CNB FINANCIAL CORP/PA 10-K Cybersecurity GRC - 2025-03-06

Page last updated on March 6, 2025

CNB FINANCIAL CORP/PA reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-06 16:16:57 EST.

Filings

10-K filed on 2025-03-06

CNB FINANCIAL CORP/PA filed a 10-K at 2025-03-06 16:16:57 EST
Accession Number: 0000736772-25-000071


Item 1C. Cybersecurity.

Risk Management and Strategy

The Corporation maintains robust processes for assessing, identifying, and managing material risks from cybersecurity threats. The Corporation’s cybersecurity program is based on the Federal Financial Institutions Examination Council (“FFIEC”) framework which tailors the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework to be more financial services focused. The risk of cybersecurity threats is integrated into the Corporation’s Enterprise Risk Management (“ERM”) program, led by the Corporation’s Chief Risk Officer. The ERM program includes an annual risk prioritization process to identify key enterprise risks. Each key risk is assigned a risk owner to establish action plans and implement risk mitigation strategies. The Corporation’s cybersecurity threat risk action plan is managed at the enterprise level by the Chief Information Technology & Security Officer (the “CITSO”), the VP of Information Technology, and the VP of Information Security. Risk owners regularly monitor cybersecurity risks and the evolving threat landscape and review and update the cybersecurity threat risk action plan in response to newly identified threats or risk mitigation actions. To oversee and identify cybersecurity threat risks on a day-to-day basis, including from third party service providers, the Corporation maintains a third-party security operations center with round-the-clock monitoring, and the CITSO receives regular reports on industry activity. Management also assesses the cybersecurity proficiency of potential third-party suppliers before utilizing their services. The assessment identifies cybersecurity-related risks and makes recommendations to enhance the security of all new computing services. Management reassesses all suppliers on a regular interval.
The Corporation maintains a Cybersecurity Incident Response Plan (the “CSIRP”), which establishes an organizational framework and guidelines intended to facilitate an effective response and handling of cybersecurity incidents that could jeopardize the availability, integrity, or confidentiality of the Corporation’s assets. Pursuant to the CSIRP and its escalation protocols, designated personnel are responsible for assessing the severity of the incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing the reporting and disclosure obligations associated with the incident, and performing post-incident analysis and program improvements. While the particular personnel assigned to an incident response team will depend on the particular facts and circumstances, the CITSO and the VP of Information Security primarily lead these efforts. The Corporation works closely with its internal auditors to assess, identify, and manage cybersecurity risks. In addition, the Corporation engages with third party cybersecurity specialists to provide an independent assessment of the Corporation’s cybersecurity programs and to prepare a 3-year plan to maintain compliance and operational excellence. Management periodically reviews the 3-year plan and modifies it in response to changes in the threat landscape or otherwise as needed. Management has not identified risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Corporation, including its business strategy, results of operations or financial condition. However, there can be no assurance that the Corporation’s security efforts and measures will be effective or that attempted security incidents or disruptions would not be successful or damaging. 
In addition, although the Corporation maintains cybersecurity insurance to provide some coverage for certain risks arising out of data and network breaches, there can be no assurance that the Corporation’s cybersecurity insurance coverage will be sufficient in the event of a cyber attack. See “Item 1A. Risk Factors” above for more information.

Governance

The Board of Directors is responsible for overseeing the assessment and management of enterprise-level risks that may impact the Corporation. The Audit Committee has primary responsibility for overseeing risk management, including oversight of risks from cybersecurity threats. The boards of directors of the Corporation and the Bank have also established an IT Committee, consisting of at least three independent directors, along with non-voting members from management, including the President and CEO, the Chief Financial Officer, the CITSO, the SVP of Operations, the VP of Information Technology, and the VP of Information Security. The IT Committee assists the boards of directors of the Corporation and CNB Bank in fulfilling their respective governance responsibilities for CNB’s information technology and related data security infrastructure under relevant regulatory safety and soundness requirements. Management, including the CITSO, reports on cybersecurity matters regularly to the Board, primarily through the Audit Committee and IT Committee, including an annual report regarding specific risks and mitigation efforts within the Bank and a 3-year cybersecurity threat assessment conducted by third party experts. Management provides benchmarking information and updates on key operational and compliance metrics to the Board of Directors. In addition, cybersecurity training is provided to the full Board of Directors to educate directors on the current cyber threat environment and measures companies can take to mitigate risk and impact of cyber attacks.
Several members of the Board of Directors, including the Chairperson of the Audit Committee, also have cybersecurity experience. As described above, management is actively involved in assessing and managing the Bank’s material cybersecurity risks. The Corporation’s incident response plan provides clear communication protocols, including with respect to members of senior management, which may include the CEO, the CFO, the Board of Directors, the Audit Committee and external legal counsel. In addition, the incident response plan considers communications and reporting to customers, regulators and law enforcement. The CITSO, who reports directly to the CEO, is responsible for the oversight of the Corporation’s IT operation, including the cybersecurity program, and holds a Bachelor of Science degree in Information Technology and Security and a Master of Science in Information Security and Assurance. He also holds 20 industry recognized Technology and Security certifications. The VP of Information Security reports directly to the CITSO and has responsibility for leadership of the Bank’s cybersecurity program. He holds a bachelor’s degree in mathematics and computer science, as well as several industry recognized information security certifications. The VP of Information Technology reports directly to the CITSO and has responsibility for leadership of the Bank’s Information Technology program. He holds a bachelor’s degree in information technology and has worked in the technology field for 29 years with 17 of those years in a financial institution in various technology management, security, and audit roles.


Company Information

Name: CNB FINANCIAL CORP/PA
CIK: 0000736772
SIC Description: State Commercial Banks
Ticker: CCNE - Nasdaq; CCNEP - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 30