Embassy Bancorp, Inc. - (EMYB)

10-K Filing Date: March 28, 2024
Item 1C. CYBERSECURITY.

Our operations are dependent on our information technology systems, and the systems of our third party partners, upon which we rely, to maintain our ability to access, store, and transmit sensitive information in a secure manner. One of the primary risks to which we are exposed is the risk that our information systems are compromised, either deliberately or unintentionally, and that sensitive information is disclosed, misused or corrupted, or our operations are disrupted. Such an incident could result in a number of adverse consequences, including disruptions in customer relationship management, system damage, remediation costs, litigation, and reputational damage. We maintain an information security and governance program that is designed to protect our information systems against such risks.

Risk Management and Strategy

The Company recognizes the significance of such risks, and cybersecurity is a critical component of our overall risk management program. In order to combat and mitigate the impact of any unauthorized access to or attack on our information systems, we have implemented policies and procedures designed to assess, identify, and manage material risks arising from cybersecurity threats. Additionally, because we rely on third parties to provide services that are integral to our operations, we have procedures in place to assess a technology provider’s cybersecurity controls prior to establishing a contractual relationship and to periodically review assessments of those systems. Whenever possible, we include cybersecurity requirements in our contracts with such providers, which typically include agreed-upon security standards and protocols and our right to obtain periodic reports or assessments of such provider’s compliance therewith.


Our cybersecurity program provides a framework for compliance with applicable cybersecurity and data protection laws. Our program is designed to ensure the security and confidentiality of customer, employee and Company information, protect against known or evolving threats to the security or integrity of customer records and personal information, and protect against unauthorized access to or use of such information. We work with third-party reviewers of cybersecurity programs, regulators, and third-party service providers to ensure that these policies are adequately designed to appropriately safeguard such information. The Company’s policies and procedures include, but are not limited to:

Information Systems and Cyber Security Policy

Patch and Change Management

Cyber Incident Response Policy and Testing

Annual NIST Risk Assessments

Business Continuity and Disaster Recovery Plans and Testing

Annual CIS Benchmarks Assessments

Vendor Risk Management Policies

Access to Threat Intelligence

Remote Access Policy

Dark Web Monitoring

Customer Facing Technology Risk Assessments

Cyber Risk Insurance Policy

Cyber Security Awareness Training

Physical Security Policy

Vulnerability Assessments

The Company uses a layered security structure of processes and technologies to detect, prevent, mitigate, monitor and respond to cybersecurity threats.

Employees undergo cybersecurity training during orientation. Employees and board members receive annual training to promote cybersecurity awareness. All employees are required to abide by our cybersecurity and data protection policies.

To date, the Company has not experienced a material cybersecurity incident.

Governance

Cybersecurity and data protection are essential for the Company to maintain the trust of our customers, team members and stakeholders. The Board of Directors is ultimately responsible for overseeing the Company’s management of cybersecurity risk, including oversight of appropriate risk mitigation strategies, processes, systems, and controls.

The Company has an IT Team and a Cyber Incident Response Team made up of senior managers of the bank and led by the Chief Operating Officer (COO), the Information Security Officer (ISO) and the Security Officer (SO). The COO, ISO and SO are primarily responsible for assessing and managing material risks from cybersecurity threats and are responsible for designing, implementing and maintaining our cybersecurity environment and incident response procedures. The IT Team is responsible for ensuring the Board of Directors and employees are trained annually on cybersecurity and information security awareness and apprised of any emerging threats. Additionally, the IT Team ensures employees are adequately trained on our incident response procedures.

The ISO and SO report to the COO, and monthly written cybersecurity reports are presented to the Board of Directors. At least annually, the IT Team leadership and members of the Audit Committee and Board meet to review and, as appropriate, adapt our cybersecurity program to an evolving landscape of emerging threats, evaluate the effectiveness of key security controls, assess cybersecurity best practices, and adopt the annual cybersecurity strategy. A written cybersecurity report and briefing to the full Board is conducted on an annual basis. These reports cover, but are not limited to, the Company’s cybersecurity environment, threats, material cybersecurity risks and events, improvements and effectiveness, the results of periodic testing (both internal and external), and other material matters related to the cybersecurity program.