ARROW FINANCIAL CORP 10-K Item 1C. Cybersecurity - 2026-03-06

Get alerts

ARROW FINANCIAL CORP disclosed their cybersecurity strategy, risk management and governance process in an annual SEC Filing 10-K filing on 2026-03-06 12:55:17 EST

Company Summary
Filings
- 10-K filed on 2026-03-06
Company
- Profile

Company Summary

Arrow Financial Corporation is a bank holding company that owns and supervises Arrow Bank and various non-bank subsidiaries (including an insurance agency, a registered investment adviser and a REIT). Through Arrow Bank it provides commercial and consumer banking, lending (including indirect auto lending), deposit, trust and wealth management services primarily in upstate New York (and indirect consumer lending in New York and Vermont).

Looking for governance insights? View the comprehensive Cyber Governance Profile for ARROW FINANCIAL CORP.

Filings

10-K filed on 2026-03-06

ARROW FINANCIAL CORP filed an SEC Filing 10-K filing on 2026-03-06 12:55:17 EST.
Accession Number: 0000717538-26-000037

Item 1C. Cybersecurity

Item 1C - Cybersecurity

Item 1C . Cybersecurity

Regulatory Supervision

Arrow and its subsidiaries are subject to the provisions in the Gramm-Leach-Bliley Act relating to data security, as well as many federal and state laws, regulations and regulatory interpretations which impose standards and requirements related to cybersecurity.

Cybersecurity Risk Management & Strategy

Arrow has implemented processes designed to oversee and identify risk from cybersecurity breaches. Arrow's cybersecurity risk management and data security program is an in-depth, layered, defensive approach that leverages people, processes and technology to manage and maintain cybersecurity controls. Arrow employs a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected advanced persistent cybersecurity threats. Our security framework involves processes for detection, identification, protection and response to a cybersecurity incident. Additionally, we are well prepared for recovery in the case of a cybersecurity incident with proper vendor support as well as backups both online and offline. Arrow also regularly assesses and tests its security systems and disaster preparedness, including the adequacy and functionality of its backup systems.

Arrow also regularly reviews and updates its existing internal controls and procedures and corporate governance policies and procedures intended to protect its business operations, which includes the security and privacy of the confidential information of its customers. In addition, Arrow engages a variety of vendors to meet data processing and communication needs, including evaluating our cybersecurity readiness and resilience through ongoing vulnerability assessments and audits. Arrow communicates and works directly with all of our critical information technology ("IT") vendors to resolve issues and install releases. We perform business continuity plan testing on a periodic basis. Additionally, as part of our third-party risk management program, we require specific security standards for third-party providers.

Arrow has not experienced a material effect on the Company's business strategy, results of operations or financial condition as a result of a significant compromise, significant data loss or any material financial losses related to cybersecurity incidents or other security problems. See Item 1A., Risk Factors , "Operational Risks" above.

Cybersecurity and the continued enhancement of Arrow's controls and processes to protect its systems, data and networks from cybersecurity incidents remain a priority to Arrow.

Governance

Arrow's senior management regularly considers the impact of cybersecurity risks when developing its business strategy and financial planning. Arrow has various policies and procedures in place to mitigate cybersecurity risks and maintains a layered, defensive program to manage and maintain cybersecurity controls.

Arrow's Board of Directors, Chief Information Officer, Director of IT and the Enterprise Risk Management ("ERM") committee at the senior management level all have a role in the cybersecurity risk management program. The Board receives quarterly reports from the ERM committee regarding relevant key risk indicators, which include incident response reporting, information technology and cybersecurity initiatives, and the results of ongoing vulnerability assessments and audits.

The ERM Committee is chaired by the Chief Risk Officer and includes the Chief Information Officer, Director of Information Technology, and Director of Internal Audit. The members of our ERM committee collectively have expertise and insight into cybercrime prevention, social engineering, identity theft, and fraud prevention.

Company

Profile

Name	ARROW FINANCIAL CORP
CIK	717538
SIC Description
Industry
Ticker	AROW
Website	https://www.arrowfinancial.com
Category
Fiscal Year End	December 31