Pioneer Bancorp, Inc./MD 10-K Cybersecurity GRC - 2024-09-25

Page last updated on September 26, 2024

Pioneer Bancorp, Inc./MD reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-25 17:10:42 EDT.

Filings

10-K filed on 2024-09-25

Pioneer Bancorp, Inc./MD filed a 10-K at 2024-09-25 17:10:42 EDT
Accession Number: 0001558370-24-013020


Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity

Risk Management and Strategy

The Company maintains an information security program and governance framework that is designed to identify, assess, manage, mitigate, and respond to cybersecurity risks associated with its information systems and information assets. Additionally, we maintain a similar risk-based approach to our third-party vendor management program, including identifying and overseeing the cybersecurity risks they present. The Company’s Information Security Steering Committee (“ISSC”), further described below under “Governance”, oversees information and cybersecurity risk management for the Company. The ISSC assists the board of directors in fulfilling its oversight responsibilities concerning the role of information security and cybersecurity in executing the Company’s business strategy and complying with regulatory requirements. The ISSC is responsible for managing and enforcing the Company’s information security program; developing cybersecurity policies, strategies, and plans; monitoring control statuses and program gaps; facilitating program assessments, which include risk assessments and business impact analysis; and evaluating risk mitigation strategies to address cybersecurity threats. The Company’s cybersecurity framework includes an assessment of the critical systems, physical security, and information resources, both within and outside the Company, that expose it to cybersecurity threats. The ISSC employs policies, systems, and safeguards to manage those cybersecurity risks. The Company continues to expand investment in information technology and cybersecurity infrastructure, including enhanced threat monitoring and detection services. The ISSC consistently collaborates with third-party service providers to support and maintain a robust information security program. These service providers assist in responding to cybersecurity risks by providing comprehensive threat detection, monitoring, and response services.

The information security program is designed to provide effective processes, procedures, and internal controls, including monitoring cybersecurity threats through endpoint and network security, email protection, data loss prevention, vulnerability scanning and mitigation, identity and access management, logging and monitoring, and threat hunting. Independent third parties evaluate the Company’s cyber readiness and resilience through ongoing testing and audits. We adapt our cybersecurity policies, standards, processes, and practices accordingly based on the insights provided by these reviews. In addition, information security education and training are conducted both at the time of hire and annually thereafter by internal employees and certain third parties. Training is designed to mitigate accidental information security incidents caused by employees. Phishing simulation testing activities are regularly conducted internally and by third parties to assess employees’ competency at identifying potential threats. Vendor due diligence is performed for all third parties with access to the Company’s information assets to ensure such parties maintain effective cybersecurity practices in accordance with the Company’s vendor management program. The Company performs ongoing monitoring of third parties, including review of their cybersecurity practices, using a risk-based approach to determine the extent and frequency of periodic assessments. Annual cybersecurity assessments are conducted by the Company’s information technology team on its information systems using industry-standard guidelines and tools.

Governance

The board of directors is responsible for oversight of our information security program and fulfills this responsibility through regular reporting and updates provided by the ISSC, members of management, and other third parties contracted to assess and test the effectiveness of the Company’s information security and cybersecurity program.

On a quarterly and as-needed basis, the board of directors receives updates on cybersecurity risks and the actions taken by management to monitor and mitigate those risks, including key risk indicators, test results, reporting of recent threats and how the Company is managing those threats, along with pertinent information to allow the board of directors to evaluate the effectiveness of the information security program. In addition, at least annually, the board of directors receives comprehensive reporting from the virtual Chief Information Security Officer (“vCISO”) on the overall effectiveness of the information security program. The ISSC is comprised of representatives of management from various departments of the Company and members from an outside third-party information security service provider. The ISSC is led by the vCISO, who oversees the implementation, coordination, and maintenance of the information security and cyber risk management program. The vCISO is a contracted third-party vendor and reports directly to the board of directors. This individual holds a Certified Information Systems Security Specialist Professional (“CISSP”) certification and has over a decade of experience in community banking, risk management, compliance, and information security. The ISSC includes members of management with specific cybersecurity expertise, including the Senior Vice President (“SVP”) - Information Technology. The SVP - Information Technology is a Certified Community Banker Technology Officer, has 20 years of experience in the information technology field, and is responsible for developing and implementing the Company’s information security program.

The SVP - Information Technology reports to the board of directors on a quarterly basis regarding the relevant key risk indicators and information technology and information security events, including the key risk indicator metrics used by the board of directors to monitor risks, and provides a quarterly technology update which includes details of information technology and cybersecurity initiatives, projects, training, events, and incidents. The Company has developed a cyber incident response plan to maintain procedures and protocols for responding to incidents. The Cyber Incident Response Team (“CIRT”) is comprised of all members of the Company’s executive management team, the vCISO, and representatives from the technology, operations, accounting, risk management, financial crimes, marketing, and retail departments. During an incident response process, the Chief Administrative Officer serves as the incident manager. The Chief Administrative Officer has over 15 years of experience in leadership and management of information technology, cybersecurity, and incident response programs. In this role as incident manager, the Chief Administrative Officer, in collaboration with the CIRT and external cybersecurity firms as necessary, will assess the materiality of the breach following the incident response plan severity scale. This evaluation aims to accurately identify risks and potential operational and business impacts. Materiality determination involves an objective analysis of both quantitative and qualitative factors, including an evaluation of the immediate impact on systems and critical infrastructure. The purpose of this cyber incident response plan is to ensure that the Company is prepared to manage operational and/or malicious events which may disrupt critical business processes and/or compromise the confidentiality, integrity, or availability of its data. This cyber incident response plan defines the processes the Company will follow to manage adverse security events.

The cyber incident response plan also maintains procedures and protocols to escalate significant cybersecurity matters to the full board of directors and regulators, as deemed necessary. The Company’s CIRT performs an annual testing exercise to evaluate its preparation and response plan in the event of an actual cybersecurity event. Although cybersecurity threats, including those stemming from prior incidents, have not materially affected the Company in the previous fiscal year, and there are no known imminent cybersecurity threats that are reasonably likely to materially affect our business strategy, results of operations, or financial condition, we cannot guarantee that we will remain unaffected in the future. Information regarding risks from material cybersecurity threats can be found under the section captioned “Risks Related to Operations” contained in Item 1A. Risk Factors.


Company Information

Name: Pioneer Bancorp, Inc./MD
CIK: 0001769663
SIC Description: Savings Institutions, Not Federally Chartered
Ticker: PBFS - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company; Emerging growth company
Fiscal Year End: June 29