Kentucky First Federal Bancorp 10-K Cybersecurity GRC - 2024-10-03

Page last updated on October 3, 2024

Kentucky First Federal Bancorp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-03 17:28:07 EDT.

Filings

10-K filed on 2024-10-03

Kentucky First Federal Bancorp filed a 10-K at 2024-10-03 17:28:07 EDT
Accession Number: 0001213900-24-085121


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

The Company regards information and data as valuable assets. As a result, we have implemented safeguards to protect corporate informational and data assets. Associated and established technology resources maintain the integrity, availability, and privacy of confidential information of the respective assets. Additionally, we maintain a similar risk-based approach to our third-party vendors, including identifying and overseeing cybersecurity risks they present.

Integration into Overall Risk Management System

The Company employs comprehensive methodologies for risk assessment and diligently identifies and evaluates potential cybersecurity threats and vulnerabilities across our systems, networks and data assets. This process involves regular examinations of emerging threats, conducting penetration tests, vulnerability scanning and thorough analysis of industry-specific risks. The Company continues to expand investments in information technology security, including continuous end-user training, layered defenses, identifying and protecting critical assets, and strengthening monitoring and alerting. The Company’s Information Security Officer (“ISO”) is responsible for completing additional mandatory training to understand the processes, procedures, and technical requirements for securing information assets across the Company.

The Company has developed an Incident Response Plan to guide its actions in responding to real and suspected information security incidents. This includes unlawful, unauthorized, or unacceptable actions that involve a computer system or a computer network, such as Distributed Denial of Service attacks, Corporate Account Takeover schemes, or ransomware.

Cybersecurity threats that are identified and deemed material are escalated and communicated directly to the Incident Response Team, in collaboration with relevant information technology personnel, insurance providers, legal counsel and, when necessary, external cybersecurity firms specializing in forensic investigations. The Company sets forth enterprise-wide coordinated responses to identified threats, ensuring timely mitigation and remediation, and facilitating awareness and communication. Tabletop exercises are held regularly at the senior and executive management levels to validate roles and responsibilities, and response protocols respective to cybersecurity threats.

Third-party Access

The Company has a fully integrated third-party risk management program to identify, assess, monitor and mitigate risks associated with third-party relationships, including cybersecurity risks. Under the program, risk ratings are assigned to each of the vendors based on an assessment of the vendor and its access to networks, systems, and confidential information. An assessment is conducted on each vendor to identify and measure the risks from cybersecurity threats that could impact our customers’ data and our environment. Third parties that have access to our systems or customer data must have appropriate technical and organizational security measures and security control principles based on commercially acceptable security standards, and we require third parties in this class to agree by contract to manage their cybersecurity risks.

Material Cybersecurity Threat Risks

The Company has not experienced any material losses relating to cybersecurity threats or incidents for the year ended June 30, 2024.

We are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. Although we have a robust cybersecurity program that is designed to assess, identify, and manage material risks from cybersecurity threats, we cannot provide absolute surety that we have properly identified or mitigated all vulnerabilities or risks of incidents. The Company, and the third parties that the Company engages, are subject to constant and evolving threats of attack, and cybersecurity incidents may be more difficult to detect for periods of time. A cybersecurity incident could harm our business strategy, results of operations, financial condition, reputation, and/or subject us to regulatory actions or litigation which may result in fines, judgments or indictments.

Cybersecurity Governance

The Board of Directors is acutely aware of the critical nature of managing risks associated with cybersecurity threats. The Board has oversight responsibilities to ensure effective governance in managing these risks because it recognizes the significance of these threats to our operational integrity, shareholder and customer confidence and reputation.

Board of Directors Oversight

The Board is responsible for the oversight of cybersecurity risk management and is composed of members with expertise in risk management, technology, and finance, thereby equipping them to manage and prevent cybersecurity risks effectively.

Management’s Role in Managing Risk

The ISO plays a pivotal role in informing the Board of Directors on cybersecurity risks. The ISO, other information security staff, and members of senior management meet regularly as the Technology Steering Committee. Reports of their meetings are shared with the boards of our subsidiary banks.

Committee reports provide comprehensive briefings to both the Board and the Audit Committee as part of management’s reporting. These briefings encompass a broad range of topics, including:

● Current cybersecurity landscape and emerging threats;
● Status of ongoing cybersecurity initiatives and strategies;
● Incident reports and issues identified from any cybersecurity events; and
● Compliance with regulatory requirements and industry standards.

In addition to our regularly scheduled Board meetings, the ISO regularly communicates with senior staff regarding emerging or potential cybersecurity risks. They discuss any significant developments in the cybersecurity domain, which, when reported to the Board, ensures the Board’s oversight is proactive and responsive. The Board actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. This involvement ensures that cybersecurity considerations are integrated into the broader strategic objectives of the Company. The Board closely reviews these reports of the Bank’s cybersecurity posture and the effectiveness of its risk management strategies prior to approval. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.

Cyber Risk Management Personnel

The ISO directly reports to the CEO. The ISO regularly meets with the CEO to update and discuss any cybersecurity risks and incidents affecting the Company. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. Furthermore, all significant cybersecurity matters and strategic risk management decisions are promptly escalated to the Board of Directors, ensuring that they have an up-to-date, comprehensive understanding of, and can provide guidance on, critical cybersecurity issues.

Primary responsibility for assessing and providing strategic direction to our cybersecurity program resides with our ISO. The ISO’s experience includes prior leadership roles within the Company, where they developed an expert level of understanding of the intersection between financial regulations and cloud-based technologies. The ISO and other information systems staff possess in-depth knowledge and experience which are instrumental in developing and executing our cybersecurity strategies. The ISO and the Tech Steering Committee oversee our governance programs, work with our technology-focused leaders and partners to align security and compliance, and have developed our employee security awareness training program.

Monitoring Cybersecurity Incidents

The ISO and other information security staff utilize vendor relationships and various other internet-based daily updates for the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This knowledge is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The ISO provides structure for clear processes to ensure the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, we believe we are equipped with a well-defined Incident Response Plan that is adequately resourced. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and to prevent future incidents.


Company Information

Name: Kentucky First Federal Bancorp
CIK: 0001297341
SIC Description: Savings Institution, Federally Chartered
Ticker: KFFB - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: June 29