SR Bancorp, Inc. 10-K Cybersecurity GRC - 2024-10-15

Page last updated on October 16, 2024

SR Bancorp, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-15 17:32:58 EDT.

Filings

10-K filed on 2024-10-15

SR Bancorp, Inc. filed a 10-K at 2024-10-15 17:32:58 EDT
Accession Number: 0000950170-24-114772


Item 1C. Cybersecurity.

Our risk management program is designed to identify, assess and mitigate risks across various aspects of our company, including financial, operational, regulatory, reputational and legal. Cybersecurity is a critical component of this program as we rely extensively on various information systems and other electronic resources to operate our business. Additionally, we rely to a great extent on third-party service providers to perform critical functions to assist in maintaining customer accounts, providing electronic banking services and financial reporting.

Our Information Security Officer, who is a member of our Executive Management Team, is primarily responsible for managing our cybersecurity program. Our Information Security Officer has direct access to our Board of Directors and is authorized to evaluate our cybersecurity posture throughout the Company to ensure the implementation of appropriate controls over our systems and applications to maintain an effective cybersecurity program. The Information Security Officer consults, where appropriate, with both our staff of IT professionals and, at times, outside security professionals to ensure the implementation of appropriate controls.

We have implemented a cybersecurity risk management program to protect the confidentiality, integrity and availability of our information and information technology environment. Our cybersecurity risk management program consists of an extensive range of risk assessments to identify the cyber threats to our environment along with multiple policies and procedures to mitigate the risks identified, including, but not limited to, information technology and cybersecurity standards, incident response and disaster recovery/business continuity. Employees receive regular information and cybersecurity training and reminders throughout the year.

Daily operations are monitored by a dedicated team of information technology professionals complemented by management’s monitoring of critical information security monitoring reports along with our third-party security vendor who provides for 24x7 monitoring of our external connections and email system. Defined incident response procedures are maintained, including a requirement that our security vendor notify designated members of management when unusual or suspicious activity is identified.

To test and evaluate the effectiveness of our cybersecurity program, we are subject to annual audits of our program by an outside audit firm who specializes in both information technology and cybersecurity assessments. These assessments include a review of general IT controls, external penetration assessments, internal penetration assessments and security awareness testing of our staff.

Our vendor management program is designed to identify the risks associated with using third-party service providers to run our business. Third-party service providers that present cyber risk to our operations must meet specific criteria, such as the maintenance of appropriate controls, processes and monitoring to ensure the confidentiality, integrity and availability of data and resources prior to being onboarded. In addition to initial assessments of our critical third-party service providers, we perform regular on-going monitoring of these critical third parties’ infrastructure and performance, including data security and the effectiveness of their cybersecurity risk management programs.

Our Board of Directors, along with our Information Technology Committee, which is comprised of key senior managers, are actively involved in providing oversight of our cybersecurity program. Monthly updates are provided to our Board regarding the status of our program, including key monitoring metrics and trends noted both internally and within our industry. Our Board reviews and approves all cybersecurity-related risk assessments, policies and formalized reviews performed throughout the year.


Company Information

Name: SR Bancorp, Inc.
CIK: 0001951276
SIC Description: Savings Institutions, Not Federally Chartered
Ticker: SRBK - Nasdaq
Website
Category
Emerging growth company
Fiscal Year End: June 29