Page last updated on March 3, 2025
NBT BANCORP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 16:20:15 EST.
Filings
10-K filed on 2025-02-28
NBT BANCORP INC filed a 10-K at 2025-02-28 16:20:15 EST
Accession Number: 0001140361-25-006528
Item 1C. Cybersecurity.
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

In line with our commitment to strong corporate governance and the security of our operations, we continuously assess and mitigate cybersecurity risks that could impact our business, stakeholders, and the integrity of our systems. Using comprehensive risk assessment methodologies, we diligently identify and evaluate potential cybersecurity threats and vulnerabilities across our systems, networks, and data assets. This process includes regular reviews of emerging threats, penetration testing, vulnerability scanning, and thorough analysis of industry-specific risks. We actively participate in industry forums and information-sharing initiatives and collaborate with relevant stakeholders to exchange threat intelligence and best practices. We emphasize continuous training for our staff to enhance their ability to identify and respond to cybersecurity threats. To support this effort, we invest in cybersecurity technology and talent. Additionally, we conduct rigorous vendor assessments and require specific security standards for third-party providers. Our comprehensive policies and procedures are designed to safeguard the integrity and security of information collected by us and our service providers. We have also implemented security measures to prevent unauthorized access to personal data and mitigate potential incidents. Furthermore, we learn from any past incidents and near misses to strengthen our resilience. NBT collaborates with external experts to conduct audits, assessments, and validations of our cybersecurity controls, aligning them with established frameworks such as the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. We adapt our cybersecurity policies, standards, processes, and practices based on insights from these reviews.

Governance

The Board considers cybersecurity as part of its broader consideration of business strategy and enterprise risk management.
It is the responsibility of the Risk Management Committee (“RMC”), a committee of the Board, to oversee efforts to develop and formally approve the written Information Security Program (“ISP”), implement, maintain and monitor the program, and review management reports and policies related to cyber incidents. The RMC is led by our Chief Risk Officer and comprised of Board members as well as the Chief Executive Officer. Cybersecurity risks are reported to the RMC at least quarterly and those reports include key performance indicators, test results, recent threats and how the Company is managing those threats, along with the effectiveness of the ISP. The RMC receives briefings from executive management on activities, including those related to cybersecurity risk oversight. The Board reviews the overall ISP at least annually. NBT has appointed the Senior Director of Information Security (“DISO”) to oversee the implementation, coordination, and maintenance of the ISP. The DISO’s responsibilities include:

● Leading the initial implementation of the ISP, including assessing internal and external risks to institutional data and documenting findings through risk assessment reports and remediation plans.
● Coordinating the development, distribution, and maintenance of information security policies and procedures.
● Designing and implementing administrative, technical, and physical safeguards to protect institutional data across the company.

The DISO reports to the Chief Risk Officer and has expertise in cybercrime prevention, social engineering, identity theft, and fraud prevention, gained through prior roles within the organization. The DISO also supervises the Incident Response Team (“IRT”), which consists of senior executives, including the Chief Audit Officer, Chief Risk Officer, General Counsel, and representatives from Operations, Accounting, and Communications.
Upon detecting an incident, the IRT promptly convenes to assess its severity, categorizing it as low, medium, or high. The response protocol follows the Cybersecurity and Infrastructure Security Agency (“CISA”) Cybersecurity Incident and Vulnerability Response Playbook (November 2021) and incorporates best practices outlined in the NIST Special Publication (SP) 800-61 Rev. 2: Computer Security Incident Handling Guide. The IRT has procedures and escalation protocols to escalate significant cybersecurity matters to the Executive Committee, the RMC and/or full Board, as deemed necessary. During the incident review process, senior management, in collaboration with relevant personnel from information technology, data security, and external cybersecurity firms specializing in forensic investigations, when necessary, assesses the materiality of the breach alongside the severity scale. This evaluation aims to accurately identify risks and potential operational and business impacts. Materiality determination involves an objective analysis of both quantitative and qualitative factors, including an evaluation of impact and reasonably likely impacts. We have purchased cybersecurity insurance, but there are no assurances that the coverage would be adequate in relation to any incurred losses. As of December 31, 2024 we have not experienced any material risks from cybersecurity threats, including as a result of any previous cybersecurity incidents or threats, that have materially affected the business strategy, results of operations or financial condition of the Company. However, we cannot guarantee that we will remain unaffected in the future. For further discussion of such risks, see the section entitled “Risks Related to Information Technology, Cybersecurity and Data Privacy” in Item 1A. Risk Factors of this Form 10-K.
Company Information
| Field | Value |
| --- | --- |
| Name | NBT BANCORP INC |
| CIK | 0000790359 |
| SIC Description | National Commercial Banks |
| Ticker | NBTB - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 30 |