NB Bancorp, Inc. - (NBBK)

10-K Filing Date: March 28, 2024
ITEM 1C. Cybersecurity

The Company recognizes the importance of cybersecurity and the potential risks posed to our business operations, financial performance, and reputation. Cybersecurity is a significant and integrated component of the Company’s risk management strategy. As a financial services company, cyber threats are present and growing, and the potential exists for a cybersecurity incident to occur, which could disrupt business operations or compromise sensitive data. To date, the Company has not, to its knowledge, experienced an incident materially affecting or reasonably likely to materially affect the Company. Cybersecurity risks and threats include, but are not limited to, unauthorized access, use, disclosure, modification, or destruction of our information systems, data, or network; denial of service attacks; malware; ransomware; phishing; social engineering; and cyberattacks by hackers, state-sponsored actors, or other malicious third parties and is compounded by the advent and availability of artificial intelligence (“AI”) tools.

To prepare and respond to incidents, the Company has implemented a multi-layered cybersecurity strategy, integrating people, technology, and processes. This includes establishing a cybersecurity risk management framework that aligns with industry standards and best practices provided by the National Institute of Standards and Technology (“NIST”), employee training, the use of innovative technologies, and the implementation of policies and procedures in the areas of Information Security, Data Governance, Business Continuity and Disaster Recovery, Privacy, Third-Party Risk Management, and Incident Response that ensure compliance with applicable laws, regulations and obligations, such as the Gramm-Leach-Bliley Act (“GLBA”), the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity Assessment Tool, and the Ransomware Self-Assessment Tool (“RSAT”). Additionally, we have implemented various technical measures to prevent, detect, and respond to cybersecurity incidents, such as firewalls, third-party managed detection & response services, encryption, authentication, backup and recovery solutions. The Company engages third-party consultants and independent auditors to, among other things, conduct penetration tests and perform cybersecurity risk assessments and audits to regularly evaluate our cybersecurity posture in conjunction with obtaining cybersecurity insurance coverage to mitigate the potential financial impact of cybersecurity incidents.

The Board Enterprise Risk Management (“ERM”) Committee provides governance oversight of all risks faced by the Company, including cybersecurity and information technology general controls. The Chief Information Officer (“CIO”) manages the IT Department and reports to the Board Risk Committee and Chief Risk Officer (“CRO”) on these matters. The CIO also supervises the Information Security Officer (“ISO”) who is responsible for implementing and maintaining the Company’s Information Security Program. The Information Security Program, which is governed by various information security and cybersecurity, systems development, change control, disaster recovery/business continuity and physical asset classification and control policies. Additional cybersecurity training to the ERM Committee is provided and overseen by the CRO and CIO. The Information Security Program identifies data sources, threats and vulnerabilities and ensures awareness, accountability, and oversight for data protection throughout the Company and with trusted third parties to ensure that data is protected and able to be recovered in the event of a breach or failure (technical or other disaster). The Information Security Department conducts on-going technology and IT threat meetings to ensure the latest threats are addressed in addition to external and internal penetration testing, business continuity/ disaster recovery testing, and incident response plan testing. The CIO is a member of various management committees, chairs the Company’s management-level Information Technology Steering Committee, and presents information security and cybersecurity updates on a regular basis to the Company’s ERM Working Group, which consists of members of management, including the Chairman, President and Chief Executive Officer, Chief Operating Officer, and other senior leaders in the Company. The ERM Working Group is responsible for identifying and assessing cybersecurity risks, developing and implementing risk mitigation strategies that align with the Bank’s corporate strategies, and ensuring compliance with applicable laws and regulations. The Bank’s IT Steering Committee in conjunction with the Bank’s PMO oversees the development and implementation of our cybersecurity strategy, financial planning, and capital allocation.

54

The ERM Working Group provides executive management oversight, from a risk perspective, of information systems security. As referenced above, the CIO provides information security updates to the ERM Working Group at each meeting. In addition, as discussed below, the Company has implemented an Incident Response Plan to provide a structured and systematic incident response process for information security incidents that affect any of the information technology systems, network, or data of the Company. The Incident Response Plan is implemented and maintained by the CIO and ISO and is subject to annual review and approval by the ERM Working Group. Cybersecurity metrics are reported to both management level committees and the ERM Committee and ERM Working Group on a quarterly basis.

The Board of Directors recognizes the importance of the FFIEC for Safeguarding Customer Information and has incorporated those elements in its ongoing oversight of the Information Security Program.

We continually monitor and evaluate the evolving cybersecurity landscape and the potential impact of cybersecurity incidents on our business. We may incur additional costs to enhance our cybersecurity processes and controls, to comply with new or changing laws, regulations, or contractual obligations, or to respond to or recover from cybersecurity incidents. We may also experience reputational harm or loss of customer confidence or trust as a result of cybersecurity incidents. Any of these factors could have a material adverse effect on our business, financial condition, results of operations, and reputation.

Despite our efforts to enhance our cybersecurity posture, we cannot guarantee that our processes and controls will be sufficient to prevent or mitigate all cybersecurity risks and threats that we face. We may experience cybersecurity incidents that result in unauthorized access, use, disclosure, modification, or destruction of our information systems, data, or network; disruption or degradation of our operations; loss of customers or business opportunities; regulatory investigations or enforcement actions; litigation or liability; reputational damage; or increased costs.

Risk Assessment. On a periodic basis, but not less than annually, the CIO and ISO, in conjunction with Enterprise Risk Management, identifies and documents internal and external vulnerabilities that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer records. Based on the results of the risk assessment, the Company’s Information Security Program may be revised to protect against any anticipated threats or hazards to the security or integrity of such information. The IT Steering Committee reviews changes to the program designed to monitor, measure, and respond to vulnerabilities identified.

Response to Security Vulnerabilities. In response to identified risks, management may take certain steps to correct and respond to security vulnerabilities, which may include:

Eliminating unwarranted risks by applying vendor-provided software fixes, commonly called patches.
Ensuring that changes to security configurations are documented, approved, and tested.
Ensuring that exploitable files and services are assessed and removed or disabled based upon known vulnerabilities and business needs.
Updating vulnerability scanning and intrusion detection tools to identify known vulnerabilities and related unauthorized activities.
Investing in additional technologies or resources to aid in the evaluation, identification and mitigation of risks.
Conducting subsequent penetration testing and vulnerability assessments, as warranted.
Reviewing performance with service providers to ensure security maintenance and reporting responsibilities are operating according to contract provisions and that service providers provide notification of system security breaches that may affect the Company.

55

Internal Controls, Audit, and Testing. Regular internal monitoring is integral to the Company’s risk assessment process, which includes regular testing of internal key controls, systems, and procedures. In addition, independent third-party penetration testing to test the effectiveness of security controls and preparedness measures is conducted at least annually or more often, if warranted by the risk assessment or other external factors. Management determines the scope and objectives of the penetration analysis, which may identify additional risks or require additional costs to remediate.

Service Providers. The Company relies, in part, on third-party vendor solutions to support its operations. Many of these vendors, especially in the financial services industry, have access to sensitive and proprietary information. In order to mitigate the operational, informational and other risks associated with the use of vendors, the Company maintains a Vendor Risk Management Program, which is implemented through a Vendor Risk Management Policy and includes a detailed onboarding process and periodic reviews of vendors with access to sensitive Company data. The Vendor Risk Management Policy applies to any business arrangement between the Company and another individual or entity, by contract or otherwise, in compliance with the Interagency Guidance on Vendor Relationships: Risk Management. The Vendor Risk Management Program is audited as part of the Company’s annual Internal Audit Risk Assessment.

Employees and Training. Employees are the first line of defense against cybersecurity measures. Each employee is responsible for protecting Company and client information. Employees are provided training at initial onboarding and thereafter regarding information security and cybersecurity-related policies and procedures applicable to their respective roles within the organization. In addition, employees are subjected to regular simulated phishing assessments, designed to sharpen threat detection and reporting capabilities. In addition to training, employees are supported with solutions designed to identify, prevent, detect, respond to, and recover from incidents. Notable technologies include firewalls, intrusion detection systems, security automation and response capabilities, user behavior analytics, multi-factor authentication, data backups to immutable storage and business continuity applications. Notable services include security monitoring and response, continuous vulnerability scanning, third-party monitoring, and threat intelligence.

Board Reporting. At least annually, the CIO reports to the Board, directly or through the Enterprise-Wide Risk Management Committee, the overall status of the Information Security Program and the Company’s compliance with the Interagency Guidelines for Safeguarding Customer Information. Any material findings related to the risk assessment, risk management and control decisions, service provider arrangements, results of testing, security breaches or violations are discussed as are management’s responses and any recommendations for program changes.

Program Adjustments. The CIO monitors, evaluates, and adjusts the Information Security Program considering any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.

Incident Response Plan. To ensure that information security incidents can be recovered from quickly and with the least impact to the Company and its customers, the Company maintains a structured and systematic incident response plan (the “IRP”) for all information security incidents that affect any of the IT systems, network, or data of the Company, including the Company’s data held, or IT services provided by third-party vendors or other service providers. The CISO is responsible for implementing and maintaining the IRP, which includes:

Identifying the incident response team (“IRT”) and any appropriate sub-teams to address specific information security incidents, or categories of information security incidents.
Coordinating IRT activities, including developing, maintaining, and following appropriate procedures to respond to and document identified information security incidents.
Conducting post-incident reviews to gather feedback on information security incident response procedures and address any identified gaps in security measures.

56

Providing training and conducting periodic exercises to promote employee and stakeholder preparedness and awareness of the IRP.
Reviewing the IRP at least annually, or whenever there is a material change in the Company’s business practices that may reasonably affect its cyber incident response procedures.
Report up to the Executive Incident Response Committee, as needed.