Mercer Bancorp, Inc. 10-K Cybersecurity GRC - 2025-01-14

Page last updated on January 14, 2025

Mercer Bancorp, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-01-14 16:10:22 EST.

Filings

10-K filed on 2025-01-14

Mercer Bancorp, Inc. filed a 10-K at 2025-01-14 16:10:22 EST
Accession Number: 0001558370-25-000202


Item 1C. Cybersecurity.

The Company and the Bank recognize the critical importance of cybersecurity in maintaining the integrity, confidentiality, and availability of our systems and data. Our operational risks include the risk of malfeasance or security breaches by employees or persons outside our company. Although we take protective measures, the security of our computer systems, software, and networks may be vulnerable to breaches, unauthorized access, misuse, computer viruses, or other malicious code and cyber-attacks that could have an impact on our information security, operations, and reputation. As a financial institution entrusted with sensitive customer information and financial assets, the Bank is committed to implementing robust cybersecurity risk management practices, strategies, and governance mechanisms.

The bank’s cybersecurity consultant and partner (Community Bank Consulting) is primarily responsible for implementing cybersecurity measures and reports directly to the SVP of Operations. The Bank has established a standing information technology steering committee (the “IT Committee”), consisting of the President and Chief Executive Officer, the Senior Vice President of Operations, the Assistant Vice President of Operations, and the Bank’s technology partner which generally meets on a quarterly basis. The IT Committee provides oversight of the Bank’s technology and information security programs, including cybersecurity risk management, policies, practices, controls, and threat detection and prevention efforts. More frequent meetings may occur from time to time in order to facilitate timely information and monitoring efforts. At IT Committee meetings, the Bank’s technology partner reports on key issues, including significant cybersecurity or data privacy risks and any specific threats or incidents.

Cybersecurity Risk Management: The Bank employs a comprehensive approach to cybersecurity risk management to avoid or minimize the impact of external threats and efforts to penetrate, disrupt or misuse our systems or information.

● Risk Assessment: Regular assessments of cybersecurity risks are conducted annually to identify potential threats, vulnerabilities, and their potential impact on the Bank’s operations. These assessments cover both internal and external factors affecting the Bank’s IT infrastructure and systems.
● Risk Mitigation: Upon identifying risks, the Bank’s policies and practices may be revised to protect against any anticipated threats or hazards to the security or integrity of such information. This involves deploying advanced security technologies, implementing security best practices, and ensuring compliance with industry standards and regulations.
● Monitoring and Response: The Bank maintains continuous monitoring capabilities to detect and respond to cybersecurity incidents promptly. Automated tools, as well as internal and external dedicated security teams, are used to monitor network traffic, system logs, and other relevant indicators of compromise.
● Audit and Testing: Independent third-party penetration testing, IT security audits, and vulnerability assessments are completed at least annually to test the effectiveness of security controls and preparedness measures (or more often if warranted by the risk assessment or other external factors). The IT Steering Committee determines the scope and objectives of the penetration analysis. Results of audits and testing are reported directly to the Audit Committee of the Board of Directors.

Cybersecurity Strategy: Key components of our cybersecurity risk management strategy include:

● Defensive Measures: The Bank incorporates multiple defensive measures at various levels of its IT infrastructure, including firewalls, intrusion detection systems, endpoint protection, and data encryption.
● Employee Awareness and Training: The Bank recognizes that employees are a critical line of defense against cyber threats. The Bank invests in cybersecurity awareness training programs to educate employees about potential risks and best practices for safeguarding sensitive information.
● Vendor Risk Management: The Bank evaluates and manages the cybersecurity risks associated with third-party vendors. Vendor contracts include provisions for security requirements, regular assessments, and compliance with industry standards.
● Incident Response Plan: The Bank maintains an Incident Response Policy and Plan that provides a documented framework for responding to actual or potential cybersecurity incidents. The Incident Response Plan is coordinated through the IT steering committee, and key members of management are embedded into the plan by its design. The Incident Response Plan is reviewed and approved by the IT Steering Committee annually and provided to the Board of Directors for approval.

Cybersecurity Governance: Key elements of the Bank’s cybersecurity governance structure include:

● Board Oversight: The Board of Directors provides oversight of the Bank’s cybersecurity posture, including reviewing and approving cybersecurity policies, strategies, testing, and investments. Our Board of Directors includes members who have expertise in information technology and telecommunications. Director Jose Faller is the Director of Human Resources and Technology at Cooper Farms, a farm and food company based in northwest Ohio, who previously worked as a network administrator for the U.S. Army. Additionally, Director Michael Boley is the President and Chief Executive Officer of Wabash Mutual Telephone Company, a customer-owned broadband communications company. Nonetheless, the Board relies to a large degree on management and outside consultants in overseeing cybersecurity risk management.
The board receives quarterly internal audit reports, prepared by our technology consultant and partner and presented by management. Additionally, an annual information technology audit report, including cybersecurity matters, is prepared by a third-party IT auditor and presented directly to the Audit Committee.
● IT Committee: The Bank has established a standing IT Committee, consisting of the President and Chief Executive Officer, the Senior Vice President of Operations, the Assistant Vice President of Operations, and the Bank’s technology consultant and partner which meets on a quarterly basis. The IT Committee is responsible for overseeing cybersecurity risk management and prevention efforts. Our technology consultant and partner provides internal audit reports on a quarterly basis, which are presented to the Board of Directors by management at their next regular meeting.

The Bank is committed to protecting the interests of its customers, shareholders, and other stakeholders. By implementing robust risk management practices, strategic initiatives, and effective governance mechanisms, the Bank strives to mitigate cybersecurity risks and safeguard its operations against evolving threats.


Company Information

Name: Mercer Bancorp, Inc.
CIK: 0001967306
SIC Description: Savings Institutions, Not Federally Chartered
Ticker: MSBB - OTC
Website
Category
Emerging growth company
Fiscal Year End: September 29