Page last updated on March 14, 2025
First Northwest Bancorp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-13 14:23:30 EDT.
Filings
10-K filed on 2025-03-13
First Northwest Bancorp filed a 10-K at 2025-03-13 14:23:30 EDT
Accession Number: 0001437749-25-007492
Item 1C. Cybersecurity.
The Company recognizes cybersecurity as a critical risk to its operations and the management of this risk is a top priority. We are committed to protecting the confidentiality, integrity, and availability of our customer information, information systems, data, and assets from unauthorized access, use, disclosure, disruption, modification, or destruction. The Company adheres to cybersecurity industry best practices such as the National Institute of Standards and Technology cybersecurity framework and Federal Financial Institutions Examinations Council (“FFIEC”) guidance. The Company conducted a NIST cybersecurity framework version 1 to version 2 gap analysis and is in the process of updating controls to adhere to the newest version.
Company management has integrated its processes for assessing, identifying, and managing material risks from cybersecurity threats into the Company’s overall risk management program, including regularly conducting risk assessments and gap analyses in order to identify and prioritize cybersecurity threats and vulnerabilities across our entire digital estate which is comprised of our IT infrastructure as well as cloud-based applications and storage. These assessments consider industry best practices, evolving threats, and the specific needs of our business. The Company implements a defense in depth, or layered, approach to security controls, including network security, intrusion detection and prevention, anomaly detection, endpoint security, data encryption, identity and access management, and security awareness training. Staff evaluate and update our controls on an ongoing basis to address emerging threats.
We have a documented incident response plan in place to identify, contain, and remediate cybersecurity incidents. The plan includes roles and responsibilities for key personnel, communication protocols, and procedures for recovery and notification.
We also maintain business continuity, crisis management, and disaster recovery plans to ensure the continued operation of critical business functions in the event of a major disruption, including a cyberattack, which are tested regularly through tabletop exercises, simulations, parallel testing, and functional testing. The Company adheres to a continuous improvement philosophy in regard to cybersecurity and leverages external experts, consultants, auditors, and assessors on a regular basis to complement the internal staff in identifying and remediating any gaps in the Company’s cybersecurity program. The Company has a well-defined and mature vendor management program that includes controls to address third-party cybersecurity risks throughout the vendor management lifecycle.
The Board has oversight responsibility for enterprise-wide risks, including cybersecurity risks. The Audit Committee, a designated committee of the Board, is responsible for overseeing the Company’s cybersecurity risk management program and reviewing its effectiveness. The Information Security Officer (“ISO”) is responsible for assessing and managing material risks from cybersecurity threats, with a dedicated staff of internal and external information security professionals. The ISO is a Systems Security Certified Practitioner and Certified Information Systems Security Professional with over 12 years of education, training and experience managing technology and cybersecurity risks, including eight years of experience in the banking industry specifically. The ISO regularly updates executive and senior management, including the Bank’s Enterprise Risk Management Committee, as well as the Board Audit Committee on cybersecurity risks and mitigation strategies. The Company has implemented internal controls to address the effectiveness of our cybersecurity program. These controls include risk assessments, vulnerability assessments and scans, periodic audits, and periodic penetration testing.
We are committed to disclosing material cybersecurity incidents to investors and other stakeholders in a timely and transparent manner in compliance with applicable regulations and in keeping with market practices. Management will assess the materiality of a cybersecurity incident based on its potential impact on our financial condition, results of operations, reputation, or ability to meet our business objectives. The Company is not aware of any current cybersecurity threats that are reasonably likely to affect the Company’s business strategy, results of operations or financial condition. See "We are subject to certain risks in connection with our use of networks and technology systems" in Item 1A. Risk Factors of this Form 10-K for additional information regarding the risks we face from cybersecurity threats.
Company Information
Name | First Northwest Bancorp |
CIK | 0001556727 |
SIC Description | Savings Institutions, Not Federally Chartered |
Ticker | FNWB - Nasdaq |
Category | Non-accelerated filer Smaller reporting company |
Fiscal Year End | December 30 |