FRANKLIN FINANCIAL SERVICES CORP /PA/ 10-K Cybersecurity GRC - 2025-03-14

Page last updated on March 14, 2025

FRANKLIN FINANCIAL SERVICES CORP /PA/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-14 16:50:08 EDT.

Filings

10-K filed on 2025-03-14

FRANKLIN FINANCIAL SERVICES CORP /PA/ filed a 10-K at 2025-03-14 16:50:08 EDT
Accession Number: 0000723646-25-000020


Item 1C. Cybersecurity.

The Corporation is exposed to a variety of cybersecurity risks that could adversely affect our operations, reputation, and financial results. Cybersecurity incidents, including data breaches, denial of service attacks, malware, ransomware, phishing, and other intrusions, could compromise the confidentiality, integrity, or availability of sensitive information and disrupt our systems. Such incidents could result in unauthorized access to customer or employee information, financial losses, regulatory penalties, and litigation. Our dependence on technology to deliver banking services and manage our operations increases the potential impact of cybersecurity risks.

The Corporation has developed an information security program to protect the confidentiality, integrity, and availability of our data, information systems, and digital assets from disruption, breach, or theft. As a financial institution, we store and protect nonpublic data related to customers, employees, and business operations. Securing this data at all times is critical to our business. The Corporation’s information security program was developed to assess, identify, and monitor cybersecurity risks. The cybersecurity framework utilized by the Corporation is based on recommendations from the National Institute of Standards and Technology (NIST), ISO/IEC 27001 & 27002, the Federal Financial Institutions Examination Council (FFIEC), industry standards and best practices, and other applicable regulatory guidance. We maintain robust cybersecurity policies and procedures to identify risks and mitigate them where feasible. Policies and procedures address: vendor management and third-party risk, incident response, disaster recovery and business continuity, electronic banking, and data classification and retention.
The Corporation’s information security program is led by the Chief Technology Officer (CTO) in conjunction with the Chief Risk Officer (CRO), who together have over 50 years of combined experience in financial services risk management and information security. Their experience includes incident response, vendor management, disaster recovery and business continuity, and breach mitigation, as well as relevant professional certifications. Along with the CTO and CRO, the Executive Enterprise Risk Management Committee (EERM) and the Board Enterprise Risk Management Committee (BERM) are responsible for oversight of the Corporation’s cybersecurity and information security program and regularly review and evaluate the information security and cybersecurity risks reported by management. Key risk indicators (KRIs) are regularly reported to the EERM Committee and BERM for review on a quarterly basis or as needed. The CRO provides updates to the Board of Directors multiple times a year and as needed. This includes facilitating training for the Board on cybersecurity risks and threats. The Board of Directors is also responsible for reviewing and approving policies critical to the information security program annually. All employees participate in annual cybersecurity training courses conducted by the Training department with oversight from the CTO. Additional training exercises are administered throughout the year to increase cybersecurity awareness and address relevant risks. The Corporation conducts periodic testing of software, hardware, defensive capabilities, and other information security systems utilizing both internal processes and third-party consultants. Testing procedures are supplemented by regular cyber threat exercises and employee training. Threat simulation exercises are used to develop and refine the Corporation’s incident response plans.
A defense-in-depth strategy is utilized to provide various layers of defense to identify and protect against risks to the Corporation’s network and computer systems. We utilize industry-standard controls such as, but not limited to, advanced firewalls, content filtering, email gateway protections, endpoint detection and response software, and data loss prevention software. Access to systems is granted on an as-needed basis as it relates to the job functions of an individual. All access changes must be requested based on job function and approved by the appropriate departments. Changes are reviewed monthly, and all access rights to all significant systems are reviewed and verified annually. The Corporation also addresses cyber risks posed by its relationships with third-party vendors. The Corporation assesses vendor risk as a part of its vendor management process, which requires a pre-acquisition diligence review, including the review of the vendor’s information security policy, for all vendors determined to be a “critical vendor”. The vendor management process also requires a review of all critical vendors annually, and all critical vendors are reported to the Board of Directors. An incident response plan is in place to ensure swift and effective action in the event of a cybersecurity incident. The plan defines the Incident Response Team (IRT), which includes representatives from executive management, critical business lines, and communications. The plan outlines the responsibilities of the IRT to meet in the event of an incident and ensure that proper containment, investigation and forensic analysis, recovery procedures, and notifications are carried out within the parameters of all applicable laws and regulations. The IRT participates in testing of the plan at least annually through simulated cyberattack exercises. The Board of Directors reviews and approves the plan annually. To date, risks from cybersecurity threats or incidents have not materially affected the Corporation.
However, the sophistication of and risks from cybersecurity threats and incidents continue to increase, and the preventative actions the Corporation has taken and continues to take to reduce the risk of cybersecurity threats and incidents and protect its systems and information may not successfully protect against all cybersecurity threats and incidents. For more information on how cybersecurity risk could materially affect the Company’s business strategy, results of operations, or financial condition, please refer to Item 1A Risk Factors.


Company Information

Name: FRANKLIN FINANCIAL SERVICES CORP /PA/
CIK: 0000723646
SIC Description: State Commercial Banks
Ticker: FRAF - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30