Northfield Bancorp, Inc. 10-K Cybersecurity GRC - 2025-03-03

Page last updated on March 3, 2025

Northfield Bancorp, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-03 16:22:59 EST.

Filings

10-K filed on 2025-03-03

Northfield Bancorp, Inc. filed a 10-K at 2025-03-03 16:22:59 EST
Accession Number: 0001493225-25-000047


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Our cybersecurity risk management program is an integrated component of the Enterprise Risk Management strategy designed to protect the confidentiality, integrity and availability of our critical systems and information. We design and evaluate our program based on industry recognized standards such as the National Institute of Standards and Technology Cybersecurity Framework and the Center for Internet Security Controls. This does not imply that we meet any particular technical standards, specifications, or requirements, but rather that we use these standards as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

Our cybersecurity risk management program is closely aligned with the Company’s business strategy. It shares common methodologies, reporting channels and governance processes that apply to other areas of enterprise risk, including third-party relationships, legal, compliance, strategic, operational, and financial.

Key elements of our enterprise cybersecurity risk management program include:

- implementation of policies and procedures in the areas of Information Security, Business Continuity, Disaster Recovery, Privacy, Third-Party Relationship Risk Management, Risk Management, and Incident Response;
- risk assessments designed to help identify material cybersecurity risks to our critical systems, data, products, services, and our broader enterprise information technology environment;
- an independent second line function, the Information Security Department, which is principally responsible for managing our cybersecurity risk assessment processes, executing our incident response plan, and monitoring of our security controls;
- the use of external service providers, where appropriate, to assess, test and enhance our security controls, including penetration testing, training, and table top exercises;
- a comprehensive employee training and awareness program which includes periodic security assessments to test knowledge and reinforce adoption of security processes and controls that include simulated phishing attacks;
- membership with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and annual participation in the Cyber Attacks against Payment Systems (CAPS) exercises;
- regular reporting of cybersecurity metrics and other risk/threat information matters to both the Management Risk and CIT Committees;
- a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
- a third-party relationships risk management process for service providers, suppliers and vendors which analyses, monitors, reports, and mitigates cyber risks associated with third-party relationships.

Risks from cybersecurity threats, including any previous cybersecurity events, have not materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial conditions, and any expenses incurred from cybersecurity incidents have been immaterial. For a discussion of whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, refer to Item 1A. Risk Factors - “Risks Related to Operational Matters”.

Cybersecurity Governance

The Board of Directors has established its CIT Committee with specific responsibilities for overseeing the cybersecurity risk management program, among other things. Our Chief Information Security Officer (“CISO”) provides the CIT Committee with periodic reports on cybersecurity risks, threats and any material cybersecurity incidents. The CIT Committee also retains an independent external cybersecurity consultant who attends all CIT Committee meetings and reports directly to the CIT Committee Chair. In addition, the external cybersecurity consultant provides periodic training to the CIT Committee and to our Board of Directors. Northfield Bank maintains a comprehensive Information and Cybersecurity Program led by our Chief Risk Officer, the Chief Information Officer, and the CISO. The program is designed to identify and mitigate information security risks, with timely Board oversight. The Chief Risk Officer briefs the Board of Directors on information security matters during every meeting, ensuring that cybersecurity risks and strategies align with Northfield Bank’s risk profile.

The Information Security Department is primarily responsible for identifying, assessing and managing material risks from cybersecurity threats and overseeing cybersecurity third-party relationships. The Information Security Department is led by our CISO, who has over 15 years of experience in the cybersecurity space and has obtained professional security certifications and advanced training in the field of cybersecurity and technology. Our CISO and our Chief Information Officer, along with key members of their departments, regularly collaborate with peer institutions, industry groups, policymakers and third-party relationships to discuss cybersecurity trends and issues and identify best practices. The cybersecurity risk management program is periodically reviewed to address changing threats and conditions. Our internal audit team, led by our Chief Internal Auditor, provides independent assurance and evaluation of processes, controls and cybersecurity risk management practices to ensure they are adequate and functioning as intended.

The Information Security Department also monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through various means, including briefings with internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in the information technology environment.


Company Information

Name: Northfield Bancorp, Inc.
CIK: 0001493225
SIC Description: Savings Institution, Federally Chartered
Ticker: NFBK - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 30