Page last updated on March 26, 2025
JUNIATA VALLEY FINANCIAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-26 15:42:27 EDT.
Filings
10-K filed on 2025-03-26
JUNIATA VALLEY FINANCIAL CORP filed a 10-K at 2025-03-26 15:42:27 EDT
Accession Number: 0001558370-25-003701
Item 1C. Cybersecurity.

Risk Management and Strategy

Juniata’s risk management program is designed to identify, assess and mitigate risks across various aspects of the Company, including credit, market, treasury, operational, compliance and reputational. Cybersecurity is a critical component of this program, given the increasing reliance on technology and the potential for a cybersecurity incident to occur, which could disrupt business operations or compromise sensitive data. Juniata’s Information Security Officer (“ISO”) and SVP/IT Manager are primarily responsible for the cybersecurity component of the risk management program and are key members of the organization, both of whom have a clear line of reporting directly to the Board of Directors and are involved with management’s Information Technology (“IT”) Steering Committee. To date, the Company has not, to its knowledge, experienced an incident materially affecting or reasonably likely to materially affect the Company.

Juniata’s policies, standards, processes and practices for assessing, identifying and managing material risks from cybersecurity threats are based on the framework established by the Federal Financial Institutions Examination Council (“FFIEC”) Guidelines and Cybersecurity Assessment Tool (“CAT”), which consists of controls designed to identify, protect, detect, respond to and recover from information and cyber security incidents. The FFIEC CAT tool will no longer be updated after August 31, 2025; therefore, JVB will replace this tool with another tool such as the NIST 2.0 standard. To prepare for and respond to incidents, the Company has implemented a multi-layered cybersecurity program that is intended to comply with the Gramm-Leach-Bliley Act, 12 CFR 364, Appendix B, integrating people, technology, and processes.
The program includes company-wide employee training, the use of innovative technologies, and the implementation of policies and procedures in the areas of information security, data governance, business continuity and disaster recovery, privacy, third-party risk management and incident response. Juniata’s objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse its systems or information. The information security program is periodically reviewed by the Company’s SVP/IT Manager and ISO with the goal of addressing changing threats and conditions. The Company also employs a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. The Company has established processes and systems designed to mitigate cyber risk, including regular and ongoing education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests. Juniata engages in regular assessments of its infrastructure, software systems, and network architecture, using internal cybersecurity experts and third-party specialists. The Company also actively monitors its email gateways for malicious phishing email campaigns and remote connections, as some of its workforce has the option to work remotely.

The Company relies on third-party vendor solutions to support its operations. Many of these vendors, particularly in the financial services industry, have access to sensitive and proprietary information. To mitigate the operational, informational and other risks associated with the use of vendors, the Company maintains a Vendor Management Policy, which includes a detailed onboarding process and periodic reviews of vendors with access to sensitive Company data.
The Vendor Management Policy applies to any business arrangement between the Company and another individual or entity, by contract or otherwise, in compliance with the FFIEC guidelines for third-party risk management. The Vendor Management Policy is audited periodically in accordance with the Board of Directors-approved Internal Audit plan. Juniata leverages internal and external auditors and independent external partners to periodically review its processes, systems and controls, including with respect to its information security program, to assess their design and operating effectiveness and make recommendations to strengthen its information security and risk management programs. Regular internal monitoring is integral to the Company’s risk assessment process, which includes regular testing of internal key controls, systems and procedures. In addition, independent third-party penetration testing of the effectiveness of security controls and preparedness measures is conducted at least annually, or more often if warranted by the risk assessment or other external factors. Management determines the scope and objectives of the penetration analysis.

The Company maintains a Business Continuity Plan (the “Plan”) that provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification of and escalation to the appropriate Board of Directors-approved management committees, as discussed further below, and to the IT Steering Committee. The Plan is coordinated through the SVP/IT Manager and ISO, and key members of management are embedded into the Plan by its design. The Plan facilitates coordination across multiple parts of the Company and is evaluated at least annually.
Integral elements of the Plan related to the Company’s response to cyber security vulnerabilities include the following:

● Identifying the appropriate team and any appropriate sub-teams to address specific information and/or cyber security incidents, or categories of information and/or cyber security incidents;
● Coordinating incident response or crisis management activities, including developing, maintaining, and following appropriate procedures to respond to and document identified information and/or cyber security incidents;
● Conducting post-incident reviews to gather feedback on information and/or cyber security incident response procedures and address any identified gaps in security measures;
● Providing company-wide training and conducting periodic exercises to promote employee and stakeholder preparedness and awareness of the Plan; and
● Reviewing the Plan at least annually, or whenever there is a material change in the Company’s business practices that may reasonably affect its cyber incident response procedures.

Governance

Management has overall responsibility for risk oversight. The Company’s SVP/IT Manager is accountable for managing enterprise information security and delivering the information security program. These responsibilities include cybersecurity risk assessment, defense operations, cyber incident response, vulnerability assessment, threat intelligence, identity access governance, and the evaluation of third-party risk management and business resilience as it relates to the cybersecurity program. The foregoing responsibilities are covered on a day-to-day basis by the SVP/IT Manager and ISO. The ISO has substantial relevant expertise and formal training in the areas of information security and cybersecurity risk management, including 23 years of cybersecurity experience, 19 of which have been spent at a CPA firm specializing in banking industry financial and information technology audits.
The ISO provides guidance, oversight, monitoring and challenge of the first line’s activities. The second line of defense function is separated from the first line of defense function through organizational structure and ultimately reports directly to the Board of Directors. The IT Steering Committee focuses on technology and business impact and is responsible for overseeing the Company’s information security and technology programs, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. The ISO and SVP/IT Manager provide quarterly reports to the IT Steering Committee regarding the information security program and the technology program, key enterprise cybersecurity initiatives and other matters relating to cybersecurity processes. The IT Steering Committee reviews and approves the information security and technology budgets and strategies annually. The IT Steering Committee focuses on the identification, monitoring, assessment, and management of risk associated with the Company’s cyber and information security programs. The IT Steering Committee reviews key metrics summarizing the Company’s cyber security risk profile on a quarterly basis. Both the IT Steering Committee and the Board of Directors provide oversight and governance of the technology program and the information security program. Both committees meet at least quarterly to provide oversight of the risk management strategy, standards, policies, practices, controls, and mitigation and prevention efforts employed to manage security risks. More frequent meetings occur from time to time in accordance with the Incident Response Plan (part of the Plan) to facilitate timely informing and monitoring efforts. 
The ISO reports summaries of key issues, including significant cybersecurity incidents discussed at committee meetings and the actions taken to the IT Steering Committee on at least a quarterly basis, or more frequently as may be required by the Incident Response Plan, and to the Board of Directors on at least an annual basis. Additionally, the ISO reports directly to the Board of Directors, at least annually, the overall status of the Information Security Program and the Company’s compliance with the Interagency Guidelines for Safeguarding Customer Information. Any material findings related to the risk assessment, risk management and control decisions, service provider arrangements, results of testing security breaches or violations are discussed, as are management’s responses and any recommendations for program changes.
Company Information
| Name | JUNIATA VALLEY FINANCIAL CORP |
| CIK | 0000714712 |
| SIC Description | State Commercial Banks |
| Ticker | JUVF - OTC |
| Website | |
| Category | Non-accelerated filer; Smaller reporting company |
| Fiscal Year End | December 30 |