LINKBANCORP, Inc. - (LNKB)
10-K Filing Date: March 29, 2024
Cybersecurity is a significant and integrated component of the Company’s risk management strategy. As a financial services company, cyber threats are present and growing, and the potential exists for a cybersecurity incident to occur that could disrupt business operations or compromise sensitive data. The Company takes very seriously its responsibility to protect sensitive client information, technology resources, and shareholder value from the risk of cyber threats and incidents. The Company has not identified any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, financial condition or results of operations. Risks relating to cybersecurity and their potential impact are discussed more fully in “Risk Factors” in Part I, Item 1A herein.
Cybersecurity Risk Management and Strategy
The Company maintains an enterprise-wide and Board-approved Information Security Program (the “Program”), which includes policies, procedures, guidelines and standards to address the assessment, identification and management of cybersecurity risks. The Company designed the Program to be consistent with industry standards that include the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, the Financial Services Sector Cybersecurity Risk (“CRI”) Profile, and the Federal Financial Institutions Examination Council Cybersecurity Assessment. Core activities supporting the Company’s strategy include leveraging people, technology and processes to manage and maintain cybersecurity controls.
People play a significant role in our defense against cybersecurity threats. We have established policies, training, and client education to mitigate cyber risk.
Additionally, we employ innovative technology solutions designed to identify, protect against, detect, and mitigate cybersecurity threats through the use of firewalls, intrusion detection systems, patching, endpoint detection and response, encryption, multi-factor authentication, and data backups to immutable storage.
We regularly engage third-party assessors, auditors, and solutions to test and evaluate our controls for managing cybersecurity threats. These engagements include penetration testing, vulnerability assessments, internal and external audits, security framework maturity assessments for continued focus and improvement, and social engineering tests of the effectiveness of our employee training, all of which help us monitor our security posture. We leverage a managed service provider to monitor user, application, infrastructure, and network activity on a 24/7/365 basis to detect cyber threats and potential cybersecurity events of concern and alert the cybersecurity operations team.
The Company relies on third-party vendor solutions to support its operations; many of these vendors have access to sensitive and proprietary information. We perform a detailed vendor due diligence evaluation during onboarding and periodic reviews of vendors with access to sensitive Company data. The Company requires third-party contracts to incorporate industry- and regulatory-standard clauses requiring the vendor to report to the Company the occurrence and mitigation of cybersecurity threats and incidents and to maintain adequate levels of cybersecurity insurance coverage.
To respond to a cyber incident, the Company created and maintains a Business Contingency Program. This program provides the guidance needed to prepare for, detect, analyze, remediate and recover business operations quickly and with the least impact to the Company and its customers.
Cybersecurity Governance
The Company has established an Information Security Committee consisting of the Chief Operations & Technology Officer, Chief Risk Officer, Information Security Officer and department representatives across multiple functional areas of the Company to focus on cybersecurity strategic and tactical delivery, policy oversight, monitoring of key cybersecurity risk indicators, and the assessment and management of cyber risk threats. The Committee is assisted by a Virtual Chief Information Security Officer (the “vCISO”), a service provided by a contracted third-party security firm. The Committee’s activities support the overall protection of the Company’s data and information assets in accordance with the Information Security Program, regulatory privacy requirements and Federal Financial Institutions Examination Council guidance. The Committee submits a quarterly report, together with the minutes of its meetings, to the Enterprise Risk Management Committee of the Board of Directors.
The Chief Operations & Technology Officer, among other duties, is responsible for the security and integrity of infrastructure, applications and databases and coordinates security implementations, monitoring and enforcement in conjunction with the vCISO and our risk management department. Our Chief Operations & Technology Officer has over 25 years of relevant experience in information technology and information security, building and leading technical organizations of various sizes, including in the banking industry. The vCISO has served in various roles in information technology and information security for 20 years, and holds multiple certifications relevant to cybersecurity, including CMMC (Cybersecurity Maturity Model Certification) and Fortinet NSE (Network Security Expert) level 3.
The Board of Directors receives periodic training related to cybersecurity and annually reviews comprehensive risk assessments of the Company’s information technology, privacy and cybersecurity programs. The Board of Directors formally approves the Company’s cybersecurity policies and program annually, and more frequently if material changes are adopted. Oversight of the Company’s Information Security Program has been delegated to the Enterprise Risk Management Committee of the Board of Directors. The Enterprise Risk Management Committee receives quarterly reports on the effectiveness and overall performance of the cybersecurity program and provides a report of the same to the full Board of Directors.
The Company engages external independent parties to perform independent audit engagements, as well as other assessments of the Company’s information security and third-party risk management program and information systems. Material findings and recommendations arising from these assessments are reported to the Audit Committee of the Board of Directors.