operational Risks" above. Cybersecurity and the continued enhancement of Arrow's controls and processes to protect its systems, data and networks from cybersecurity incidents remain a priority to Arrow. Governance Arrow's senior management regularly considers the impact of cybersecurity risks when developing its business strategy and financial planning. Arrow has various policies and procedures in place to mitigate cybersecurity risks and maintains a layered, defensive program to manage and maintain cybersecurity controls. 19 Arrow's Board of Directors, Chief Information Officer, Director of IT and the Enterprise Risk Management ("ERM") committee at the senior management level all have a role in the cybersecurity risk management program. The Board receives quarterly reports from the ERM committee regarding relevant key risk indicators, which include incident response reporting, information technology and cybersecurity initiatives, and the results of ongoing vulnerability assessments and audits. The ERM Committee is chaired by the Chief Risk Officer and includes the Chief Information Officer, Director of Information Technology, and Director of Internal Audit. The members of our ERM committee collectively have expertise and insight into cybercrime prevention, social engineering, identity theft, and fraud prevention.

Company Information