CFSB Bancorp, Inc. /MA/ 10-K Cybersecurity GRC - 2024-09-18

Page last updated on September 18, 2024

CFSB Bancorp, Inc. /MA/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-18 16:30:36 EDT.

Filings

10-K filed on 2024-09-18

CFSB Bancorp, Inc. /MA/ filed a 10-K at 2024-09-18 16:30:36 EDT
Accession Number: 0000950170-24-107819


Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk, Management, Strategy and Governance.

Cybersecurity is a significant and integrated component of CFSB Bancorp’s risk management strategy, designed to protect the confidentiality, integrity, and availability of sensitive information contained within the Company’s information services. As a financial services company, cyber threats are present and growing, and the potential exists for a cybersecurity incident to disrupt business operations, compromise sensitive data or both. To date, we have not, to our knowledge, experienced a cybersecurity incident materially affecting or reasonably likely to materially affect the Company. To prepare and respond to incidents, the Company has implemented a multi-layered “defense-in-depth” cybersecurity strategy, integrating people, technology, and processes. This includes employee training, the use of innovative technologies, and the implementation of policies and procedures in the areas of Information Security, Data Governance, Business Continuity and Disaster Recovery, Privacy, Third-Party Risk Management, and Incident Response. Core activities supporting our strategy include cybersecurity training, technology optimization, threat intelligence, vulnerability and patch management and the testing of incident response, business continuity and disaster recovery capabilities. The Company engages third-party consultants and independent auditors to, among other things, conduct penetration tests and audits of the areas noted above, including cybersecurity-related vendors. The Board of Directors designated the Vice President Information Systems as the Information Security Office (the “ISO”) and for oversight, the full Board receives threat intelligence reports and a Cybersecurity Executive Dashboard from the ISO each month. The ISO has more than thirty years’ experience with the Company and meets with the full Board of Directors in person at least annually.

The ISO works with the Company’s third-party Security Operations Center and the Company’s Compliance/Enterprise Risk Management (“ERM”) Team to identify, assess, and manage material risks from cybersecurity threats. The ISO also oversees the Company’s Information Security Program, which governs various information security and cybersecurity processes, systems development, change control, disaster recovery/business continuity, physical asset classification and control policies. The Information Security Program identifies data sources, threats, and vulnerabilities and ensures awareness, accountability, and oversight for data protection throughout the Company and with trusted third parties to ensure that data is protected and able to be recovered in the event of a breach or failure (technical or other disaster). The ISO is a member of various management committees, including the quarterly Management Control meetings which serve as the Company’s IT Steering Committee.

Risk Assessment

On a periodic basis, but not less than annually, the ISO in conjunction with the Compliance/ERM Team, identifies and documents internal and external vulnerabilities that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer records. Based on the results of the risk assessment, the Company’s Information Security Program may be revised to protect against any anticipated threats or hazards to the security or integrity of such information. The Team reviews changes to the program designed to monitor, measure, and respond to vulnerabilities identified.

Response to Security Vulnerabilities

In response to identified risks, management may take certain steps to correct and respond to security vulnerabilities, which may include:
- Eliminating unwarranted risks by applying vendor-provided software fixes, commonly called patches.
- Ensuring that changes to security configurations are documented, approved, and tested.
- Ensuring that exploitable files and services are assessed and removed or disabled based upon known vulnerabilities and business needs.
- Updating vulnerability scanning and intrusion detection tools to identify known vulnerabilities and related unauthorized activities.
- Conducting subsequent penetration testing and vulnerability assessments, as warranted.
- Reviewing performance with service providers to ensure security maintenance and reporting responsibilities are operating according to contract provisions and that service providers provide notification of system security breaches that may affect the Company.

Employees and Training

Employees are an integral part in the line of defense against cybersecurity risks. Every employee is responsible for protecting Company and client information. Accordingly, employees complete formal training including regular simulated phishing assessments designed to sharpen threat detection and reporting capabilities. Our employees are supported with solutions designed to identify, prevent, detect, respond to, and recover from incidents. Notable technologies include firewalls, intrusion detection systems, managed endpoint security automation and response capabilities, user behavior analytics, multi-factor authentication when available, encrypted data backups, and business continuity applications. Notable services include 24/7 security monitoring and response, real-time vulnerability scanning, third-party monitoring, and threat intelligence.

Service Providers

The Company relies on third-party vendor services and solutions to support its operations. Many of these vendors have access to sensitive and proprietary information. Third-party vendors continue to be a notable source of operational and informational risk. Accordingly, the Company has implemented an Outsourcing Management Policy which includes a detailed onboarding process and periodic reviews of vendors with access to sensitive Company data. The Outsourcing Management program is audited as part of the Company’s external audit program.

Board Reporting

At least annually, the ISO reports to the Board the overall status of the Information Security Program and the Company’s compliance with the Interagency Guidelines for Safeguarding Customer Information. Any material findings related to the risk assessment, risk management and control decisions, service provider arrangements, results of testing, security breaches or violations are discussed as are management’s responses and any recommendations for program changes.

Program Adjustments

The ISO monitors, evaluates, and adjusts the Information Security Program considering any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.

Incident Response Plan

The Company has implemented an Incident Response Plan (the “IRP”) to provide a structured and systematic incident response process for information security incidents that affect any of the information technology systems, network, or data. The Company’s business continuity and disaster recovery programs provide a coordinated response when responding to incidents. The IRP is implemented and maintained by the ISO and is subject to annual review and approval by the Board. Cybersecurity metrics are reported to the board monthly. The IRP includes:
- Identifying the incident response team (the “IRT”) and any appropriate sub-teams to address specific information security incidents, or categories of information security incidents.
- Coordinating IRT activities, including developing, maintaining, and following appropriate procedures to respond to and document identified information security incidents.
- Conducting post-incident reviews to gather feedback on information security incident response procedures and address any identified gaps in security measures.
- Providing training and conducting periodic exercises to promote employee and stakeholder preparedness and awareness of the IRP.
- Reviewing the IRP at least annually, or whenever there is a material change in Company’s business practices that may reasonably affect its cyber incident response procedures.


Company Information

Name: CFSB Bancorp, Inc. /MA/
CIK: 0001879103
SIC Description: Savings Institution, Federally Chartered
Ticker: CFSB - Nasdaq
Website:
Category: Emerging growth company
Fiscal Year End: June 29