PARKE BANCORP, INC. 10-K Cybersecurity GRC - 2025-03-12

Page last updated on March 12, 2025

PARKE BANCORP, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-12 16:05:24 EDT.

Filings

10-K filed on 2025-03-12

PARKE BANCORP, INC. filed a 10-K at 2025-03-12 16:05:24 EDT
Accession Number: 0001315399-25-000025

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity The Risk Management Committee of the Board of Directors (the “Committee”) is responsible for overseeing the risks from cybersecurity threats. The Committee receives reports from, and oversees, IT Risk Assessment, Cybersecurity Risk Assessment, Annual IT Program Status Report, Vendor Management Risk Assessment, and Quarterly Internal Vulnerability Reports and current Cyber Events briefings. The Committee also makes budgeting, procedure, and policy decisions designed and intended to improve the Company’s residual risk. The IT Steering Committee consists of the Company’s senior management, the entire IT team, and various operations personnel. The primary function of the IT Steering Committee is to perform Strategic Planning, discuss hardware and software replacement, new projects, current cybersecurity threats, and ongoing cybersecurity issues and threats. The IT manager provides an IT status report to the Risk Management committee on a quarterly basis. Our IT department performs annual risk assessments to evaluate the effectiveness of the controls to support the requirements under Gramm-Leach Bliley Act (“GLBA”), and Federal Institutions Examination Council (“FFIEC”) Guidance on Securing Customer Information. The focus areas include: - technology systems used for information that is collected, processed, and stored; - assessing internal and external cybersecurity threats and vulnerabilities; - performing regular penetration and controls testing; - evaluation and assessment of impact should the information or systems become compromised; - evaluation for the effectiveness of the governance structure for Information security risk management. Internal and external Penetration Testing is performed annually. Tests are conducted or reviewed by independent third parties or qualified Associates independent of those that develop or maintain the security program. Testing is performed annually by third party auditors contracted through the company’s IT department. Management reviews test results promptly and ensures that appropriate steps are taken to address adverse test results. Remediation efforts are organized and made available to the Committee as well as for review by third party auditors and examiners. The Company has adopted an Incident Response Plan (the “Plan”) to monitor, detect, mitigate and remediate cybersecurity incidents. The Plan requires all employees to have a working knowledge of the Company’s Information Security Program and Incident Response Policies. Pursuant to the Plan, the Information Technology Administrator and Senior\Compliance Management identify information owners for sensitive customer information and create an incident response team. Each Department Manager, upon notification of a potential unauthorized access, manipulation of data or theft of any item identified under GLBA Inventory and Asset Classification, is responsible for further assessing the situation in order to document the suspected or actual breech, and forward the appropriate documentation to the Information Technology Administrator. The documentation of the suspected or actual incident includes the following: a. Identify the nature and scope of the incident. b. Identify the information systems affected. c. Identify the types of customer information potentially affected. 16 Once the Department Manager has determined that unauthorized access, manipulation of data or theft of any item identified under GLBA Inventory and Asset Classification has occurred, Senior Management, the Compliance Officer and the Information Technology Administrator must be contacted immediately. If theft of any item identified under GLBA Inventory and Asset Classification has occurred, and it cannot be determined what specific information was included on the Asset, the Asset is treated as if it contained sensitive customer information and Senior Management, the Compliance Officer and the Information Technology Administrator must be contacted immediately. If the Information Technology Administrator and Senior\Compliance Management declare an incident or if there is a confirmed theft or loss of customer information, appropriate regulatory authorities, law enforcement, and legal counsel are notified. During the fiscal year ended December 31, 2024, the risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, its business strategy, results of operations, or financial condition.

Company Information