Page last updated on March 14, 2025
TRUSTCO BANK CORP N Y reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-14 16:28:28 EDT.
Filings
10-K filed on 2025-03-14
TRUSTCO BANK CORP N Y filed a 10-K at 2025-03-14 16:28:28 EDT
Accession Number: 0001140361-25-008827
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

At TrustCo, we recognize the importance of information security practices designed to protect the confidentiality, integrity, and availability of company information and the personal information that our customers share with us. TrustCo Bank maintains a formal enterprise-wide risk management (“ERM”) program which identifies, measures, monitors, and controls risk. The ERM Program and framework is designed to ensure that all elements of the risk management process are in place and operating effectively across all risk categories. Risk categories include credit, interest rate risk, liquidity, price, operational, compliance, reputation, and strategic risks. Cybersecurity risk is a critical component of our technology risk management program, specifically our information security program, given the increasing reliance on technology and potential of cyber risk threats.

Using guidance set forth in our ERM program, we have implemented an Information Security Program to lead and support the management of information security risks in accordance with our risk profile and business strategy. We utilize the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity Assessment Tool to benchmark these controls and procedures. Our Information Security Program includes a number of components designed to identify, analyze, and respond to cybersecurity risks, including reliance on a layered system of preventative and detective technologies, controls, and policies designed to detect, mitigate, and contain cybersecurity threats. As part of our Information Security Program, we maintain an Information Security Policy that outlines internal controls and procedures designed to protect information systems. Information security program risk assessments and third-party attestations and assessments are conducted periodically by both internal and external resources.
We leverage qualified third-party security assessors to identify vulnerabilities through both internal and external penetration tests and perform internal cybersecurity maturity assessments. In addition, our internal audit team conducts an information security and information technology audit on an annual basis. We are also subject to examinations by applicable regulators. We conduct annual cybersecurity awareness training for employees to enhance awareness of how to detect and respond to cybersecurity threats, as well as periodic phishing training campaigns. We also provide quarterly cybersecurity updates for our employees, and table-top exercises are conducted annually to simulate a response to a cybersecurity incident. As part of our Information Security Program, TrustCo maintains a formal Third-Party Risk Management program that provides oversight of cybersecurity risks related to supplier relationships. During supplier onboarding, we perform risk-based due diligence for suppliers with access to confidential TrustCo information or that require technical integration with TrustCo systems. This program includes encryption and password requirements for our suppliers, as well as ongoing monitoring and assessment, and contract review. Furthermore, we recognize the growing risk associated with highly sophisticated actors targeting corporations and maintain an Incident Response Plan, which is part of our broader business continuity planning. We have access through our insurer to computer forensics firms and specialized legal counsel in case of a cybersecurity incident. While we maintain cybersecurity insurance to assist in the cost of recovery from a cybersecurity incident, such coverage may not be sufficient to cover all costs resulting from such incidents. We did not experience any material losses relating to cybersecurity threats or incidents for the year ended December 31, 2024. 
We are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, the sophistication of and risks from cybersecurity threats and incidents continue to increase, and the preventative actions that we have taken and continue to take to reduce the risk of cybersecurity threats and incidents and protect our systems and information may not successfully protect against all cybersecurity threats and incidents. For more information on the risks that we face from cybersecurity threats, see “Risk Factors - Risks Related to Cybersecurity, Third Parties, and Technology.” in Part I, Item 1A of this report.

Cybersecurity Governance

The Board has overall responsibility for risk oversight and has delegated oversight of our cybersecurity program to both our Risk Committee and our Audit Committee. The Risk Committee directly oversees information technology and information security risks through regular reports from management on information technology, cybersecurity, and related risk assessments. The Risk Committee also receives annual reports on the Information Security Program and approves the Information Security Policy. In addition, the Audit Committee of the Board monitors internal audit’s coverage of cybersecurity governance, risks, and related controls, including any identified deficiencies, from cybersecurity or other risks, that could adversely affect the ability to record, process, summarize, and report financial data. The Risk Committee coordinates with the Audit Committee for review of information security matters, as needed. The Board also receives an annual update on the Company’s enterprise services, which includes both information technology and information security.
Our Information Security Program is run by our Senior Vice President, Chief Risk Officer, Chief Compliance Officer and Information Security Officer (“ISO”), who reports to our Executive Vice President, Chief Operating Officer (“EVP”). Our ISO is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from professionals in the information security team, and through the use of technological tools and software and results from third party audits. Our management-level IT Steering Committee meets on a monthly basis to discuss cybersecurity and related topics. Our ISO and EVP have extensive experience assessing and managing cybersecurity programs and cybersecurity risk. Our ISO has served in that position since 2013, is a Certified Information Security Manager, and has over 20 years of experience working at TrustCo. Our EVP, who has been an employee of TrustCo since 1986, has served in his role as Executive Vice President of TrustCo since 2013. Our ISO and EVP report directly to the Risk Committee on our cybersecurity program and efforts to prevent, detect, mitigate, and remediate issues.
Company Information
Name | TRUSTCO BANK CORP N Y |
CIK | 0000357301 |
SIC Description | State Commercial Banks |
Ticker | TRST - Nasdaq |
Website | |
Category | Accelerated filer |
Fiscal Year End | December 30 |