HAWTHORN BANCSHARES, INC. 10-K Cybersecurity GRC - 2025-03-17

Page last updated on March 17, 2025

HAWTHORN BANCSHARES, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-17 13:07:17 EDT.

Filings

10-K filed on 2025-03-17

HAWTHORN BANCSHARES, INC. filed a 10-K at 2025-03-17 13:07:17 EDT
Accession Number: 0000893847-25-000002


Item 1C. Cybersecurity.

We recognize the security of our banking operations is critical to protecting our customers, maintaining our reputation and preserving the value of the Company. Our board of directors is actively involved in oversight of the Company’s risk management program, and cybersecurity represents an important component of the Company’s overall approach to enterprise risk management (“ERM”). The Company maintains a cybersecurity and information technology (“IT”) risk management program designed to prevent, detect and respond to information security threats, which is fully integrated into the Company’s ERM program. Our cybersecurity and IT risk management program is based on recognized frameworks established by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, as well as the banking-specific framework from the Federal Financial Institutions Examination Council’s (“FFIEC’s”) Cybersecurity Assessment Tool. The Company’s program is led by our Director of Information Technology and Information Security Officer, whose teams are responsible for leading short-term and long-term enterprise-wide cybersecurity strategy, policy, standards, monitoring, architecture and processes. Our Director of Information Technology and Information Security Officer has over fifteen years of experience in the field of cybersecurity and over a decade of experience leading cybersecurity oversight in the banking industry.

Governance

Although it is management’s job to assess and manage our Company’s exposure to risk, our board of directors oversees our Company’s ERM, including cybersecurity and IT risks and threats, and establishes policies that govern the process. Our board conducts much of its risk oversight activities through our Audit Committee, which works closely with our Chief Risk Officer and Internal Audit Manager. The Audit Committee has primary management responsibility for oversight of operations, technology and operational risk, including information security, fraud, vendor, data protection and privacy, business continuity and cybersecurity risks. Our Audit Committee meets at least quarterly with our Chief Risk Officer, Internal Audit Manager and other members of management to assess, among other things, cyber threats or risks to align the Company for effective cybersecurity risk management and reporting. The Audit Committee receives quarterly reports from our Internal Audit Manager and Director of Information Technology and Information Security Officer on, among other things, the Company’s cyber risks and threats, the status of projects to strengthen the Company’s information security program, the emerging threat landscape and key metrics from cybersecurity systems and monitoring. Our Chief Risk Officer provides a presentation on ERM to the full board at least once annually. From time to time our Audit Committee also receives updates between meetings from our Chief Risk Officer, Chief Executive Officer, Chief Financial Officer and other members of management relating to risk oversight matters.

Security event monitoring and detection

Our processes for assessing, identifying, and managing material risks from cybersecurity threats include using a wide range of industry-leading security tools, regularly updating our technology roadmaps, and mandating cybersecurity awareness, business continuity and incident response training for all employees. Recognizing the complexity and evolving nature of cybersecurity threats, we engage a range of outside experts, including cybersecurity assessors, consultants and auditors, in evaluating and testing our cybersecurity and IT risk management systems. Engaging outside vendors enables us to leverage specialized knowledge and insights, ensuring our cybersecurity and IT risk management strategies and processes remain sound. Our collaboration with these third parties includes threat assessments, consultation on security enhancements and regular audits; the results of these threat assessments and audits are reported to the Audit Committee. Strong vendor management and monitoring controls are enforced and require, at a minimum, annual due diligence on critical vendors. We have implemented a comprehensive Incident Response Program to provide guidance in the event of a cybersecurity incident for contacting authorities and informing key stakeholders, to ensure that any non-routine events are properly escalated. The Company participates in cybersecurity incident response exercises to test pre-planned response actions from the Company’s plan and to facilitate group discussions regarding the effectiveness of the Company’s cybersecurity incident response strategies and tactics. We use a third-party SIEM to provide 24x7x365 monitoring of logs, administrator and user actions, network and security appliances, and endpoint agents. Our Director of Information Technology and Information Security Officer actively engages with key vendors and industry participants, as well as the FS-ISAC, InfraGard, InspireCIO and SANS Internet Storm Center cybersecurity collaboration organizations.

Incident materiality

The Incident Response Program is a component of the Company’s Information Security policy and sets forth the severity categories and processes required to assess the impact of a cyber-related incident to the Company. The impact is categorized in one of five severity levels and is expressed in terms of financial loss, strategic objectives, customer, legal and regulatory, reputation, and service interruption. The incident response program includes timely notification of a material cybersecurity incident to the appropriate law enforcement, regulatory agencies, Board of Directors and other members of senior management.

Like other financial institutions, the Company experiences malicious cyber activity on an ongoing basis directed at its websites, computer systems, software, networks and users. This malicious activity includes attempts at unauthorized access, implantation of computer viruses or malware, and denial of service attacks. The Company also experiences large volumes of phishing and other forms of social engineering attempted for the purpose of perpetrating fraud. While, to date, malicious cyber activity, cyberattacks and other information security breaches have not had a material adverse impact on the Company, risk to its systems remains significant. See Item 1A, Technology Risk, “A successful cyber attack or other computer system breach could significantly harm the Company, its reputation and its customers”.


Company Information

Name: HAWTHORN BANCSHARES, INC.
CIK: 0000893847
SIC Description: National Commercial Banks
Ticker: HWBK - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30