AUBURN NATIONAL BANCORPORATION, INC 10-K Cybersecurity GRC - 2025-03-11

Page last updated on March 11, 2025

AUBURN NATIONAL BANCORPORATION, INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-11 09:35:56 EDT.

Filings

10-K filed on 2025-03-11

AUBURN NATIONAL BANCORPORATION, INC filed a 10-K at 2025-03-11 09:35:56 EDT
Accession Number: 0001193125-25-051574


Item 1C. Cybersecurity.

We rely extensively on various information systems and other electronic resources to operate our business. In addition, nearly all of our customers, service providers and other business partners on whom we depend, including the providers of our online banking, mobile banking and accounting systems, use their own electronic information systems. Any of these systems can be compromised by employees, customers and other authorized individuals, and by bad actors using sophisticated and constantly evolving sets of software, tools and strategies, which may include artificial intelligence, to do so. The threats are domestic and international and range from small to large, including state-sponsored, terrorist and criminal organizations with substantial funds, and technical and other resources. As a bank, we and our vendors, service providers and customers may be attractive targets, and we confront continuous cybersecurity threats. Insurance to fully cover these risks is unavailable in sufficient amounts at reasonable costs. We believe the more effective approach is taking active measures to detect, deter and reduce cybersecurity threats, and to be prepared to address and remediate any breaches and prevent similar breaches in the future. See the “Risks Related to Information Security and Business Interruption” section of the Risk Factors included in Item 1A of this Form 10-K for additional information.
Accordingly, we have devoted significant resources to assessing, identifying and managing risks associated with cybersecurity threats, including:
- Implementing an Information Security Program that establishes policies and procedures for security operations and governance;
- Establishing an IT Steering Committee, including participation by directors, that is responsible for security administration, including reviewing assessments of our information systems, existing controls, vulnerabilities and potential improvements;
- Implementing layers of controls and not allowing excessive reliance on any single control;
- Employing a variety of preventative and detective tools designed to monitor, block and provide alerts regarding suspicious activity;
- Continuously evaluating tools that can detect and help respond to cybersecurity threats in real time;
- Leveraging people, processes and technology to manage and maintain cybersecurity controls;
- Maintaining a vendor management program with pre-engagement and periodic review processes thereafter, and a third-party risk management program designed to identify, assess and manage risks associated with external service providers;
- Monitoring our systems and related software and programming periodically to update software and programming, including updating data protection elements, and requiring that our service providers also engage in similar programs that are reasonably designed to deter cybersecurity breaches;
- Performing initial and ongoing due diligence with respect to our third-party service providers, including their cybersecurity practices and safeguards, and service level standards based on the risk they pose to the Bank;
- Engaging third-party cybersecurity consultants, who conduct periodic penetration testing, vulnerability assessments and other procedures to identify potential weaknesses in our systems and processes; and
- Conducting periodic cybersecurity training for our employees and the Company’s board of directors.

Our Information Security Program is a key part of our overall risk management system, which is administered by our IT Steering Committee and evaluated by our IT Steering Committee and chief risk officer. The program includes administrative, technical and physical safeguards to help protect the security, confidentiality and availability of customer records and information. From time to time, we have identified cybersecurity threats that require us to make changes to our processes and equipment and to implement additional safeguards. While none of these identified threats or incidents have materially affected us, it is possible that threats and incidents we identify in the future could have a material adverse effect on our business strategy, customer service, data privacy and security, continuity of service and reputation, and our results of operations and financial condition.

The Company’s Chief Technology Officer is responsible for the day-to-day management of the cybersecurity risks we face and oversees the IT Steering Committee, which is chaired by a director of the Company’s board. The IT Steering Committee oversees the information security assessment, development of policies, standards and procedures, testing, training and security report processes. The IT Steering Committee is comprised of officers with the appropriate expertise and authority to oversee the Information Security Program, and includes the participation of certain directors. Our Chief Technology Officer, along with the information technology department, is accountable for managing our enterprise information security and delivering our information security program. The department, as a whole, consists of information security professionals with varying degrees of education and experience. The Chief Technology Officer is subject to professional education and certification requirements.

In particular, our Chief Technology Officer, who is also designated as our Information Security Officer, has relevant expertise in the areas of information security and cybersecurity risk management. In addition, the Company’s Board, both as a whole and through directors participating in the IT Steering Committee, is responsible for the oversight of risk management, including cybersecurity risks. In that role, the Company’s Board and the IT Steering Committee, with support from the Company’s management and third-party cybersecurity advisors, are responsible for ensuring that the risk management processes designed and implemented by management are adequate and functioning as designed. The Board reviews and approves an information security program, vendor management policy (including third-party service providers), acceptable use policy, incident response procedures and business continuity planning policy on at least an annual basis. All of the aforementioned policies are developed and implemented by Company management. To carry out its duties, the Board receives updates at least quarterly from the Chief Technology Officer regarding cybersecurity risks and the Company’s efforts to prevent, detect, mitigate and remediate any cybersecurity incidents.


Company Information

Name: AUBURN NATIONAL BANCORPORATION, INC
CIK: 0000750574
SIC Description: State Commercial Banks
Ticker: AUBN - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30