ESSA Bancorp, Inc. 10-K Cybersecurity GRC - 2024-12-13

Page last updated on December 13, 2024

ESSA Bancorp, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-13 13:37:13 EST.

Filings

10-K filed on 2024-12-13

ESSA Bancorp, Inc. filed a 10-K at 2024-12-13 13:37:13 EST
Accession Number: 0000950170-24-136130


Item 1C. Cybersecurity.

Incident Response Plan

The Board of Directors is responsible for overseeing the risks from cybersecurity threats. ESSA Bank and Trust has adopted an Incident Response Plan (the “IR Plan”) for responding to cybersecurity incidents. This IR Plan applies to both potential and actual incidents. The IR Plan should be invoked in any context where the Bank believes that an incident may have occurred. The IR Plan applies to all employees, contractors, and third parties. The objectives of the IR Plan are to ensure the protection of customer data and all organization assets from security incidents and ensure timely detection, mitigation, and communication of security incidents to appropriate parties.

Implementation of the IR Plan requires cross-functional efforts from across the organization. The roles/functions involved and the related responsibilities in enforcing the IR Plan are spread across the entire organization of the Bank’s senior.

Once the possibility of a cybersecurity incident has been noted, employees assigned to appropriate teams do the necessary research and analysis to confirm either that there is an incident requiring additional action, or that no further action is necessary. This will typically involve some combination of Operations and Information Technology.

If an incident is confirmed, an incident response team is formed, and the team takes steps to contain the incident to limit damage, eradicate the incident to restore our full control of all Bank systems and eliminate unauthorized access, and recover data and full functionality. Detection and analysis continue during this phase as necessary to ensure that this phase has been successfully executed. This phase also involves communication as needed with employees, customers, partners and service providers, legal representatives, insurance provider, law-enforcement authorities, and regulatory bodies as necessary and appropriate.

In the post-incident phase, the Bank analyzes the root cause of the incident, identifies any changes that need to be made to policies, procedures, training, documentation, and technology to protect against similar incidents in the future, and institutes a plan to implement them. In addition, the Bank undertakes any additional communication with the necessary parties and the public, if appropriate, and the Bank’s legal representatives, insurance provider, law-enforcement authorities, and regulatory bodies as appropriate to fully address the impact of the incident, and fully documents the entire incident.

During the fiscal year ended September 30, 2024, the risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, its business strategy, results of operations, or financial condition.


Company Information

Name: ESSA Bancorp, Inc.
CIK: 0001382230
SIC Description: Savings Institutions, Not Federally Chartered
Ticker: ESSA - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: September 29