HERITAGE FINANCIAL CORP /WA/ 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

HERITAGE FINANCIAL CORP /WA/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 15:01:02 EST.

Filings

10-K filed on 2025-02-27

HERITAGE FINANCIAL CORP /WA/ filed a 10-K at 2025-02-27 15:01:02 EST
Accession Number: 0001046025-25-000046


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

Risk Management and Strategy

Enterprise Risk Management and Technology Risk Management. The Company’s Enterprise Risk Management program and team plays a pivotal role in overseeing the organization’s risk posture, specifically focusing on the implementation of a holistic risk management program for overseeing the assessment and appropriate control of information and cybersecurity risks. Annually, the Information and Cyber Security Policy and Program and Risk Assessments are presented for approval to the Board to ensure the program is representative and supportive of the Bank’s risk appetite and security testing expectations. Risks identified are subject to rigorous controls, ensuring both design and operational effectiveness and adherence to regulatory requirements. Instances where a risk is identified as inadequately controlled are promptly reported to Management, requiring formal remediation activities that are tracked and reported to the Risk and Technology Committee of the Board until measures are implemented to reduce the risk to an acceptable level. Identification of risks is a multifaceted process, encompassing diverse activities such as the execution of formal risk assessments, as described above, management self-disclosures, monitoring of regulatory and interagency authorities, engagement with professional and industry forums, internal and external audits, collaboration with third-party professional services, policy reviews and walkthroughs, adherence to best practice frameworks, leveraging subject matter expertise and industry experience, and maintaining a collaborative relationship with third party service providers/vendors. The dedicated Technology Risk Management team operates a continuous risk management framework, utilizing information gathered daily, weekly, monthly, quarterly and annually to provide insights into the state of controlled risk within the organization.

Security testing and assurance activities are performed internally and are outsourced to independent audit and security firms based on factors such as resource capacity, subject matter expertise, regulatory requirements, and the prevailing rate and condition of risk. Daily operational activities are in place to ensure the achievement and implementation of security requirements, including the management of the Bank’s security architecture, monitoring for potential security events or incidents, and the reporting and response to detected threats in our technology environments. The Information and Cyber Security Policy and Program establishes the additional policies and standards the Bank is required to implement in support of these practices and processes. Additionally, we maintain a compliant and comprehensive Security Incident Response Plan, incorporating accessible resources such as insurance providers, digital and cyber forensic experts and law enforcement, along with documentation of regulatory notification requirements. Our practices are interdependent with third party vendors, and we collaborate appropriately with these partners on notification and investigation processes to ensure complete visibility into security risks and events. From time to time, we have identified cybersecurity threats that require us to make changes to our processes and to implement additional safeguards. While none of these identified threats or incidents have materially affected us, it is possible that threats and incidents we identify in the future could have a material adverse effect on our business strategy, reputation, results of operations and financial condition. During the reporting period, the Company had not experienced any material cybersecurity events or incidents.

Although third party service providers that the Bank engages have encountered cybersecurity events or incidents during the year ended December 31, 2024, the Bank’s investigation of each event or incident has shown that these occurrences have not resulted in a material impact on our systems, computing environments, customers, or data.

Governance

Board Oversight: The Board provides active oversight of cybersecurity threats in accordance with the Board-approved Information and Cyber Security Policy and Program. These policies and programs aim to achieve a controlled risk environment while meeting regulatory, legislative, and compliance requirements, including but not limited to the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Information Technology Sarbanes-Oxley Act (IT SOX) Compliance, and Payment Card Industry Data Security Standard (PCI-DSS) Compliance. Direct oversight of information and cybersecurity risks is delegated to the Risk and Technology Committee of the Board. The Risk and Technology Committee meets at least quarterly and receives reports detailing current risks, maturity and functioning of associated processes and controls, and emerging or anticipated risks and threats. Additionally, the Risk and Technology Committee Chair provides a verbal summarized report to the full Board following each quarterly meeting, and as needed on an interim basis to address developing risk. All Risk and Technology Committee reports are available to the full Board for review. In the event critical matters arise between scheduled meetings, the Chief Risk Officer promptly notifies the Board and Risk and Technology Committee. To further ensure independence and effectiveness, the Board has delegated authority for the Information and Cybersecurity Policy and Program, including the referenced reports, to the Technology Risk Management Director.

This position fulfills the role and responsibilities of a Chief Information Security Officer and reports to the Chief Risk Officer, who in turn reports independently to the Chair of the Risk and Technology Committee. Additional layers of oversight are integrated into the program through the Director of Internal Audit, who conducts independent audits of critical information technology and cybersecurity activities. The results of these audits are reported to the Board’s Audit and Finance Committee, providing an extra layer of assurance and accountability. The Director of Internal Audit reports independently to the Chair of the Board’s Audit and Finance Committee.

Management’s Role in Assessing and Managing Cybersecurity Risks. Management’s role in assessing and managing material risks from cybersecurity threats is integral to the Company’s governance framework. As discussed above, the Information and Cyber Security Policy and Program outline specific roles and responsibilities delegated to management and the Enterprise Risk Management Program, which includes the Technology Risk Management team, and responsibilities assigned to various employees and the Risk and Technology Committee. The Technology Risk Management Director, a seasoned information and cyber security expert with significant experience in financial institutions, oversees the Technology Risk Management function. This expert conducts comprehensive assessments of cybersecurity risks inherent in the industry and the Company’s business activities, evaluating controls implemented to address identified risks. The Technology Risk Management Director is responsible for maintaining the Company’s information and cyber security risk management framework. This framework establishes standards and processes for the continuous assessment of material cybersecurity risks, covering identification, measurement, mitigation activities, monitoring and reporting of the risk posture at any given time.

Additionally, the Director ensures oversight and compliance with the Security Incident Response Plan, providing guidance during security incidents, whether within the Company or involving service provider/vendor engagements. The Company’s information technology department, including a dedicated security operations group, plays a crucial role in implementing practices aligned with the Information and Cyber Security Policy and Program requirements. Responsibilities include the maintenance and monitoring of systems, network(s), and application access and error logs, identification of unauthorized access attempts, adherence to access controls standards, configuration management, and the implementation of controls to mitigate risks related to information availability, integrity, and confidentiality. Business activities, products, and services are managed by experts in their respective fields, with employees receiving training to detect and prevent material cybersecurity threats. Business leaders are expected to understand specific threats within their areas of responsibility and adhere to established processes and standards to control such threats. To facilitate a transparent and collaborative approach to managing cybersecurity risk, an executive management level committee has been established. Chaired by the Chief Risk Officer and administered by the Technology and Risk Management Director, the committee ensures continual awareness of the information and cybersecurity risk posture, emerging threats, known threat actors, and vulnerabilities. Its purpose is to foster a security culture within the Company through active participation in planning and managing threat and security risk activities. All committee activities are reported to the Risk and Technology Committee through committee minutes and formal activity reports provided by the Technology and Risk Management Director.

The Risk and Technology Committee provides similar reports to the full Board quarterly, as well as on an as-needed basis. Results of cybersecurity-related audits are also reported to the Board’s Audit and Finance Committee.


Company Information

Name: HERITAGE FINANCIAL CORP /WA/
CIK: 0001046025
SIC Description: Savings Institutions, Not Federally Chartered
Ticker: HFWA - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 30