LAKE SHORE BANCORP, INC. 10-K Cybersecurity GRC - 2025-03-14

Page last updated on March 14, 2025

LAKE SHORE BANCORP, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-14 16:59:26 EDT.

Filings

10-K filed on 2025-03-14

LAKE SHORE BANCORP, INC. filed a 10-K at 2025-03-14 16:59:26 EDT
Accession Number: 0000950170-25-039548


Item 1C. Cybersecurity.

The Company recognizes that the security of our operations is critical to protecting our customers and maintaining the reputation of the Company. Management is committed to managing Information Security (“IS”) risk, which includes cybersecurity, that may impact the Company. The Enterprise Risk Committee (“ERC”) of the Board of Directors provides oversight of the Company’s written Information Security Management and Information Technology Governance Programs (the “Programs”). Through the Programs, the Company has established policies, processes, controls, and systems designed to identify, assess, measure, manage, monitor, and report risks related to cybersecurity and to help prevent or limit the effect of possible cybersecurity threats and attacks. As cybersecurity threats continue to evolve, the Company expects to continue to monitor and enhance the current controls and systems in place to detect and prevent cybersecurity attacks and to remediate discovered vulnerabilities.

The Company’s Information Security Officer (“ISO”) is responsible for the design and execution of the Information Security Management Program and the information and cyber security aspects of the Information Technology Governance Program. The ISO works in concert with members of the Information Technology (“IT”) Department, including the Bank’s Chief Information Officer (“CIO”), to ensure the execution of the Programs. These individuals meet with management on a monthly basis through an IT Steering Committee, in which management assesses IS and IT risk. Additionally, the ISO provides the ERC with regular reports on the status and effectiveness of the Programs and risk management activities, as well as on cyber and IS issues that may affect the Company.

The ISO has served in various roles involving anti-money laundering, law enforcement, security, and information technology for over 7 years. The ISO holds an undergraduate degree in Legal Studies and a master’s degree in Criminal Justice and Criminology. The ISO reports to the Chief Financial Officer (“CFO”) as well as the Chairperson of the ERC. The CIO has served in various roles in audit, information risk, information technology, and information security in multiple industries for over 12 years. The CIO holds an undergraduate degree in Management Information Systems and has attained the ISACA Certified Information Systems Auditor (“CISA”) certification. The CIO reports to the Chief Executive Officer (“CEO”).

The Company utilizes the following guidelines and frameworks to develop and maintain the Information Security Management Program: the Federal Financial Institutions Examination Council (“FFIEC”) Information Technology Examination Handbooks, the FFIEC Cybersecurity Assessment Tool (“CAT”), the Center for Internet Security Critical Security Controls, the National Institute of Standards and Technology (“NIST”) Special Publication 800 Series, the NIST Cybersecurity Framework (“CSF”), 12 CFR Appendix B to Part 30 - Interagency Guidelines Establishing Standards for Safety and Soundness, and Gramm-Leach-Bliley Act (“GLBA”) 501(b).

The Information Security Management Program features layered controls of network and endpoint intrusion detection and prevention, enterprise malware protection, threat monitoring, and a Security Operations Center that provides full-time support and additional operational measures to monitor and respond to data breaches and cyberattacks. The Company leverages regular assessments to identify current and potential threats and vulnerabilities within the Company’s environment. Technical vulnerabilities are identified through regular automated vulnerability scans and periodic vulnerability and penetration testing performed by independent third parties. Non-technical vulnerabilities are identified through the IT and IS Assurance Program by conducting regular process and procedural reviews as well as risk assessments. The Company uses the FFIEC CAT and NIST CSF to help identify cybersecurity risks and determine our cybersecurity preparedness.

The Company’s information security and cybersecurity risk appetite statements define the levels of risk the Company is willing to accept and guide the risk management decisions of the Company. The risk appetite statements are approved by the Board of Directors annually. The Company has an Incident Response Plan to help reduce the risks related to security incidents by providing guidelines on responding to incidents, focusing on a roadmap for coordinating personnel, policies, and procedures to ensure incidents are detected, analyzed, and handled appropriately.

The Company also recognizes the risks associated with the use of third-party providers and maintains a Third Party Management Program that is responsible for the oversight of outsourced services. This enables the Company to identify risks related to third parties through an inherent risk assessment and a due diligence review process designed to ensure third parties are in compliance with the Company’s risk and information security expectations.

The Company’s Security Awareness Program provides annual, mandatory training for personnel on information security to equip personnel with the knowledge of how to properly use and protect Company resources from internal and external threats. The Program also conducts regular phishing assessments and targets new hires and other groups with specific training related to their job activities or risk levels. The Program also communicates information security policies, standards, and practices to personnel and requires annual review and acknowledgement of the policies.

For the year ended December 31, 2024, the Company has not identified any specific risk from a cybersecurity threat that has materially affected, or is reasonably likely to affect, the Company’s business strategy, results of operations, or financial condition, other than those described in Item 1A. Risk Factors - Risks Related to Operations.


Company Information

Name: LAKE SHORE BANCORP, INC.
CIK: 0001341318
SIC Description: Savings Institution, Federally Chartered
Ticker: LSBK - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30