CONSUMERS BANCORP INC /OH/ 10-K Cybersecurity GRC - 2024-09-06

Page last updated on September 6, 2024

CONSUMERS BANCORP INC /OH/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-06 13:35:38 EDT.

Filings

10-K filed on 2024-09-06

CONSUMERS BANCORP INC /OH/ filed a 10-K at 2024-09-06 13:35:38 EDT
Accession Number: 0001437749-24-028613

Item 1C. Cybersecurity.

Risk Management and Strategy

Our cybersecurity risk management program is designed to identify, assess, and mitigate risks across various aspects of our company, including financial, operational, regulatory, reputational, and legal. Cybersecurity is a critical component of this program, given the increasing reliance on technology and the potential cyber threats. Our Chief Information Officer and Information Technology Security Officer are primarily responsible for the cybersecurity component and are key members of the risk management organization.

Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse our systems or information. The structure of our information security program is designed around the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, regulatory guidance, and other industry standards. In addition, we leverage certain industry and government associations, third-party benchmarking, audits, and threat intelligence feeds to facilitate and promote program effectiveness. The information security program is periodically reviewed by personnel with the goal of addressing changing threats and conditions.

We employ an in-depth, layered, defensive strategy when deploying new products, services, and technology. We leverage people, processes, and technology as part of our efforts to manage and maintain cybersecurity controls. We also employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats.

We have established processes and systems designed to mitigate cyber risk, including regular and on-going education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests. We engage in regular assessments of our infrastructure, software systems, and network architecture.

We also maintain a third-party risk management program designed to identify, assess, and manage risks, including cybersecurity risks, associated with external service providers. We also actively monitor our email gateways for malicious phishing email campaigns and monitor remote connections as a portion of our workforce has the option to work remotely.

We leverage internal and external auditors and independent external partners to periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and make recommendations to strengthen our risk management program.

We maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification of and escalation to the Risk & Technology Committee of our board of directors. The Incident Response Plan is coordinated through the Information Technology Security Officer and is evaluated at least annually.

Notwithstanding our defensive measures and processes, the threat posed by cyber-attacks is severe, attacks are sophisticated and increasing in volume, and attackers respond rapidly to changes in defensive measures. Our internal systems, processes, and controls are designed to mitigate loss from cyber-attacks and, while to date, we have not detected a significant compromise, significant data loss or any material financial losses related to cybersecurity attacks, our systems and those of its customers and third-party service providers are under constant threat and it is possible that we could experience a significant event in the future. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as the expanding use of internet banking, mobile banking and other technology-based products and services by the Company and its customers.

Governance

Our Information Security Program consists of policies, procedures, risk assessments, monitoring, reporting and training to ensure the security, availability, and confidentiality of systems and customer information. The Information Security Program is led by our Information Technology Security Officer and is subject to oversight by the Risk & Technology Committee.

The Risk & Technology Committee of our board of directors is responsible for overseeing our information security and technology programs, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. Our Information Technology Security Officer and our Chief Information Officer provide quarterly reports to the Risk & Technology Committee of our board of directors regarding the information security and technology programs, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes. The Risk & Technology Committee of our board of directors reviews and approves our Information Security Program and strategies annually. Additionally, the Information Technology Security Officer provides a cybersecurity report to the full board of directors at each board meeting.


Company Information

Name: CONSUMERS BANCORP INC /OH/
CIK: 0001006830
SIC Description: National Commercial Banks
Ticker: CBKM - OTC
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: June 29