NEW PEOPLES BANKSHARES INC 10-K Cybersecurity GRC - 2025-03-31

Page last updated on March 31, 2025

NEW PEOPLES BANKSHARES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-31 17:30:11 EDT.

Filings

10-K filed on 2025-03-31

NEW PEOPLES BANKSHARES INC filed a 10-K at 2025-03-31 17:30:11 EDT
Accession Number: 0001903596-25-000149


Item 1C. Cybersecurity.

Item 1C. Cybersecurity of this Form 10-K for a discussion of the Company’s cybersecurity risk management, strategy and governance.

Limitations on Incentive Compensation.

The federal bank regulatory agencies have issued comprehensive final guidance on incentive compensation policies intended to ensure that the incentive compensation policies of financial institutions do not undermine the safety and soundness of such institutions by encouraging excessive risk-taking. The Interagency Guidance on Sound Incentive Compensation Policies, which covers all employees that have the ability to materially affect the risk profile of financial institutions, either individually or as part of a group, is based upon the key principles that a financial institution’s incentive compensation arrangements should (i) provide incentives that do not encourage risk-taking beyond the institution’s ability to effectively identify and manage risks, (ii) be compatible with effective internal controls and risk management, and (iii) be supported by strong corporate governance, including active and effective oversight by the financial institution’s board of directors. The Federal Reserve will review, as part of the regular, risk-focused examination process, the incentive compensation arrangements of financial institutions, such as the Company and the Bank, that are not “large, complex banking organizations.” These reviews will be tailored to each financial institution based on the scope and complexity of the institution’s activities and the prevalence of incentive compensation arrangements. The findings of the supervisory initiatives will be included in reports of examination. Deficiencies will be incorporated into the institution’s supervisory ratings, which can affect the institution’s ability to make acquisitions and take other actions. Enforcement actions may be taken against a financial institution if its incentive compensation arrangements or related risk-management control or governance processes pose a risk to the institution’s safety and soundness, and the financial institution is not taking prompt and effective measures to correct the deficiencies. As of December 31, 2024, the Company and the Bank have not been made aware of any instances of noncompliance with this guidance.

Other Laws.

Banks and other depository institutions are also subject to numerous other consumer-oriented laws and regulations. These laws, which include the Truth in Lending Act, the Truth in Savings Act, the Real Estate Settlement Procedures Act, the Electronic Funds Transfer Act, the Equal Credit Opportunity Act, the Fair and Accurate Credit Transactions Act of 2003 and the Fair Housing Act, require compliance by depository institutions with various disclosure and consumer information handling requirements. These and other similar laws result in significant costs and create potential liability for financial institutions, including the imposition of regulatory penalties for inadequate compliance.

Future Regulatory Uncertainty.

Because federal and state regulation of financial institutions changes regularly and is the subject of constant legislative debate, New Peoples cannot forecast how regulation of financial institutions may change in the future and impact its operations. New Peoples fully expects that the financial institution industry will remain heavily regulated notwithstanding the regulatory relief that has been recently adopted.

Item 1A. Risk Factors

Not required.

Item 1B. Unresolved Staff Comments

Not applicable.

Item 1C. Cybersecurity

The Cyber Incident Reporting for Critical Infrastructure Act, enacted in March 2022, requires certain covered entities to report a covered incident to the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) within 72 hours after a covered entity reasonably believes an incident has occurred. Separate reporting to CISA will also be required within 24 hours if a ransom payment is made as a result of a ransomware attack. The SEC adopted a new rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies in 2023, which applies to all public companies subject to the reporting requirements of the Securities Exchange Act of 1934 and requires disclosure of material cybersecurity incidents in Current Reports on Form 8-K and periodic disclosure of cybersecurity risk management, strategy, and governance in Annual Reports on Form 10-K. State regulators have also been increasingly active in implementing privacy and cybersecurity standards and regulations, and many states have recently implemented or modified their data breach notification and data privacy requirements. The Company expects this trend of state-level cybersecurity regulatory activity to continue and continues to monitor these developments.

Risk Management

Our Enterprise Risk Management program (ERM) is designed to identify, assess, and mitigate risks across various aspects of the Company, including financial, operational, regulatory, reputational, and legal. The ERM program includes an annual risk prioritization process to identify key enterprise risks. Each key risk is assigned a risk owner to establish action plans and implement risk mitigation strategies. Cybersecurity is a critical component of this program, given the increasing reliance on technology and potential cyber threats. The Company uses a cybersecurity framework to aid management in understanding, managing, and reducing cybersecurity risk. This framework aids management in identifying gaps within the cybersecurity infrastructure and evaluating the maturity of processes. Cybersecurity frameworks use maturity levels to gauge the strength of cybersecurity controls.

Our information technology and vendor risk management functions assess information technology and cybersecurity third-party providers as part of the initial determination process and then periodically thereafter. We use a variety of methods and tools to assess a third-party vendor’s controls related to cybersecurity threats, including obtaining proof of a provider’s independent testing of data protection controls, imposition of contractual obligations, and reviews of data protection controls such as backups, encryption standards and disaster recovery.

Our Information Security Officer is primarily responsible for this cybersecurity component and is a key member of the risk management organization, coordinating with our Chief Risk Officer, with board oversight through our Information Technology Steering Committee and the Audit Risk and Compliance Committee. Aside from the Information Security Officer, cybersecurity support is provided by our Director of Information Technology and our Chief Information Officer. Each of these persons has over twenty years of financial sector information technology and information security administration and management experience, backed by undergraduate and/or post-graduate degrees in information technology, as well as various information technology and network certifications.

We maintain a comprehensive Business Continuity Management program that includes Business Continuity, Disaster Recovery, and Incident Response planning and testing. This program is designed to minimize the impact of an information security disruption and ensure the Company can return to normal operations in a timely manner. The Information Security Officer is responsible for the administration and management of the program, and key members of management are embedded into the program by its design. At least annually, management identifies an exhaustive list of business functions for each area of the Company, lists resource requirements, and assigns Recovery Time and Point Objectives and a Maximum Tolerable Period of Downtime for each function. Management then completes a comprehensive Business Impact Analysis that prioritizes business functions based on criticality and is used as a guide for business continuity and disaster recovery planning.

We maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification of and escalation to the appropriate Board-approved management committees, and to the Information Technology Steering Committee. The Incident Response Plan facilitates coordination across multiple parts of our organization. Business Continuity, Disaster Recovery, and Incident Response plans are updated and tested at least annually. Management performs a variety of tests on the plans, including tabletop, simulation, and technical testing, to ensure key personnel are prepared, recovery systems and data are viable, and Recovery Time and Point Objectives can be met. Weaknesses identified during testing are monitored until they are fully remediated. The Information Technology Steering Committee provides oversight for the Business Continuity Management Program, which includes ratification of plans and the Business Impact Analysis, plan testing frequency, and remediation of identified weaknesses. The Committee ensures, based on testing, that plans are adequate to meet the Company’s objectives.

We engage various third parties to assist us in identifying, assessing and responding to cybersecurity threats. This includes around-the-clock managed firewall services and managed detection and response services. In addition, we engage third parties to test the vulnerability of our cybersecurity infrastructure on a regular basis, and we have a third-party assessment performed annually. A third party provides social engineering and phishing testing on a subset of bank employees annually. These third-party service providers are in regular contact with our information technology personnel, and we monitor other sources for information that any of these providers may have encountered cybersecurity threats.

All employees receive initial and ongoing training in cybersecurity awareness, including such topics as email protocols, social engineering, phishing tactics and security of Bank-issued computers and other devices. Management regularly conducts phishing testing on all employees and assigns additional training when necessary. Employees with privileged access receive additional relevant training. Key personnel pursue training in their respective disciplines on a continual basis.

In the ordinary course of its business, the Bank relies on electronic communications and information systems to conduct its operations and to store sensitive data, and employs a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected advanced persistent threats. Notwithstanding these defensive measures, the threat from cybersecurity attacks is severe, attacks are sophisticated and increasing in volume, and attackers respond rapidly to changes in defensive measures. Our internal systems, processes, and controls are designed to mitigate loss from cyber-attacks and, while we have experienced cybersecurity incidents in the past, to date, risks from cybersecurity threats have not materially affected our company. The Bank’s systems and those of its customers and third-party service providers are under constant threat, and it is possible that we could experience a future significant event. The Bank expects risks and exposures related to cybersecurity attacks to remain high for the foreseeable future.


Company Information

Name: NEW PEOPLES BANKSHARES INC
CIK: 0001163389
SIC Description: State Commercial Banks
Ticker: NWPP - OTC
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30