Burke & Herbert Financial Services Corp. 10-K Cybersecurity GRC - 2025-03-17

Page last updated on March 17, 2025

Burke & Herbert Financial Services Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-17 12:11:17 EDT.

Filings

10-K filed on 2025-03-17

Burke & Herbert Financial Services Corp. filed a 10-K at 2025-03-17 12:11:17 EDT
Accession Number: 0001964333-25-000105


Item 1C. Cybersecurity.

The federal bank regulatory agencies have adopted guidelines for establishing information security standards and cybersecurity programs for implementing safeguards under the supervision of a financial institution’s board of directors. These guidelines, along with related regulatory materials, increasingly focus on risk management and processes related to information technology and the use of third parties in the provision of financial products and services. The federal bank regulatory agencies expect financial institutions to establish lines of defense and to ensure that their risk management processes address the risk posed by compromised customer credentials, and also expect financial institutions to maintain sufficient business continuity planning processes to ensure rapid recovery, resumption, and maintenance of the institution’s operations after a cyberattack. If the Company or the Bank fails to meet the expectations set forth in this regulatory guidance, the Company or the Bank could be subject to various regulatory actions and any remediation efforts may require significant resources of the Company or the Bank. On November 18, 2021, the federal bank regulatory agencies issued a final rule, with compliance required as of May 1, 2022, imposing new notification requirements for cybersecurity incidents.
The rule requires financial institutions to notify their primary federal regulator as soon as possible and no later than 36 hours after the institution determines that a cybersecurity incident has occurred that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the institution’s: (i) ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business, (ii) business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value, or (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States. To date, we have not experienced cybersecurity incidents that we believe have, or are reasonably likely to, materially affect our business operations, strategy, or financial condition. However, we continually assess the potential impact of cybersecurity threats, ensuring that any incident is evaluated for materiality in relation to our business strategy, operational results, and financial condition. Cybersecurity risk is a key factor in assessing the Company’s overall operational and regulatory risk and is a component of our overall information security protocols. The Company maintains a formal information security management program designed, in part, to identify risks to sensitive information, protect that information, detect threats and events, and maintain an appropriate response and recovery capability to help ensure resilience against information security incidents.
The program includes, among other things, 24/7 monitoring of all critical infrastructure, active threat hunting, and endpoint Extended Detection and Response (“XDR”) capabilities, to assist with prevention of attacks from advanced adversaries. This monitoring and response is reinforced with regular vulnerability scanning/remediation and penetration testing and includes an annual risk assessment that looks to threats on the Company’s own information technology platforms, and also assesses potential threats, owing to our use of third-party information technology platforms and services. As part of these processes, we engage well-established and professional third-party information security consultants to aid in the assessment and development of our monitoring and threat-detection processes and work with our internal information technology and audit teams. Additionally, all employees receive security training upon hiring, annual refresher training for all employees, and phishing exercises to raise employee awareness. Our cybersecurity program is led by our Chief Information Security Officer who has served in this capacity for 8 years and brings an additional 16 years of experience in information security program management, global cybersecurity operations and incident response. This experience extends to the strategic design, implementation, and management of security programs tailored to mitigate risks. His expertise is underscored by a Certified Information Systems Security Professional (CISSP) and multiple technology certifications. Information security protocols are a part of the Company’s Information Security Policy that is reviewed and approved annually by the Company’s Board. 
The ongoing oversight of cybersecurity risk is accomplished primarily through the Information Technology Steering Committee, comprised of management, the Regulatory Risk Committee, Technology Committee and the Enterprise Risk Management Committee, each comprised of management and members of the Board. Through these committees the Company keeps abreast of significant matters of actual, threatened, or potential breaches of cybersecurity protocols, monitors the effectiveness of the information security program through regular review of key metrics and assessment reports, discusses topical events requiring consideration, and if necessary, recommends changes to the Information Security Policy for approval by the Company’s Board, which retains the ultimate responsibility for overseeing our enterprise risk management, including cybersecurity. In addition to regular reports from these committees, the Board receives regular reports from management on material cybersecurity risks and the Company’s efforts to combat threats to its digital infrastructure. The Company also maintains specific cyber insurance through its corporate insurance program, the adequacy of which is subject to review and oversight by the Company’s Board. However, such insurance may not be sufficient to cover all of our potential losses and may not continue to be available to us on acceptable terms, or at all. With the increase in cyber-threat vectors and enhanced focus on cybersecurity, the Company and the Bank continue to monitor legislative, regulatory, and supervisory developments related thereto.


Company Information

Name: Burke & Herbert Financial Services Corp.
CIK: 0001964333
SIC Description: National Commercial Banks
Ticker: BHRB - Nasdaq
Website:
Category: Emerging growth company
Fiscal Year End: December 30