Page last updated on March 31, 2025
Provident Bancorp, Inc. /MD/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-31 16:45:41 EDT.
Filings
10-K filed on 2025-03-31
Provident Bancorp, Inc. /MD/ filed a 10-K at 2025-03-31 16:45:41 EDT
Accession Number: 0001437749-25-010234
Item 1C. Cybersecurity.
Risk Management and Strategy
As part of our overall Enterprise Risk Management strategy, we maintain a robust Information Technology and Security Management Program (“ITSM”), which includes processes to assess, identify, monitor and manage cybersecurity risks. The program includes provisions for annual cybersecurity risk assessments, ongoing monitoring and testing, as well as annual training for employees, executives, and Board Members. We use the Federal Financial Institutions Examination Council’s (“FFIEC”) cybersecurity assessment tool to identify risks and ascertain cybersecurity preparedness and the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework to benchmark our internal policies and procedures against best practices. We engage consultants and auditors to assist in the completion of our annual risk assessment and review of controls related to the ITSM.
The Company also maintains a robust Vendor Risk Management program to manage risks related to third-party relationships in a manner that is consistent with the Company’s strategic goals, organizational objectives, and risk appetite. This includes comprehensive risk and control assessments with respect to the appropriate safeguarding of sensitive information.
We maintain cybersecurity insurance coverage to mitigate potential financial impacts from cyber incidents, such as data breaches and system disruptions. However, such insurance may not cover all types of damages, and we cannot guarantee that our coverage will be sufficient to fully protect us from the financial consequences of a cyberattack.
To date, there have been no cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect the Company, the Bank, our business strategy, results of operations, or financial condition.
Governance
The Board of Directors is responsible for overseeing the development, approval, implementation and maintenance of the ITSM, including overseeing the program’s execution in accordance with the overall strategic goals of the Bank. The Board conducts oversight, in part, through the use of committees. The Risk Management Committee (“RMC”) of the Board of Directors is charged with monitoring and reviewing risk assessments, assurance, testing, and training as well as overseeing the correction of identified deficiencies as they relate to the ITSM.
The Company’s Information Security Team is comprised of the information security officer (“ISO”) and a cyber-risk analyst. With input from the Information Technology and Risk departments, the Information Security Team is responsible for incident management, disaster recovery, business continuity and cybersecurity programs and policies. The Bank’s Incident Response Manual and Cyber Incident Policy outline how potential cybersecurity threats or incidents are communicated to the RMC. The RMC is responsible for determining if cybersecurity incidents or threats should be escalated to the Board of Directors. The Information Security Team and the RMC work together to mitigate cybersecurity threats or incidents.
The ISO is responsible for cybersecurity under the ITSM and holds a Certified Information Security Manager certification and was a former Chief Information Security Officer (“CISO”) for the United States segment of a multi-national bank. The ISO reports directly to the Executive Vice President, Chief Risk Officer of the Bank who is a member of the executive team. The Chief Operating Officer, who is a member of the executive team, is a former CISO and holds both a Certified Fraud Examiner and Certified Information Security Manager certification. The Chair of the RMC of the Board also has multiple certifications in information and cybersecurity, including a Certified Information Systems Security Professional certification.
Company Information
Name | Provident Bancorp, Inc. /MD/ |
CIK | 0001778784 |
SIC Description | Savings Institutions, Not Federally Chartered |
Ticker | PVBC - Nasdaq |
Website | |
Category | Non-accelerated filer Smaller reporting company |
Fiscal Year End | December 30 |