Gouverneur Bancorp, Inc./MD/ 10-K Cybersecurity GRC - 2024-12-20

Page last updated on December 20, 2024

Gouverneur Bancorp, Inc./MD/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-20 16:33:31 EST.

Filings

10-K filed on 2024-12-20

Gouverneur Bancorp, Inc./MD/ filed a 10-K at 2024-12-20 16:33:31 EST
Accession Number: 0001558370-24-016433


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

The Company regards information and data as valuable assets. As a result, we have implemented safeguards to protect corporate informational and data assets. Associated and established technology resources maintain the integrity, availability, and privacy of confidential information of the respective assets. Additionally, we maintain a similar risk-based approach to our third-party vendors including identifying and overseeing cybersecurity risks they present.

Integration into Overall Risk Management System

The Company employs comprehensive methodologies for risk assessment and diligently identifies and evaluates potential cybersecurity threats and vulnerabilities across our systems, networks and data assets. This process involves regular examinations of emerging threats, conducting penetration tests, vulnerability scanning and thorough analysis of industry-specific risks. The Company continues to expand investments in information technology security, including continuous end-user training, layered defenses, identifying and protecting critical assets, strengthening monitoring and alerting.

The Company’s Manager of Information Technology & Facilities (the “IT Manager”) is responsible for completing additional mandatory training to understand the processes, procedures, and technical requirements for securing information assets across the Company. The Company has developed an Incident Response Plan to guide its actions in responding to real and suspected information security incidents. This includes unlawful, unauthorized, or unacceptable actions that involve a computer system or a computer network or ransomware.

Cybersecurity threats that are identified and deemed material are escalated and communicated directly to the board of directors, in collaboration with relevant information technology personnel, insurance providers, legal counsel and, when necessary, external cybersecurity firms specializing in forensic investigations. The Company sets forth enterprise-wide coordinated responses to identified threats, ensuring timely mitigation and remediation, and facilitating awareness and communication. Training sessions are held regularly at the senior and executive management levels to validate roles and responsibilities, and response protocols respective to cybersecurity threats.

Third-Party Access

The Company has a fully integrated third-party risk management program to identify, assess, monitor and mitigate risks associated with third-party relationships, including cybersecurity risks. Under the program, risk ratings are assigned to each of the vendors based on an assessment of the vendor and its access to networks, systems, and confidential information. An assessment is conducted on each vendor to identify and measure the risks from cybersecurity threats that could impact our customer’s data and our environment. Third parties that have access to our systems or customer data must have appropriate technical and organizational security measures and security control principles based on commercially acceptable security standards, and we require third parties in this class to agree by contract to manage their cybersecurity risks.

Material Cybersecurity Threat Risks

The Company has not experienced any material losses relating to cybersecurity threats or incidents for the year ended September 30, 2024. We are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. Although we have a robust cybersecurity program that is designed to assess, identify, and manage material risks from cybersecurity threats, we cannot provide absolute surety that we have properly identified or mitigated all vulnerabilities or risks of incidents. The Company, and the third parties that the Company engages, are subject to constant and evolving threats of attack and cybersecurity incidents may be more difficult to detect for periods of time. A cybersecurity incident could harm our business strategy, results of operations, financial condition, reputation, and/or subject us to regulatory actions or litigation which may result in fines, judgments or indictments.

Cybersecurity Governance

The board of directors is acutely aware of the critical nature of managing risks associated with cybersecurity threats. The Board has oversight responsibilities to ensure effective governance in managing these risks because it recognizes the significance of these threats to our operational integrity, shareholder and customer confidence and reputation.

Board of Directors Oversight

The board of directors is responsible for the oversight of cybersecurity risk management and is composed of members with expertise in risk management, technology, and finance, thereby equipping them to manage and prevent cybersecurity risks effectively.

Management’s Role in Managing Risk

The IT Manager plays a pivotal role in informing the board of directors on cybersecurity risks. The IT Manager and members of senior management meet regularly and provide comprehensive briefings to both the board of directors. These briefings encompass a broad range of topics, including:

● the current cybersecurity landscape and emerging threats;
● the status of ongoing cybersecurity initiatives and strategies;
● incident reports and issues identified from any cybersecurity events; and
● compliance with regulatory requirements and industry standards.

In addition to our regularly scheduled board meetings, the IT Manager regularly communicates with senior staff regarding emerging or potential cybersecurity risks. They discuss any significant developments in the cybersecurity domain, which when reported to the board, ensures the board’s oversight is proactive and responsive. The board actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. This involvement ensures that cybersecurity considerations are integrated into the broader strategic objectives of the Company. The board closely reviews these reports of the Bank’s cybersecurity posture and the effectiveness of its risk management strategies prior to approval. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.

Cyber Risk Management Personnel

The IT Manager directly reports to senior management. The IT Manager regularly meets with senior management to update and discuss any cybersecurity risks and incidents affecting the Company. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. Furthermore, all significant cybersecurity matters and strategic risk management decisions are promptly escalated to the Board of Directors, ensuring that they have an up-to-date, comprehensive understanding of and can provide guidance on critical cybersecurity issues.

Primary responsibility for assessing and providing strategic direction to our cybersecurity program resides with our IT Manager, whose over eleven years of information technology experience in the financial services industry has provided him with in-depth knowledge and experience which are instrumental in developing and executing our cybersecurity strategies.

Monitoring Cybersecurity Incidents

The IT Manager and other information security staff utilize vendor relationships and various other internet based daily updates for the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This knowledge is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The IT Manager provides structure for clear processes to ensure the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, we believe we are equipped with a well-defined Incident Response Plan that is adequately resourced. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevent future incidents.


Company Information

Name: Gouverneur Bancorp, Inc./MD/
CIK: 0001978811
SIC Description: Savings Institutions, Not Federally Chartered
Ticker: GOVB - OTC
Website
Category
Emerging growth company
Fiscal Year End: September 29