Provident Bancorp, Inc. /MD/ 10-K Cybersecurity GRC - 2024-03-28

Page last updated on July 16, 2024

Provident Bancorp, Inc. /MD/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 17:07:04 EDT.

Filings

10-K filed on 2024-03-28

Provident Bancorp, Inc. /MD/ filed a 10-K at 2024-03-28 17:07:04 EDT
Accession Number: 0001778784-24-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy As part of our overall Enterprise Risk Management strategy, we maintain a robust Information Technology and Security Management Program (“ITSM”) which includes processes to assess, identify, monitor and manage cybersecurity risks. The program includes provisions for annual cybersecurity risk assessments, ongoing monitoring and testing, as well as annual training for employees, executives, and Board Members. We use the Federal Financial Institutions Examination Council’s (“FFIEC”) cybersecurity assessment tool to identify risks and ascertain cybersecurity preparedness and the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework to benchmark our internal policies and procedures against best practices. We engage consultants and auditors to assist in the completion of our annual risk assessment and review of controls related to the ITSM. The Company also maintains a robust Vendor Risk Management program to manage risks related to third-party relationships in a manner that is consistent with the Company’s strategic goals, organizational objectives, and risk appetite. This includes comprehensive risk and control assessments with respect to the appropriate safeguarding of sensitive information. To date, there have been no cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect the Company, the Bank, our business strategy, results of operations, or financial condition. Governance The Board of Directors is responsible for overseeing the development, approval, implementation and maintenance of the ITSM, including overseeing the program’s execution in accordance with the overall strategic goals of the Bank. The Board conducts oversight, in part, through the use of committees. The Risk Management Committee (“RMC”) of the Board of Directors is charged with monitoring and reviewing risk assessments, assurance, testing, and training as well as overseeing the correction of identified deficiencies as they relate to the ITSM. The Company’s Information Security team, with input from the Information Technology and Risk departments, is responsible for incident management, disaster recovery, business continuity and cybersecurity programs and policies. The Bank’s Incident Response Manual and Cyber Incident Policy outline how potential cybersecurity threats or incidents are communicated to the RMC. The RMC is responsible for determining if cybersecurity incidents or threats should be escalated to the Board of Directors. The information security team and the RMC work together to mitigate cybersecurity threats or incidents. The information security officer (“ISO”) is responsible for cybersecurity under the ITSM and is a licensed Certified Internal Auditor, who has experience with the Massachusetts Division of Banks specializing in information technology examinations. The ISO reports directly to the VP, Operational Risk who was a former Chief Information Security Officer (“CISO”) for the United States segment of a multi-national bank. The Chief Operating Officer, who is a member of the executive team and RMC, is a former CISO and holds both a Certified Fraud Examiner and Certified Information Security Manager certification. The Chair of the RMC of the Board also has multiple certifications in information and cybersecurity, including a Certified Information Systems Security Professional certification.


Company Information

NameProvident Bancorp, Inc. /MD/
CIK0001778784
SIC DescriptionSavings Institutions, Not Federally Chartered
TickerPVBC - Nasdaq
Website
CategoryNon-accelerated filer
Smaller reporting company
Fiscal Year EndDecember 30