Central Plains Bancshares, Inc. 10-K Cybersecurity GRC - 2024-06-21

Page last updated on July 16, 2024

Central Plains Bancshares, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-21 16:15:58 EDT.

Filings

10-K filed on 2024-06-21

Central Plains Bancshares, Inc. filed a 10-K at 2024-06-21 16:15:58 EDT
Accession Number: 0000950170-24-076246


Item 1C. Cybersecurity.

Cybersecurity is a significant and integrated component of Central Plains Bancshares, Inc.'s risk management strategy. As a financial services corporation, cyber threats are present and growing, and the potential exists for a cybersecurity incident to occur, which could disrupt business operations or compromise sensitive data. To date, the Company has not, to its knowledge, experienced an incident materially affecting or reasonably likely to materially affect the Company.

To prepare for and respond to incidents, the company has implemented a multi-layered cybersecurity strategy integrating people, technology, and processes. This includes employee training, the use of innovative technologies, and the implementation of policies and procedures in the areas of information and network security, data management, business continuity and disaster recovery, privacy, third-party risk management, and incident response. The company engages third-party consultants and independent auditors to, among other things, conduct penetration and vulnerability tests, monitor systems, perform cybersecurity risk assessments, and conduct audits.

The Information Technology Department is primarily responsible for identifying, assessing, and managing material risks from cybersecurity threats. The Information Technology Department is managed by the IT Manager, who reports directly to the Executive Vice President/Chief Operations Officer (COO). The IT Manager has more than seven years of experience with the company and additional years of experience in the information technology ("IT") field. The IT Manager is assisted in overseeing Information Technology by an IT Managed Service Provider firm. The IT Manager and COO oversee the information security program, which is governed by various information security and cybersecurity, systems development, change control, disaster recovery/business continuity, and physical asset classification and control policies.

The Information Security & Network System Policy identifies data sources, threats, and vulnerabilities and ensures awareness, accountability, and oversight for data protection throughout the company and with trusted third parties, so that data is protected and able to be recovered in the event of a breach or failure (technical or other disaster). The Information Technology Department conducts ongoing meetings and reviews with the IT Managed Service Provider to ensure the latest threats and vulnerabilities are addressed. This includes patch management. Quarterly external penetration and vulnerability testing is conducted by a third-party IT audit firm. Business continuity/disaster recovery testing and incident response plan testing is conducted annually by the Board-appointed Disaster Recovery Committee. In addition, the company participates in annual disaster recovery exercises with its core IT system provider. The Board-appointed Technology Committee provides oversight of policies and receives updates including cybersecurity, systems, IT assets, and control policies. The COO is a member of the Technology Committee and the Disaster Recovery Committee, and information from committee meetings and testing is reported to the Board. The company has implemented an Incident Response Plan to provide a structured incident response process for information security incidents that affect any of the information technology systems, network, or data of the company. The Incident Response Plan is implemented and maintained by the COO.

Risk Assessment

On a periodic basis, but not less than annually, the COO, with the assistance of IT Department and Compliance/Risk Management staff, identifies and documents internal and external vulnerabilities that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer records. Based on the results of the risk assessments, the company's processes and policies may be revised to protect against any anticipated threats or hazards to the security or integrity of such information.

Response to Security Vulnerabilities

In response to identified risks, management may take certain steps to correct and respond to security vulnerabilities, which may include:

- Eliminating unwarranted risks by applying vendor-provided software fixes, commonly called patches.
- Ensuring that changes to security configurations are documented, approved, and tested when possible.
- Ensuring that exploitable files and services are assessed and removed or disabled based upon known vulnerabilities and business needs.
- Updating vulnerability scanning and intrusion detection tools to identify known vulnerabilities and related unauthorized activities.
- Conducting subsequent penetration testing and vulnerability assessments, as warranted.
- Reviewing performance with service providers to ensure security maintenance and reporting responsibilities are operating according to contract provisions and that service providers provide notification of system security breaches that may affect the company.

Internal Controls, Audit, and Testing

Regular internal monitoring is integral to the risk assessment process, which includes regular testing of internal key controls, systems, and procedures. In addition, independent third-party penetration and vulnerability testing to test the effectiveness of security controls and preparedness measures is conducted at least annually (generally quarterly for external testing and every 12 to 18 months for internal testing) or more often, if warranted by the risk assessment or other external factors. The COO and IT Manager determine the scope and objectives of the penetration and vulnerability analysis and audits.

Service Providers

Like many companies, the company relies on third-party vendor solutions to support its operations. Many of these vendors, especially in the financial services industry, have access to sensitive and proprietary information. In order to mitigate the operational, informational, and other risks associated with the use of vendors, the company maintains a Vendor Management Program, which is implemented through a Vendor Management Program Policy and includes an onboarding process and periodic reviews of vendors with access to sensitive data. The Vendor Management Program is audited as part of IT audits.

Employees and Training

Employees are the first line of defense against cybersecurity threats. Each employee is responsible for protecting corporation and client information. Employees are provided training at initial onboarding and thereafter regarding information security and cybersecurity-related policies and procedures applicable to their respective roles within the company. In addition, employees are subjected to regular simulated phishing assessments, designed to sharpen threat detection and reporting capabilities. In addition to training, employees are supported with solutions designed to identify, prevent, detect, respond to, and recover from incidents. Notable technologies include firewalls, intrusion detection systems, security automation and response capabilities, multi-factor authentication, data backups to immutable storage, and business continuity applications. Notable services include 24/7 security monitoring and response, continuous vulnerability scanning, third-party monitoring, and threat intelligence.

Board Reporting

At least annually, the Annual Electronic Data Processing Report & Risk Assessment is presented to the Board. The report provides an overview of IT operations, core providers, IT policies, audit and testing information, IT strategic accomplishments, and future planned IT initiatives. The report also includes an IT Risk Assessment and risk matrix. IT audit findings are included on the Master Exam/Audit Tracking Report of Action Items, which is presented to the Board bi-monthly.

Program Adjustments

The COO, with the assistance of the IT Manager, monitors, evaluates, and adjusts the Information Security & Network Systems Policy considering any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.

Incident Response Plan

To ensure that information security incidents can be recovered from quickly and with the least impact to the company and its customers, the company maintains an Incident Response Policy, which is designed to work in conjunction with the Disaster Recovery/Business Continuity Plan. The COO is responsible for implementing and maintaining the Incident Response Policy.


Company Information

Name: Central Plains Bancshares, Inc.
CIK: 0001979332
SIC Description: Savings Institution, Federally Chartered
Ticker: CPBI - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company; Emerging growth company
Fiscal Year End: March 30