CHAIN BRIDGE BANCORP INC 10-K Cybersecurity GRC - 2025-03-21

Page last updated on March 21, 2025

CHAIN BRIDGE BANCORP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-21 16:16:48 EDT.

Filings

10-K filed on 2025-03-21

CHAIN BRIDGE BANCORP INC filed a 10-K at 2025-03-21 16:16:48 EDT
Accession Number: 0001392272-25-000019


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

Risk Management and Strategy

The Company identifies, assesses, and manages cybersecurity risks as part of its risk management program. Our cybersecurity strategy aligns the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”), applicable regulatory guidelines and other industry practices to secure critical information systems and sensitive data. Key components of the Company’s cybersecurity program include:

- Risk Assessment & Management: Regular identification and evaluation of cybersecurity threats, vulnerabilities, and exposures informed by threat intelligence, industry trends, and regulatory developments.
- Governance & Oversight: Defined cybersecurity policies and procedures overseen by senior management and the Board of Directors. The Director of Technology is responsible for monitoring cybersecurity risks and reporting any material threats or incidents to the IT Committee or Board for oversight, strategic response planning, and mitigation efforts.
- Access Controls & Identity Management: Implementation of multi-factor authentication, role-based access controls, and monitoring of user permissions.
- Incident Detection & Response: Security monitoring supported by an incident response plan designed for timely identification, containment, and remediation of cybersecurity incidents.
- Data Protection & Encryption: Encryption standards, data loss prevention protocols, and secure data storage measures for sensitive client and corporate information.
- Third-Party Risk Management: Security assessments, monitoring, and contractual requirements to manage cybersecurity risks from third-party vendors.
- Training & Awareness: Mandatory cybersecurity training for employees to enhance awareness of cybersecurity threats and compliance requirements.
- Regulatory Compliance & Audit: Regular internal and external cybersecurity audits to assess compliance with applicable regulations, standards, and Company policies.
- Continuous Improvement & Testing: Periodic penetration tests and vulnerability assessments to evaluate cybersecurity risks and enhanced security measures.

Program updates are implemented as needed to address emerging threats and align with evolving industry best practices. The Company uses third-party assessors, auditors, and consultants to independently evaluate security practices through penetration testing, vulnerability assessments, and vendor evaluations. Despite these measures, the Company acknowledges that cybersecurity incidents cannot be fully prevented.

Third-Party Risk Management

Cybersecurity risks posed by third-party vendors and service providers are integrated into the Company’s risk management framework. Vendor security practices, compliance with contractual cybersecurity obligations, and exposure to cybersecurity threats related to external providers are assessed regularly. While these efforts aim to assess and mitigate cybersecurity risks, no security assessment can eliminate all potential risks associated with third-party vendors.

Board Oversight

The Board oversees cybersecurity through the Bank’s Information Technology Committee (“IT Committee”), the Company’s Audit Committee, and the Company’s Risk Committee, aligning cybersecurity practices with the Company’s risk management framework and regulatory requirements. Updates on cybersecurity strategy, risk assessments, and regulatory developments are provided to the relevant committees. The Risk Committee monitors the quality and effectiveness of the Company’s information technology security, and at least annually reviews, appraises, and discusses with management the quality and effectiveness of the Company’s information technology security, data privacy, disaster recovery capabilities and cybersecurity and related risks.

Additionally, the IT Committee reviews quarterly reports regarding the information security program and technology program, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes. Cybersecurity and IT risks are reported to the Board through multiple channels. The IT Committee Chair periodically reports to the Board summarizing key issues, risk assessments, and compliance matters. Additionally, the Director of Technology submits semi-annual reports to the Board, providing insights into ongoing and emerging risks, technology developments, and IT security initiatives. In cases where significant IT or cybersecurity risks arise, such matters are escalated to the Company’s Board through the Chair of the Risk Committee or the Chief Risk Officer, for timely awareness and response.

The IT Committee is chaired by Dr. Yonesy F. Núñez, CISSP, who holds a Doctor of Professional Studies in Computing Information Assurance and Security from Pace University. Dr. Núñez has experience in cybersecurity governance and risk management and currently serves as Chief Information Security Officer (“CISO”) of a Systematically Important Financial Market Utility. His prior roles include CISO at Jack Henry & Associates and senior cybersecurity positions at major financial institutions. The Risk Committee, chaired by a former senior executive from KPMG LLP, who established and led KPMG’s Financial Risk Management practice in the U.S., annually evaluates the effectiveness of the Company’s cybersecurity controls. The Audit Committee selects third-party auditors to conduct cybersecurity audits, penetration tests, and risk assessments. The Committee Chair has expertise in auditing and regulatory compliance within the financial services industry.

Management Oversight

The Company’s cybersecurity operations are overseen by the Director of Technology, who possesses twelve years of experience in cybersecurity management, information technology infrastructure, and risk mitigation. The Director of Technology participates in industry committees, reports to executive management, and updates Board committees and the Board of Directors. Reporting to the Chief Executive Officer, and working with executive leadership, this role supports cybersecurity risk management and helps align it with the Company’s broader risk framework. Issues are elevated to the Board by either the Director of Technology or by the Chairs of the IT Committee and Risk Committee, the Chief Risk Officer, or the CEO.

As of the date of this Annual Report on Form 10-K, the Company has contracted with a third-party firm to provide CISO services, which reports to the Chief Risk Officer and the IT Committee Chair. This engagement allows the Company to access specialized knowledge, industry best practices, and regulatory insights while maintaining flexibility in managing its information security strategy. The external CISO provides guidance and oversight on cybersecurity risk assessments, incident response, and compliance.

Incident Response

As of the date of this Annual Report on Form 10-K, the Company has not identified any cybersecurity incidents materially affecting its business strategy, results of operations, or financial condition. Recognizing that cybersecurity threats continue to evolve, the Company maintains a focus on enhancing its detection, response, and resilience capabilities. The Company cannot assure the prevention of future cybersecurity incidents.

For additional information regarding the risk we face from cybersecurity threats, see the risk factors entitled “The occurrence of fraudulent activity, breaches or failures of our information security controls or cybersecurity-related incidents could have a material adverse effect on our business, financial condition, results of operations, and reputation” and “We also face risks related to cyberattacks and other security breaches involving external, third-party vendors and counterparties” included in Part I, Item 1A. Risk Factors in this Annual Report on Form 10-K.


Company Information

Name: CHAIN BRIDGE BANCORP INC
CIK: 0001392272
SIC Description: National Commercial Banks
Ticker: CBNA - NYSE
Category: Emerging growth company
Fiscal Year End: December 30