CHOICEONE FINANCIAL SERVICES INC 10-K Cybersecurity GRC - 2025-03-11

Page last updated on March 11, 2025

CHOICEONE FINANCIAL SERVICES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-11 08:30:43 EDT.

Filings

10-K filed on 2025-03-11

CHOICEONE FINANCIAL SERVICES INC filed a 10-K at 2025-03-11 08:30:43 EDT
Accession Number: 0000950170-25-036839

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We face various cybersecurity threats, including unauthorized access, malware, ransomware, and phishing attacks. These threats could compromise the security of our information systems and the data we store and process. While we have experienced, and expect to continue to experience, cybersecurity threats, we have not experienced a material cybersecurity incident in the three year period ended December 31, 2024. The potential consequences of a material cybersecurity incident could include reputational damage, litigation with third parties, regulatory criticism or proceedings and increased cybersecurity protection and remediation costs, which in turn could materially adversely affect our results of operations. We have established an information security third party risk management program to identify and manage these risks. This program includes regular risk assessments, third party risk provider reviews, and implementation of security measures such as encryption and firewalls, and ongoing monitoring of our systems for potential threats. We also engage with industry consultants to assist with our risk assessments. On a regular basis, the technology steering committee, led by management, receives comprehensive reports summarizing cybersecurity threat monitoring and incident management activities. These reports also include details about remediation efforts to address identified threats and incidents. Additionally, both internal and external assessments of our company’s cybersecurity threat monitoring capabilities are shared with the committee. Meeting minutes from these committee sessions are diligently maintained and provided to the Board of Directors. The Board of Directors has responsibility for approving and overseeing management’s policies related to information system security and cybersecurity threats and incidents. They also supervise management’s overall approach to securing the company’s information systems. The Board of Directors delegates the oversight of cybersecurity risk management to the Information Technology Committee of the Board. The Information Technology Committee, in turn, reviews reports on our cybersecurity risk management processes. These reports cover assessments of management’s handling of cybersecurity threats and incident management functions. The committee receives periodic updates from the Chief Information Officer, including information on social engineering risks, the effectiveness of cybersecurity training, and results from vulnerability and penetration assessments conducted both internally and by external parties. Audit reports related to information systems and cybersecurity threat monitoring are also part of this reporting process. ChoiceOne recognizes the importance of cybersecurity and has established a comprehensive framework to assess and manage material risks from cybersecurity threats. The Company’s cybersecurity risk management program is overseen by the Information Technology Committee, which is responsible for developing and implementing policies and procedures to protect the Company’s information assets. Key members of ChoiceOne’s cybersecurity team include: Chief Information Officer (“CIO”) has extensive experience in managing complex IT environments and mitigating cybersecurity risks. The CIO is responsible for overseeing cybersecurity and technology vendors, assessing risks in these areas, and ensuring the effective execution of the information security program. Vice President of Network Security is a Certified Information System Security Professional (CISSP) with over 10 years of experience in managing IT and cybersecurity operations. The cybersecurity team has several other members with expertise in network security, technology, and administration. The cybersecurity team meets regularly to review and assess the Company’s cybersecurity posture, identify potential threats, and implement appropriate measures to mitigate risks. The committee also collaborates with external cybersecurity experts to stay informed about the latest threats and best practices in the industry.

Company Information