Finward Bancorp - (FNWD)
10-K Filing Date: March 28, 2024
Our Board of Directors has delegated primary responsibility for oversight of cybersecurity risk management to the Risk Management Committee of the Board. The Committee receives quarterly reports from the Chief Information Security Officer (CISO) and the Chief Risk Officer (CRO) and reviews them with those officers. These reports are made available to all board members concurrently. The CRO’s report includes an evaluation of the level of cybersecurity risks and the strength of mitigating controls. All board members are invited to attend the portion of the Committee’s meetings in which risk management reports from management (e.g., the CRO, CISO, Chief Compliance Officer) are reviewed.
Our processes for assessing, identifying, and managing material risks from cybersecurity threats are based on examination guidance published by the Federal Financial Institutions Examination Council (FFIEC), an interagency body established under the Financial Institutions Regulatory and Interest Rate Control Act of 1978. Consistent with FFIEC guidance, the Bank selected and adheres to the risk management framework established by the Cybersecurity Risk Institute known as the “CRI Profile.” The CRI Profile is based primarily on the well-known National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity” and is tailored to ensure that the expectations of financial institution regulators are met. Our processes are designed to meet standards for all seven CRI Profile functions – governance, identification, detection, protection, response, recovery, and supply chain dependency management. In addition, we adhere to security standards set by the PCI Security Standards Council, which are designed to ensure secure payments globally.
Risks from cybersecurity threats, including risks identified from previous cybersecurity incidents, have required significant investments over time in maturing our Information Security Program and in attracting and retaining personnel with the requisite experience and expertise. In particular, the CISO has substantial relevant expertise in the financial services industry and formal training in the areas of information security and cybersecurity risk management. We will need to continue to make meaningful investments in cybersecurity controls for continuous improvement and maturation in response to constantly evolving cybersecurity threats. Cybersecurity threats will continue to be endemic to the financial services industry for the foreseeable future.