Page last updated on March 20, 2025
First Financial Northwest, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-20 16:53:58 EDT.
Filings
10-K filed on 2025-03-20
First Financial Northwest, Inc. filed a 10-K at 2025-03-20 16:53:58 EDT
Accession Number: 0000939057-25-000075
Item 1C. Cybersecurity.
Risk Management and Strategy
Our cybersecurity risk management and strategy are integrated into our enterprise-wide risk management (“ERM”) program, which leverages a “three lines of defense” model to manage risk within the organization. Such model incorporates 1) day-to-day/operational activities and controls that are managed at the business unit level; 2) identification, measurement and mitigation of inherent security risks via the use of internal control and cybersecurity maturity frameworks, operating policies, independent monitoring, risk management and compliance oversight; and 3) internal audit designed to provide objective and independent validation of the design and operating effectiveness of cybersecurity and information security controls. Technology risk (including cybersecurity and overall operational risk) is a key focus for the Company. We use a combination of manual and automated methods, along with internal and external resources, to monitor, measure and mitigate cybersecurity risks. Effective risk mitigation depends on a robust risk assessment process that identifies, measures, controls, and monitors cybersecurity threats. These threats include any unauthorized activities within the Company’s information systems that could compromise the confidentiality, integrity, or availability of data. The Company’s Information Security Program incorporates a comprehensive information security risk assessment, which includes:
- Identification of reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of confidential information or information systems.
- Evaluation of the likelihood and potential damage of these threats, considering data sensitivity.
- Assessment of the sufficiency of existing policies, procedures, information systems, and other controls in mitigating risks.
The risk assessment process helps identify assets requiring additional risk reduction strategies and involves regular internal and third-party security assessments. In designing our Information Security Program, we refer to established industry frameworks, particularly those of the Federal Financial Institutions Examination Council (“FFIEC”) and the National Institute of Standards and Technology (“NIST”). The FFIEC framework offers a set of guidelines to help financial institutions effectively manage and mitigate cybersecurity risks. The framework focuses on ensuring the confidentiality, integrity, and availability of sensitive information and systems. NIST is part of the U.S. Department of Commerce and, among other initiatives, develops cybersecurity standards, guidelines, and other resources to meet the needs of U.S. industry, federal agencies and the broader public. Activities range from producing specific information that organizations can put into practice immediately to longer-term research that anticipates advances in technologies and future challenges. These frameworks inform the design of our security controls and risk mitigation strategies. While we believe our Information Security Program is well-designed, cyber threats continue to evolve. Consequently, despite our efforts, the Company’s cybersecurity strategy may not be sufficient to prevent all incidents. No system is entirely secure, and the Company may not be able to anticipate or prevent every security breach. For additional information on how cybersecurity risk may affect the Company’s business strategy, results of operations or financial condition, please refer to Item 1A. Risk Factors - Risks Related to Cybersecurity, Data and Fraud. The Company uses a cross-functional approach to identify, prevent, and mitigate cybersecurity threats and incidents.
We have established controls and procedures for the timely escalation of cybersecurity incidents, so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. Our Cybersecurity Incident Response Plan outlines the steps the Company will take to respond to a cybersecurity incident, and includes an Incident Response Team (“IRT”) responsible for addressing and coordinating all aspects of the Company’s response to cybersecurity events. The IRT follows established procedures for addressing unauthorized access to confidential information and may consult external experts, including legal counsel. An escalation process helps ensure appropriate reporting at both the management and Board of Directors levels.
Governance
Our Board of Directors annually reviews the Company’s Risk Management Statement, which defines key risk categories and associated metrics monitored quarterly by Management and reported to the Audit/Compliance/Risk (“ACR”) Committee of the Board and the Board of Directors. Management regularly assesses inherent risk, mitigating controls, residual risk and emerging risk for each key risk category, inclusive of cybersecurity threats. The Company’s governance and oversight of cybersecurity risks are facilitated through our Information Security Program, which establishes administrative, technical, and physical safeguards to protect confidential client information in accordance with FDIC and FFIEC regulations. The program is tailored to align with the Company’s risk profile, operational complexity, and strategic objectives. We maintain relevant in-house cybersecurity expertise, led by the Bank’s Information Security Officer (“ISO”), who reports directly to the Bank’s Chief Risk Officer (“CRO”).
The ISO oversees cybersecurity-related activities, including risk assessments, service provider oversight, incident response, business continuity, staff training, and security program adjustments based on evolving threats. The ISO has more than 20 years of information security experience at financial institutions as well as information security consulting firms, and maintains various cybersecurity and IT audit professional certifications. The ISO works in partnership with the Company’s Information Technology department and is supported by both internal and external information technology and information security tools, resources and staff. Both the CRO and ISO provide routine reports to various management committees and at the Board level (namely the ACR Committee and the Board of Directors) regarding the overall status of the Information Security Program. Such reporting encompasses various aspects, such as risk assessment, risk management and control decisions, service provider arrangements, results of independent testing, cybersecurity incidents or violations and Management’s responses, and recommendations for changes to the Information Security Program. The Board of Directors plays a crucial role, annually reviewing and approving our Information Security Program. The Board oversees efforts to develop, implement, and maintain an effective Information Security Program, including reviewing Management’s reporting on program effectiveness. Additionally, the Board of Directors’ Corporate Governance/Nominating Committee considers information technology and cybersecurity expertise when assessing potential director candidates to enhance the Board of Directors’ ability to oversee these critical areas.
Company Information
Name | First Financial Northwest, Inc. |
CIK | 0001401564 |
SIC Description | State Commercial Banks |
Ticker | FFNW - Nasdaq |
Website | |
Category | Non-accelerated filer Smaller reporting company |
Fiscal Year End | December 30 |