GREENE COUNTY BANCORP INC 10-K Cybersecurity GRC - 2024-09-06

Page last updated on September 6, 2024

GREENE COUNTY BANCORP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-06 16:27:52 EDT.

Filings

10-K filed on 2024-09-06

GREENE COUNTY BANCORP INC filed a 10-K at 2024-09-06 16:27:52 EDT
Accession Number: 0001140361-24-040469


Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity

Risk Management and Strategy

Overall Process

The Company regards information and data as valuable assets. As a result, the safeguards it has implemented protect corporate informational and data assets, and the associated technology resources maintain the integrity, availability, and privacy of the confidential information held in those assets. Additionally, we apply a similar risk-based approach to our third-party vendors, including identifying and overseeing the cybersecurity risks they present. The Company employs comprehensive methodologies for risk assessment and diligently identifies and evaluates potential cybersecurity threats and vulnerabilities across our systems, networks and data assets. This process involves regular examinations of emerging threats, penetration tests, vulnerability scanning and thorough analysis of industry-specific risks. The Company continues to expand its investments in information technology security, including continuous end-user training, layered defenses, identifying and protecting critical assets, and strengthening monitoring and alerting. The Company’s Information Security Officer and Chief Information Officer are responsible for completing additional mandatory training to understand the processes, procedures, and technical requirements for securing information assets across the Company.

The Company has developed an Incident Response Plan to guide its actions in responding to real and suspected information security incidents. These include unlawful, unauthorized, or unacceptable actions that involve a computer system or a computer network, such as Distributed Denial of Service attacks, Corporate Account Takeover schemes, or ransomware. Cybersecurity threats that are identified and deemed material are escalated and communicated directly to the Incident Response Team, which works in collaboration with relevant information technology personnel, insurance providers, legal counsel and, when necessary, external cybersecurity firms specializing in forensic investigations. The Company sets forth enterprise-wide coordinated responses to identified threats, ensuring timely mitigation and remediation, and facilitating awareness and communication. Tabletop exercises are held regularly at the senior and executive management levels, and annually at the Board of Directors level, to validate roles and responsibilities and response protocols for cybersecurity threats.

Third-party Access

The Company has a fully integrated third-party risk management program to identify, assess, monitor and mitigate risks associated with third-party relationships, including cybersecurity risks. Under the program, a risk rating is assigned to each vendor based on an assessment of the vendor and its access to networks, systems, and confidential information. An assessment is conducted on each vendor to identify and measure the risks from cybersecurity threats that could impact our customers’ data and our environment. Third parties that have access to our systems or customer data must have appropriate technical and organizational security measures and security control principles based on commercially acceptable security standards, and we require third parties in this class to agree by contract to manage their cybersecurity risks.

Material Cybersecurity Threat Risks

The Company has not experienced any material losses relating to cybersecurity threats or incidents for the year ended June 30, 2024. We are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. Although we have a robust cybersecurity program that is designed to assess, identify, and manage material risks from cybersecurity threats, we cannot provide absolute assurance that we have properly identified or mitigated all vulnerabilities or risks of incidents. The Company, and the third parties that the Company engages, are subject to constant and evolving threats of attack, and cybersecurity incidents may go undetected for periods of time. A cybersecurity incident could harm our business strategy, results of operations, financial condition and reputation, and/or subject us to regulatory actions or litigation which may result in fines, judgments or indictments.

Governance

The Board of Directors is acutely aware of the critical nature of managing risks associated with cybersecurity threats. The Board has oversight responsibilities to ensure effective governance in managing these risks because it recognizes the significance of these threats to our operational integrity, shareholder and customer confidence, and reputation.

Board of Directors Oversight

The Board is responsible for the oversight of cybersecurity risk management and is composed of members with expertise in risk management, technology, and finance, thereby equipping them to manage and prevent cybersecurity risks effectively.

Management’s Role in Managing Risk

The Chief Information Security Officer (“CISO”) and the Chief Information Officer (“CIO”) each play a pivotal role in informing the Board of Directors on cybersecurity risks. They provide comprehensive briefings to both the Board and the Audit Committee as part of management’s reporting. These briefings encompass a broad range of topics, including:

- Current cybersecurity landscape and emerging threats;
- Status of ongoing cybersecurity initiatives and strategies;
- Incident reports and issues identified from any cybersecurity events; and
- Compliance with regulatory requirements and industry standards.

In addition to our regularly scheduled Board meetings, the CISO and the CIO regularly communicate regarding emerging or potential cybersecurity risks. They discuss any significant developments in the cybersecurity domain, which, when reported to the Board, ensures the Board’s oversight is proactive and responsive. The Board actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. This involvement ensures that cybersecurity considerations are integrated into the broader strategic objectives of the Company. The Board closely reviews these reports on the Bank’s cybersecurity posture and the effectiveness of its risk management strategies prior to approval. This review helps in identifying areas for improvement and in ensuring the alignment of cybersecurity efforts with the overall risk management framework.

Cyber Risk Management Personnel

The CISO reports directly to the Chief Administrative Officer (“CAO”). The CISO and CAO meet regularly to discuss both internal and external cybersecurity risks and incidents. The CIO and CAO also regularly meet with the Chief Executive Officer (“CEO”) to update and discuss any cybersecurity risks and incidents affecting the Company. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. Furthermore, all significant cybersecurity matters and strategic risk management decisions are promptly escalated to the Board of Directors, ensuring that the Board has an up-to-date, comprehensive understanding of critical cybersecurity issues and can provide guidance on them.

Primary responsibility for assessing and providing strategic direction to our cybersecurity program resides with our CISO. The CISO’s experience includes prior leadership roles within the Company, where they developed an expert-level understanding of the intersection between financial regulations and cloud-based technologies. Their in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. The CIO and CISO oversee our governance programs, work with our technology-focused leaders and partners to align security and compliance, and have developed our employee security awareness training program.

Monitoring Cybersecurity Incidents

The CIO and CISO utilize vendor relationships, the Financial Services Information Sharing and Analysis Center and various other internet-based daily updates for the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This knowledge is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The CIO provides structure for clear processes to ensure the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, we believe we are equipped with a well-defined Incident Response Plan that is adequately resourced. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and for preventing future incidents.


Company Information

Name: GREENE COUNTY BANCORP INC
CIK: 0001070524
SIC Description: Savings Institutions, Not Federally Chartered
Ticker: GCBC - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: June 29