Hanover Bancorp, Inc. /NY 10-K Cybersecurity GRC - 2025-03-14

Page last updated on March 14, 2025

Hanover Bancorp, Inc. /NY reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-14 17:22:35 EDT.

Filings

10-K filed on 2025-03-14

Hanover Bancorp, Inc. /NY filed a 10-K at 2025-03-14 17:22:35 EDT
Accession Number: 0001558370-25-003018


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Hanover recognizes that risk is an intrinsic aspect of all areas of our business and activities. Effective risk management is vital to our success. A comprehensive risk management approach is fundamental to maintaining the trust of our customers and the efficacy of our financial services. Hanover’s Enterprise Risk Management (“ERM”) framework leverages the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) principles. This alignment is intended to bolster effective risk management practices that meet regulatory expectations. ERM considers all eight major risk categories, including credit, market, liquidity, operational, compliance, reputation, legal, and strategic risk, and further enhances the Company’s financial resiliency by integrating ERM with our capital and strategic planning processes. Cybersecurity is a major component of the broader operational risk category, given the increase in risk due to the increased reliance on technology for both operating processes and delivery channels.

Hanover is committed to safeguarding the confidentiality, integrity, and availability of our information assets, including in particular customer information, and our information technology environment. The objective of our cybersecurity program is to minimize the likelihood and impact of cyber threats. Our comprehensive cybersecurity program is designed based upon the National Institute of Standards and Technology (“NIST”) cybersecurity framework and in accordance with applicable industry guidance, inclusive of Federal Financial Institutions Examination Council (“FFIEC”) Information Security program guidance and NYDFS guidance and requirements. Our cybersecurity governance framework includes documented policies, procedures, and controls designed to mitigate cybersecurity risk.

We also perform regular risk assessments of our infrastructure, network architecture, and software/systems using current threat intelligence received from a variety of sources. We employ various preventative and detective controls to block, monitor, and alert on suspicious activity. Additionally, we engage third-party experts to perform periodic internal and external assessments, including penetration testing and vulnerability scanning. We also maintain an ongoing education and training program designed to increase employee awareness and gauge risks relative to the human element. Moreover, we maintain a third-party risk management program designed to identify, assess, and mitigate risks, inclusive of cybersecurity risk, associated with third-party service providers and Hanover’s supply chain vendors. Lastly, we engage third-party audit firms to periodically assess our IT general controls and information security.

We also maintain an Incident Response Plan that provides a structured framework for addressing potential or actual cybersecurity incidents. The incident response procedures and detection/prevention mechanisms are continuously refined to address evolving threats and alerts. This Plan includes the timely notification, escalation, and reporting of cybersecurity incidents to the Bank’s Operational Risk Management Committee, Enterprise Risk Management Committee, and the Board of Directors and/or the duly designated ERM Committee of the Board of Directors. It also provides for the timely notification of regulatory agencies, including but not limited to the FDIC, DFS, FRB and SEC, as required or deemed appropriate. We also undertake periodic simulations and tabletop exercises to test our Incident Response Plan and ensure business resiliency and proper incident response management.

Cybersecurity Governance

Our Senior Information Security Officer (“SISO”), who is supported by a team of specialized Information Security and Third-Party Risk Management Analysts, is primarily responsible for the development, oversight, and administration of our Information Security, Business Continuity, and Vendor Risk Management Programs. The SISO has over 25 years of experience in information security, information technology, and enterprise risk management and holds certifications as both a Certified Information Systems Security Professional (“CISSP”) and Certified Information Systems Auditor (“CISA”). The SISO is an active member of the following management-level committees: Incident Response Committee, IT Steering Committee, Change Control Committee, Product Management Committee, Project Management Committee, and Operational Risk Management Committee (“ORMC”). The SISO reports to the ORMC on a quarterly basis, or more frequently if needed, regarding the effectiveness and status of the cybersecurity program, material cybersecurity risks and key risk indicators, and material cybersecurity trends and developments.

The SISO reports directly to the Chief Risk Officer (“CRO”), who has over 35 years of experience in enterprise risk, audit, and compliance. The CRO maintains oversight of entity-wide risk management, inclusive of but not limited to cybersecurity risk. The SISO meets regularly with and works collectively with the Bank’s Chief Information Officer (“CIO”) and various members of the Information Technology Department, as well as third parties we may employ to assist in this area. The CIO has over 30 years of experience in Information Technology.

The SISO also reports to Hanover’s Board Enterprise Risk Management Committee on a quarterly basis, or more frequently if needed. Similar to the SISO’s management-level reporting, the SISO reports on the overall cybersecurity program, material cybersecurity risks and key risk indicators, and material cybersecurity trends and developments. The SISO also provides an annual Information Security report to the full Board of Directors and executive leadership team on the overall cybersecurity program, including material risks, key risk indicators, and emerging trends. The ultimate responsibility, among management, for effective risk management, including cybersecurity risk, resides with the Chief Executive Officer (“CEO”). The Bank’s CEO and SISO annually certify compliance to the NYSDFS as required under DFS regulations.

Material Cybersecurity Risks, Threats, and Incidents

Our cybersecurity program has been designed to mitigate risks from cyber-attacks. However, even with a strong internal control environment designed to mitigate risks, Hanover is keenly aware that risks cannot be entirely eliminated. Notwithstanding our cybersecurity program’s effectiveness, the threat posed by cyber-attacks remains substantial. Additionally, we maintain cybersecurity insurance designed to further reduce residual risk. Nevertheless, due to the continuously shifting and evolving threat landscape and global geopolitical events, a portion of cyber risk remains inherently beyond full mitigation. While we have experienced cybersecurity incidents in the past, we do not believe any of these incidents have materially affected or are reasonably likely to materially affect the Company or its operations and financial condition.


Company Information

Name: Hanover Bancorp, Inc. /NY
CIK: 0001828588
SIC Description: State Commercial Banks
Ticker: HNVR - Nasdaq
Website:
Category: Emerging growth company
Fiscal Year End: December 30