Page last updated on March 6, 2025
HarborOne Bancorp, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-06 08:55:58 EST.
Filings
HarborOne Bancorp, Inc. filed a 10-K at 2025-03-06 08:55:58 EST
Accession Number: 0001558370-25-002324
Item 1C. Cybersecurity.
Introduction

Our business operations rely on the secure collection, storage, transmission, and other processing of confidential and sensitive data through our information systems. In addition, as a financial services company, we are subject to extensive regulatory compliance requirements concerning the treatment of such data. To ensure the security, confidentiality, integrity, and availability of our information systems, we have implemented a comprehensive cybersecurity risk management program (the “Information Security Program”). The program is designed to identify, assess, manage, and mitigate risks and secure Company and customer information against threats. This is achieved through monitoring, threat management strategies, policies and procedures, security awareness, oversight, and governance.

Risk Management Oversight and Governance

The Chief Risk Officer (“CRO”) and Chief Information Security Officer (“CISO”) provide direct oversight and management of the cybersecurity risk management program. The CISO and the Information Security team assess and manage the day-to-day cybersecurity and threat management programs. Our CISO has more than 20 years of relevant experience in leading and building risk management and cybersecurity programs. Our CISO maintains the following credentials: Certified Information Systems Auditor and Certification in Risk Management Assurance. The CRO and CISO report periodically on important updates related to the Information Security Program and threat landscape to the Board of Directors and its designated committee with responsibility for oversight of risk management. There are also several Management committees that are responsible for oversight of the Information Security Program. These include:
- Information Security Committee; and
- Risk Management Committee.
The Information Security Committee (“ISC”) is chaired by the CISO and is responsible for overseeing cybersecurity risk, including information security policies and procedures, information security audits, social engineering testing, vulnerability management, penetration testing, information security projects, business continuity, incident response planning, and current threats and security advisories related to the bank’s information systems and data assets. The ISC members include the CRO, Chief Information Officer, and General Counsel, with broader attendance from representatives of Risk Management, Technology, Operations, Internal Audit, and Retail. The ISC, in turn, provides a summary update and points of escalation to the Risk Management Committee (“RMC”), which is chaired by the CRO. The RMC serves as the primary Management committee in fulfilling enterprise risk management oversight responsibilities, including cybersecurity risk. The RMC provides quarterly updates to the Audit Committee.

The Board of Directors holds oversight responsibility over the Company’s risk management program, including material risks related to cybersecurity threats. This oversight may be executed directly by the Board of Directors or through its committees. The Board of Directors has delegated oversight of Risk Management to the Audit Committee of the Board of Directors. The Audit Committee engages in regular discussions with Management regarding the Company’s risk exposures and the measures implemented to monitor and control these risks, including those that may result from material cybersecurity threats. These discussions include evaluating current trends, internal risk assessments, and risk management policies. Annually, a comprehensive report on the state of the Information Security Program, including cybersecurity risk management, is provided to the Board of Directors by the CRO and CISO.
This report includes:
● Risk assessment results;
● Third- and fourth-party vendor oversight;
● Results of security monitoring and testing;
● Security incidents or violations (if applicable);
● Material changes to the Information Security Program; and
● Internal and external audit results.

Cybersecurity Risk Management

The Information Security Program employs various information security controls, tools, and strategies to combat threats and to ensure the Company’s information and systems remain secure. The Information Security Program contains specific provisions for identifying, assessing, and mitigating cyber threats, including but not limited to ransomware attacks, denial of service attacks, phishing and social engineering, data breaches, credential theft, and vulnerability exploitation. Due to the dynamic nature of risks, threats, vulnerabilities, and the information systems themselves, all information systems that store, process, or transmit sensitive and confidential information are protected by comprehensive defense-in-depth strategies that include strong authentication techniques, firewalls, intrusion detection systems, endpoint protection, physical security measures, encryption, and security awareness training. The Information Security Program is periodically reviewed to ensure that internal controls are designed appropriately and operating as expected. The Information Security Program is reviewed and approved by the Board of Directors annually. Periodic audits are performed by internal and external auditors to confirm adherence to the security program and regulatory guidelines and requirements. The Information Security team performs an annual assessment of cybersecurity risk and maturity using the FFIEC Cybersecurity Assessment Tool and reports the results to the Board of Directors as part of the annual report.
The Information Security Program complies with all applicable regulations, including Section 501(b) of the Gramm-Leach-Bliley Act and Section 216 of the Fair and Accurate Credit Transactions Act of 2003. The Information Security Program aligns with the National Institute of Standards and Technology Cybersecurity Framework and the Center for Internet Security benchmarks for device hardening. The Information Security team is responsible for monitoring and identifying all vulnerabilities and suspected threats and implementing corrective actions, if required. The Information Security team conducts risk assessments on the technology stack, determines the effectiveness of internal controls, and develops remediation plans. The Information Security team utilizes specialized service providers to perform continuous monitoring, alerting and containment of potential threats, and penetration testing. The Information Security team maintains a Vendor Management Program and performs ongoing periodic risk assessments on third- and fourth-party vendors and their associated technologies, if applicable.

While we have not experienced any data breaches during the year, our online banking platform was targeted at the beginning of the year by threat actors who created malicious look-alike phishing sites. The Bank did not suffer losses as a result of these attempted attacks, and due to efforts made to improve our security posture, the attack efforts have significantly subsided and remained at a stable low level for the remainder of the year. We continue to monitor and look for ways to enhance security, safeguard customer data, ensure the continuity of our operations, and mitigate any risks associated with potential cybersecurity events. The Information Security team maintains a Third-Party Risk Vendor Management Program that requires all third-party vendors with access to our systems or sensitive information to comply with applicable cybersecurity standards and regulations.
Ongoing periodic risk assessments on third- and fourth-party vendors and their associated technologies are performed, if applicable.

While extensive cybersecurity controls and procedures are in place, the risk of experiencing an incident can never be eliminated completely. We maintain and regularly review and update an Incident Response Plan that outlines procedures for identifying, containing, and mitigating any cyber event that may affect our systems, data, or operations and includes potential credit monitoring services, customer and regulatory notification guidelines, and templates. This plan is regularly tested and updated. The plan is designed to address adverse events that could impact the security of information, that affect our ability to conduct secure financial transactions, or that present reputational risk. We have retainers in place with privacy counsel and forensic incident response firms. We maintain cybersecurity insurance coverage to mitigate potential financial impacts from cyber incidents, such as data breaches and system disruptions. However, such insurance may not cover all types of damages, and we cannot guarantee that our coverage will be sufficient to fully protect us from the financial consequences of a cyberattack.
Company Information
Name | HarborOne Bancorp, Inc.
CIK | 0001769617
SIC Description | State Commercial Banks
Ticker | HONE - Nasdaq
Website |
Category | Accelerated filer
Fiscal Year End | December 30