TIMBERLAND BANCORP INC 10-K Cybersecurity GRC - 2024-12-11

Page last updated on December 11, 2024

TIMBERLAND BANCORP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-11 16:23:09 EST.

Filings

10-K filed on 2024-12-11

TIMBERLAND BANCORP INC filed a 10-K at 2024-12-11 16:23:09 EST
Accession Number: 0000939057-24-000331


Item 1C. Cybersecurity.

Cyber Risk Management and Strategy

Safeguarding the confidentiality, integrity and availability of customer and sensitive financial data, records and transactions is essential to Timberland and Timberland Bank. Our risk management program is designed to identify, assess and mitigate risks across various aspects of the Bank, including financial, operational, regulatory, reputational and legal. Cybersecurity is a critical component of our risk management program; thus we have implemented a Cyber and Information Security Program to protect the confidentiality, integrity and availability of our information and information technology environment.

Our program aligns with applicable federal and state regulations, industry frameworks such as the Federal Financial Institutions Examination Council (“FFIEC”) and best practices from the National Institute of Standards and Technology (“NIST”). The FFIEC framework offers a set of guidelines to help financial institutions effectively manage and mitigate cybersecurity risks. The framework focuses on ensuring the confidentiality, integrity and availability of sensitive information. NIST is part of the U.S. Department of Commerce, which develops cybersecurity standards, guidelines and other resources.

We have employed a multi-layered, risk-based approach to cyber and information security, incorporating a variety of tools and processes to aid in risk identification, assessment and management. The Bank conducts a variety of information security risk assessments throughout the year. We employ a defense in depth strategy that incorporates preventive, detective, and administrative safeguards including but not limited to, configuration hardening, robust patch management and vulnerability scanning, advanced anti-malware firewall technologies, anti-phishing and web filtering controls. These controls are tested annually by an independent third-party audit firm.

Quarterly employee training is performed on cybersecurity, information security, identity theft prevention and data privacy. The Bank has not experienced any material losses relating to cybersecurity threats or incidents to date.

Incident Response

Response to cyber incidents is guided by the Bank’s Incident Response Policy. The Bank’s plan is based on the National Infrastructure Protection Center (“NIPC”) guidelines, with the addition of specific reporting and notification requirements required by regulation. The Incident Response Policy prescribes points of escalation and mechanisms for collaboration should the need arise to engage outside partnerships such as external counsel, cybersecurity forensic examiners, cyber insurance vendors, government agencies and regulatory bodies.

Third Party Service Provider Monitoring

The Bank maintains a robust Vendor Management Program to appropriately measure, monitor and control risks associated with outsourcing products and services, including cybersecurity risks. Under the program, vendors are assigned a risk rating based on an assessment of the vendor and its access to network, systems and confidential information. The Bank’s Information Security Officer conducts regular periodic reviews of the adequacy of its oversight of controls over third party relationships.

Cybersecurity Governance

Timberland Bank’s Board of Directors (“Board”) recognizes the significance of cybersecurity risks and provides oversight of the Bank’s Cyber and Information Security Program. The Bank’s Board of Directors is currently comprised of the Chief Executive Officer and seven non-employee directors; one of which has completed and received Cybersecurity Oversight Certification from the National Association of Corporate Directors (“NACD”).

The Bank’s primary responsibility for managing cyber risk is vested in the Bank’s Information Security Analyst (“ISA”). The ISA reports to the Chief Risk Officer and serves as the primary custodian of the Bank’s Cyber Security and Information Security Program.

The Technology Steering Committee meets on a regular basis and is tasked with providing oversight and guidance regarding both information technology and cybersecurity related issues of strategic importance to the Bank. The Technology Steering Committee is comprised of numerous members of the management team, Chief Technology Officer (“CTO”) and ISA. The Technology Steering Committee reports to the Board of Directors through Committee minutes.

The Board Technology Committee assists the Board of Directors in fulfilling its oversight responsibilities with respect to the overall role of technology in executing the business strategy of the institution, including but not limited to major technology investments, technology strategy, operational performance and technology trends that may affect customers. The Board Technology Committee meets regularly and receives reports from the CTO and ISA on cybersecurity and information technology risks. The Board Technology Committee reports to the Board of Directors through Committee minutes.

The Board’s Audit Committee also has oversight responsibility for audits related to information technology, security and information technology governance.


Company Information

Name: TIMBERLAND BANCORP INC
CIK: 0001046050
SIC Description: Savings Institutions, Not Federally Chartered
Ticker: TSBK - Nasdaq
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: September 29