PROVIDENT FINANCIAL HOLDINGS INC 10-K Cybersecurity GRC - 2024-08-30

Page last updated on August 30, 2024

PROVIDENT FINANCIAL HOLDINGS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-30 17:23:31 EDT.

Filings

10-K filed on 2024-08-30

PROVIDENT FINANCIAL HOLDINGS INC filed a 10-K at 2024-08-30 17:23:31 EDT
Accession Number: 0000939057-24-000247


Item 1C. Cybersecurity.

Managing technology risks, including cybersecurity risks, is a fundamental part of the Corporation’s risk management framework and processes. The Corporation employs a variety of processes, risk assessments, and controls to assess, identify, and manage these risks. This includes estimating the likelihood and potential impact of cybersecurity incidents. To manage these risks, the Corporation designs, documents, and implements controls, which are then tested through compliance assessments and internal and external audits. In some cases, the Corporation also transfers risk, either wholly or partially, through insurance and other methods. When an incident occurs, the Corporation responds by remediating the incident while complying with regulatory obligations, and then evaluates the remediation’s effectiveness. Communication about risk management matters is conducted through documented policies and procedures, management and Board committee reporting, and employee training and communications. For a detailed description of how cybersecurity risks may materially affect the Corporation’s business strategy or results, see “Item 1A. Risk Factors.”

The Corporation’s information technology risk management department consists of professionals with experience and expertise in cybersecurity, including specialists in identity and access management, cyber defense operations, security engineering, and information technology governance, risk, and compliance. This department is led by the Chief Information Officer (“CIO”), who has over 27 years of experience in technology risk management, and the Information Security Officer (“ISO”), who has a bachelor in computer science and has over 18 years of experience in cybersecurity risk management. The ISO reports to the CIO, and the CIO reports directly to the President and Chief Executive Officer.

Additionally, the Corporation engages third-party experts as needed to assess, manage, and respond to cybersecurity risks through various methods, including risk assessments, IT audits based on different frameworks, penetration and vulnerability testing, social engineering, incident response, threat intelligence, education, and managed security services. The Corporation also monitors risks from third parties, such as service providers, through efforts like monitoring, information sharing, risk assessments, audits, contractual due diligence, and adherence to third-party security standards.

Senior management governs risk management and is informed about and monitors the prevention, detection, mitigation, and mediation of cybersecurity incidents. This is facilitated through working review committees, on which the ISO and/or CIO serve. These committees receive risk management reports appropriate to their scope of review, covering assessment results, risk ratings, and critical issues. They report significant matters to enterprise-wide risk committees, which oversee the broader scope of risk management for the enterprise. Through these efforts, senior management makes decisions and sets priorities for allocating resources to address risk management issues.

The Corporation’s Board of Directors, including the Audit Committee, oversees all risk management policies, procedures, and practices, including those related to cybersecurity. Senior management generally reports quarterly, or more frequently as necessary, to the Enterprise Risk Committee on technology risks, including those from cybersecurity threats. The Board’s Audit Committee and the Board of Directors receive these reports as part of their risk management oversight responsibilities. Board members have direct access to senior management and other relevant personnel and may direct questions and request further information as needed to fulfill their oversight responsibilities.


Company Information

Name: PROVIDENT FINANCIAL HOLDINGS INC
CIK: 0001010470
SIC Description: Savings Institution, Federally Chartered
Ticker: PROV - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: June 29