PFS Bancorp, Inc. 10-K Cybersecurity GRC - 2024-03-26

Page last updated on July 16, 2024

PFS Bancorp, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-26 17:19:31 EDT.

Filings

10-K filed on 2024-03-26

PFS Bancorp, Inc. filed a 10-K at 2024-03-26 17:19:31 EDT
Accession Number: 0001558370-24-003964


Item 1C. Cybersecurity.

Risk Management and Strategy

Our risk management program is designed to identify, assess, and mitigate risks across various aspects of the Company, including financial, operational, regulatory, reputational, and legal. Cybersecurity is a critical component of this program, given the increasing reliance on technology and potential of cyber threats. Our Information Technology Officer is primarily responsible for this cybersecurity component and is a key member of the risk management organization, reporting directly to the President and, as discussed below, periodically to our board of directors. Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse our system or information. The structure of our information security program is designed around the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, regulatory guidance, and other industry standards. In addition, we leverage certain industry and government associations, third-party benchmarking, audits, and threat intelligence feeds to facilitate and promote program effectiveness. Our Information Technology Officer and Information Security Officer, who report directly to our board of directors, regularly collaborate with peer banks, industry groups, and policymakers to discuss cybersecurity trends and issues and identify best practices. The information security program is reviewed by such personnel with the goal of addressing changing threats and conditions. We employ an in-depth, layered, defensive strategy that embraces a “trust by design” philosophy when designing new products, services, and technology. We leverage people, processes, and technology as part of our efforts to manage and maintain cybersecurity controls.

We also employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. We have established processes and systems designed to mitigate cyber risk, including regular and on-going education and training for employees, preparedness simulations and tabletop exercises, and recovery and reliance tests. We engage in regular assessments of our infrastructure, software systems, and network architecture, using third-party cybersecurity experts. We also maintain a third-party risk management program designed to identify, assess, and manage risks, including cybersecurity risks, associated with external service providers and our supply chain. We also actively monitor our email gateways for malicious phishing email campaigns and monitor remote connections. We leverage external auditors and independent external partners to periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and make recommendations to strengthen our risk management program.

We maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification of and escalation to the appropriate Board-approved management committees, as discussed further below, and to the board of directors. The Incident Response Plan is coordinated through the Information Technology Officer, and key members of management are embedded into the Plan by its design. The Incident Response Plan facilitates coordination across multiple parts of our organization and is evaluated at least annually. Notwithstanding our defensive measures and processes, the threat posed by cyber-attacks is severe. Our internal systems, processes, and controls are designed to mitigate loss from cyber-attacks and, while we have experienced cybersecurity incidents in the past, risks from cybersecurity threats have not materially affected our company.

Governance

Our Information Technology Officer is accountable for managing our enterprise information security function and delivering our information security program. The responsibilities of this position include cybersecurity risk assessment, defense operations, incident response, vulnerability assessment, threat intelligence, identity access governance, third-party risk management, and business resilience. The foregoing responsibilities are covered on a day-to-day basis by a first line of defense function, and our second line of defense function, including the Information Security Officer, provides guidance, oversight, monitoring and challenge of the first line’s activities. The second line of defense function is separated from the first line of defense function through organizational structure and ultimately reports directly to the board of directors. The function, as a whole, consists of information security professionals with varying degrees of education and experience. Individuals responsible, including third-party vendors, are generally subject to professional education and certification requirements.

Our board of directors has approved management committees including the Information Technology Committee, which focuses on technology impact and its business impact. This committee provides oversight and governance of the technology program and the information security program. This committee is chaired by the Information Technology Officer and includes the Information Security Officer and the Chief Operations Officer. This committee generally meets monthly to provide oversight of the risk management strategy, standards, policies, practices, controls, and mitigation and prevention efforts employed to manage security risks. More frequent meetings occur from time to time in accordance with the Incident Response Plan in order to facilitate timely informing and monitoring efforts. The Information Technology Officer reports summaries of key issues, including significant cybersecurity and/or privacy incidents, discussed at committee meetings and the actions taken to the board of directors on a quarterly basis (or more frequently as may be required by the Incident Response Plan).

The board of directors is responsible for overseeing our information security and technology programs, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. Our Information Technology Officer and Information Security Officer provide quarterly reports to the board of directors regarding the information security program and the technology program, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes. The board of directors reviews and approves our information security and technology budgets and strategies annually. Additionally, the board of directors reviews our cybersecurity risk profile on a quarterly basis.


Company Information

Name: PFS Bancorp, Inc.
CIK: 0001967656
SIC Description: Savings Institutions, Not Federally Chartered
Ticker: PFSB - OTC
Website: (not listed)
Category: Non-accelerated filer; Smaller reporting company; Emerging growth company
Fiscal Year End: December 30