Page last updated on March 27, 2025
Richmond Mutual Bancorporation, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-27 17:13:34 EDT.
Filings
10-K filed on 2025-03-27
Richmond Mutual Bancorporation, Inc. filed a 10-K at 2025-03-27 17:13:34 EDT
Accession Number: 0001767837-25-000006
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
The Company’s Information Security Program (“ISP”) is a robust framework overseen by the Information Technology Board Committee (“ITBC”) and the IT Steering Committee (“ITSC”). These committees play a pivotal role in managing technology and cyber risks, ensuring compliance with regulatory requirements, and fostering a controlled risk environment. The ITBC meets quarterly, while the ITSC meets monthly. Meeting minutes from the ITSC are regularly submitted to the Board for review. These two committees jointly oversee the organization’s information technology and cyber risk posture, focusing on the assessment of information and cybersecurity risks. Evaluated risks are subject to rigorous controls, ensuring both design and operational effectiveness and adherence to regulatory requirements. In instances where a risk is identified as inadequately controlled, remediation measures are implemented to reduce the risk to an acceptable level. This commitment to ongoing assessment and responsiveness enhances our ability to adapt to emerging threats and maintain a proactive stance in managing risks effectively.
The identification of risks is a multifaceted process that involves a range of activities. This includes monitoring of guidance issued by regulatory authorities, participating in professional forums, conducting both internal and external audits, collaborating with third-party services, reviewing policies, and adhering to best practice frameworks including Federal Financial Institutions Examination Council (“FFIEC”) guidance and information security requirements established in the Gramm-Leach-Bliley Act, along with other relevant state laws and agency regulations. For instance, as part of our risk management framework, we regularly assess phishing threats targeting employees, conduct simulated attack exercises, and implement enhanced endpoint detection solutions.
Furthermore, we emphasize the importance of maintaining a collaborative relationship with third-party service providers/vendors. This collaborative approach enhances our risk management capabilities and ensures a shared commitment to maintaining a secure information environment. Moreover, our commitment to robust risk management extends to the maintenance of a comprehensive Security Incident Response Plan (“SIRP”). This SIRP serves as a framework for effectively addressing and mitigating security incidents. Within this plan, we integrate accessible resources to fortify our response capabilities. This includes establishing collaborative partnerships with insurance providers, regulatory agencies, and law enforcement agencies, ensuring a seamless and coordinated approach in the event of a security incident. Recognizing the interdependence of our practices with service providers and vendors, we actively engage with our partners during the notification and investigation processes following a security incident. This collaborative effort is designed to foster complete visibility into the nature and scope of security risks and events, enabling a unified and effective response. In addition to incident response, the Company implements robust data protection measures, including encryption protocols, multi-factor authentication, and data loss prevention controls, to safeguard sensitive information. To ensure we can keep our operations running smoothly, we maintain and regularly test our business continuity and disaster recovery plans. These measures help minimize disruption and ensure a swift recovery in the event of a cybersecurity incident. Our SIRP is dynamic and adaptable, evolving in tandem with the ever-changing cybersecurity landscape. By regularly updating and refining our response strategies, we remain prepared to confront emerging threats.
The Company also maintains a cyber insurance policy as part of its overall risk management strategy to mitigate financial losses in the event of a cybersecurity incident. As of the reporting period, the Company has not experienced any material cybersecurity events or incidents. Although third-party service providers have encountered cybersecurity events or incidents, these occurrences have not resulted in a material impact on our systems, computing environments, or data. In determining materiality, the Company evaluates factors such as potential financial loss, operational disruptions, regulatory implications, and reputational harm. The Company remains committed to enhancing its cybersecurity defenses through ongoing risk assessments, investment in technology, and adherence to industry best practices.
Governance
Our Board, supported by the ITBC and the ITSC, actively oversees our processes for management of cybersecurity risks and threats. The Board’s responsibilities include the ongoing administration of the ISP, conducting an annual review, and granting approval. Regular reviews of reports by both the Board and the ITBC, submitted by the ITSC, ensure timely awareness of emerging concerns and facilitate continuous enhancements to our cybersecurity posture. In addition to governance oversight, the Board designates key roles crucial for effective cybersecurity management. This includes appointing the Information Security Officer (“ISO”), Chief Information Officer (“CIO”), and Chief Compliance Officer (“CCO”). The ISO and CIO roles are filled jointly by one individual, who has been with the organization for 20 years with over 25 years of experience in information technology. Our Chief Compliance Officer has been with the organization for over 37 years, with over 15 years of experience in compliance. These professionals bring diverse qualifications, certifications, and experience, ensuring a comprehensive approach to our information security initiatives.
These qualifications and certifications include Certified Information Security Manager (CISM) and Certified Banking Security Manager (CBSM). Our governance structure ensures a comprehensive approach to managing cybersecurity risks and threats, aligning with the Board-approved ISP. The ITBC, which is comprised of several Board members, the CIO, ISO, Chief Executive Officer and Chief Operating Officer, is responsible for establishing and updating the Company’s Risk Appetite Statement. The ITSC, appointed by the Board of Directors and comprised of the CIO, ISO, CCO and various other representatives from each area of the Bank, is responsible for overseeing ISP compliance. This involves delineating lines of responsibility and accountability for information security risk management decisions. The ITSC also reviews and approves significant changes to our control environments, ensuring that outside independent organizations conduct annual vulnerability assessments and penetration tests. Furthermore, they examine reports submitted by the ISO. The ISO is responsible for reporting, at least annually, to the Board of Directors on the status of the ISP, including overall compliance, risk management, vendor management, audit and testing results, breaches and incidents, and recommended updates to the ISP. The Board also receives quarterly cybersecurity briefings that include updates on emerging threats, results of cybersecurity risk assessments, and the effectiveness of current controls. These discussions inform strategic decision-making and resource allocation for cybersecurity investments.
Company Information
| Field | Value |
| --- | --- |
| Name | Richmond Mutual Bancorporation, Inc. |
| CIK | 0001767837 |
| SIC Description | State Commercial Banks |
| Ticker | RMBI - Nasdaq |
| Website | |
| Category | Emerging growth company |
| Fiscal Year End | December 30 |