ARROW FINANCIAL CORP 10-K Cybersecurity GRC - 2025-03-14

Page last updated on March 14, 2025

ARROW FINANCIAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-14 16:46:42 EDT.

Filings

10-K filed on 2025-03-14

ARROW FINANCIAL CORP filed a 10-K at 2025-03-14 16:46:42 EDT
Accession Number: 0000717538-25-000023

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C . Cybersecurity Regulatory Supervision Arrow and its subsidiaries are subject to the provisions in the Gramm-Leach-Bliley Act relating to data security, as well as many federal and state laws, regulations and regulatory interpretations which impose standards and requirements related to cybersecurity. In July 2023, the SEC adopted amendments intended to enhance and standardize disclosures related to cybersecurity. The amendments were effective in December 2023 and require timely disclosure of material cybersecurity incidents and annual disclosures related to cybersecurity risk management, strategy, and governance. Under the new rules, a material cybersecurity incident is required to be disclosed on a Form 8-K within four business days after the learning of a material incident. The SEC has defined a cybersecurity incident to mean “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” Arrow has undertaken and implemented a number of procedures and control steps to comply with these expanded cybersecurity reporting requirements as outlined below. Cybersecurity Risk Management & Strategy Arrow has implemented processes designed to oversee and identify risk from cybersecurity breaches. Arrow’s cybersecurity risk management and data security program is an in-depth, layered, defensive approach that leverages people, processes and technology to manage and maintain cybersecurity controls. Arrow employs a variety of preventative and detective tools to 16 monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected advanced persistent cybersecurity threats. Our security framework involves processes for detection, identification, protection and response to a cybersecurity incident. Additionally, we are well prepared for recovery in the case of a cybersecurity incident with proper vendor support as well as backups both online and offline. Arrow also regularly assesses and tests its security systems and disaster preparedness, including the adequacy and functionality of its backup systems. Arrow also regularly reviews and updates its existing internal controls and procedures and corporate governance policies and procedures intended to protect its business operations, which includes the security and privacy of the confidential information of its customers. In addition, Arrow engages a variety of vendors to meet data processing and communication needs. Arrow communicates and works directly with all of our critical information technology (“IT”) vendors to resolve issues and install releases. We perform business continuity plan testing on a periodic basis. Arrow has not experienced, nor does it believe it is reasonably likely to experience, a material effect on the Company’s business strategy, results of operations or financial condition as a result of a significant compromise, significant data loss or any material financial losses related to cybersecurity incidents or other security problems. Cybersecurity and the continued enhancement of Arrow’s controls and processes to protect its systems, data and networks from cybersecurity incidents remain a priority to Arrow. Governance Arrow’s senior management regularly considers the impact of cybersecurity risks when developing its business strategy and financial planning. Arrow has various policies and procedures in place to mitigate cybersecurity risks and maintains a layered, defensive program to manage and maintain cybersecurity controls. Arrow’s Board of Directors, Chief Information Officer, Director of IT and the Enterprise Risk Management (“ERM”) committee at the senior management level all have a role in the cybersecurity risk management program. The Board receives periodic reports from the ERM committee, which is chaired by the Director of Compliance and Risk and includes executive, senior, and other designated managers as appropriate.

Company Information