Primis Financial Corp. 10-K Cybersecurity GRC - 2024-10-15

Page last updated on October 15, 2024

Primis Financial Corp. described its cybersecurity risk management and governance process in an annual report on Form 10-K filed on 2024-10-15 at 08:00:59 EDT.

Filings

10-K filed on 2024-10-15

Primis Financial Corp. filed a 10-K at 2024-10-15 08:00:59 EDT
Accession Number: 0001558370-24-013277


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

The Bank’s information security program is designed to protect sensitive information from unauthorized access, use, disclosure, alteration, or destruction, and to maintain the confidentiality, integrity, and availability of our information assets, including employee and customer non-public information, financial data, and internal operational information. Our Chief Information Officer (“CIO”) manages our information security strategy and development as overseen by our overarching Enterprise Risk Management (“ERM”) program.

On January 16, 2024, G. Cody Sheflett, Jr., CIO of the Company, passed away. The Company has actively engaged a recruiting firm to fill the CIO vacancy, but has not formally appointed a new CIO. During such vacancy, the Company has appointed an interim CIO and, unless otherwise noted, references to the CIO and his duties refer to Mr. Sheflett’s historical role and the interim CIO’s role, and the duties and obligations the Company anticipates the next CIO to abide by. The Company’s interim CIO has worked in the financial services industry for over 20 years and held similar roles at other financial institutions, including four years as a Chief Information Officer and five years as a Chief Technology Officer.

The Bank’s cybersecurity program, including our information security policies, is designed to align with regulatory guidance and industry practices. To protect our information systems, network, and information assets from cybersecurity threats, we use various security tools, products, and processes that help identify, prevent, investigate, and remediate cybersecurity threats and security incidents.

The Bank’s Network Team monitors threat intelligence sources to research evolving threats, investigates the potential impact to financial services companies, examines company controls to detect and defend against those threats, and proactively adjusts company defenses against those threats. The Network Team also actively monitors company networks and systems to detect suspicious or malicious events, and contracts with third-party consultants to perform penetration testing and routine vulnerability scans. A managed security service provider supplements our efforts to provide 24 hours a day, seven days a week coverage.

We maintain policies and procedures for the safe storage, handling, and secure disposal of customer information. Each employee is expected to be responsible for the security and confidentiality of customer information, and we communicate this responsibility to employees upon hiring and regularly throughout their employment. Annually, we provide employees with mandatory security awareness training. The curriculum includes the recognition and appropriate handling of potential phishing emails, which could place sensitive customer or employee information at risk. The Company employs a number of technical controls to mitigate the risk of phishing emails targeting employees. We test employees monthly to determine their susceptibility to phishing test emails, and we require susceptible employees to take additional training and provide regular reports to management.

As part of our information security program, we have adopted a Cyber Incident Response Plan (“Incident Response Plan”) which is administered by our CIO, who closely coordinates with the Bank’s Information Technology team. The Incident Response Plan describes the Bank’s processes, procedures, and responsibilities for responding to cybersecurity incidents, and identifies those team members responsible for assessing potential security incidents, declaring an incident, and initiating a response. The Incident Response Plan outlines action steps for investigating, containing, and remediating a cybersecurity incident, and includes procedures for escalation and reporting of potentially significant cybersecurity incidents to the Bank’s Senior Leadership Team, including the Chief Executive Officer (“CEO”), Chief Financial Officer (“CFO”), Chief Risk Officer (“CRO”), and the Board of Directors. As necessary, the Company may retain a third-party firm to assist with forensic investigation and management of cybersecurity incidents.

The Bank conducts due diligence prior to engaging third-party service providers which have access to the Bank’s networks, systems, and/or customer or employee data. Risk assessments are performed using Service Organization Controls (SOC) reports, self-attestation questionnaires, and other tools. Third-party service providers are required to comply with the Bank’s policies regarding non-public personal information and information security. Third parties processing non-public personal information are contractually required to meet all legal and regulatory obligations to protect customer data against security threats or unauthorized access. After contract execution, Primis requires critical and high-risk providers to have an ongoing monitoring plan.

While we do not believe that our business strategy, results of operations or financial condition have been materially adversely affected by any cybersecurity incidents, cybersecurity threats are pervasive, and cybersecurity risk has increased in recent years. Despite our efforts, there can be no assurance that our cybersecurity risk management processes and measures described will be fully implemented, complied with or effective in protecting our systems and information. We face risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect our business strategy, results of operations or financial condition. See “Item 1A. Risk Factors - Operational Risks” of this report for additional information.

Cybersecurity Governance

Our Board of Directors is responsible for overseeing the Bank’s business and affairs, including risks associated with cybersecurity threats. The ERM Committee (“ERMC”) of the Board has primary responsibility for overseeing the Bank’s comprehensive ERM program, including its cybersecurity program. The ERM program assists the senior leadership team in identifying, assessing, monitoring, and managing risk, including cybersecurity risk, in a rapidly changing environment. Cybersecurity matters and assessments are regularly included in both Audit Committee (“AC”) and ERMC meetings.

The Board’s oversight of cybersecurity risk is supported by our CIO. The CIO attends ERMC meetings and provides cybersecurity updates to these Board committees on a quarterly basis. Our CRO, in conjunction with our CIO, facilitates the involvement of the ERMC in oversight of potentially significant cybersecurity incidents. The Executive Vice President and Chief Financial Officer and the Network Manager have been attending the ERMC meetings in the CIO’s absence.

The Bank’s CIO directs the Bank’s information security program and our information technology risk management. In this role, in addition to the responsibilities discussed above, the CIO manages the Bank’s information security and day-to-day cybersecurity operations and supports the information security risk oversight responsibilities of the Board and its committees. The CIO is also responsible for the Bank’s information technology governance, risk, and compliance program and ensures that high-level risks receive appropriate attention. Led by our CIO, the Network Team examines risks to the Bank’s information systems and assets, designs and implements security solutions, monitors the environment, and provides responses to threats.

Our CRO has over three decades of experience in risk management, and our Network Team collectively has over 19 years of experience in cybersecurity operations.


Company Information

Name: Primis Financial Corp.
CIK: 0001325670
SIC Description: State Commercial Banks
Ticker: FRST - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 30