AMERISERV FINANCIAL INC /PA/ - (ASRV)

10-K Filing Date: March 27, 2024

ITEM 1C. CYBERSECURITY

The Company maintains comprehensive and continually evolving processes for assessing, identifying, and managing material risks from cybersecurity threats, including any potential unauthorized occurrence on, or conducted through, the Company’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of such systems or any information residing on such systems. The processes relating to cybersecurity threats are integrated into the Company’s overall risk management processes, which are overseen by the Board of Directors.

Risk Management and Strategy

The Company’s Enterprise Risk Management Policy assists the Board of Directors and management in clarifying their tolerance for identifying those credit, market, liquidity, operational, legal, compliance, strategic, reputation and security (information and physical) risks that have the potential to cause material financial harm to the institution, as well as describing a methodology for determining the proper level of controls to manage and mitigate those risks. Cybersecurity is a critical component of risk management, given the increasing reliance on technology and the increasing cybersecurity threat landscape. The Information Security Program is built on the Federal Financial Institutions Examination Council (FFIEC) IT Handbooks, National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Center for Internet Security (CIS) Cybersecurity Controls (CSC), and industry best practice. The Information Security Program utilizes a defense in depth strategy that leverages multiple security measures to protect Company assets and information.

The Board of Directors is responsible for overseeing management’s development and execution of the Company’s risk management process. Risk management is administered by a senior management team called the Management Enterprise Risk Committee (MERC). Periodic risk assessments are performed to identify technical and physical risks to information systems. These risk assessments identify internal and external threats that could cause a cybersecurity incident, assess the likelihood and potential impact of those threats, and assess the measures and controls in place to manage the risks. As per FFIEC guidance, a Change Management Policy and Committee are in place to manage changes to technology and systems. Information Security is a member of this Committee to evaluate changes for information security impact.

The Company leverages internal and external auditors to periodically review information technology and information security policy, processes, and controls to ensure they meet regulatory compliance and operate effectively. Independent penetration testing is performed annually.

The Company maintains an Incident Response Plan and a Crisis Communication Plan that provide documented guidelines for handling potential threats and taking appropriate measures including timely notification of cybersecurity threats and incidents to senior management and the Board of Directors when appropriate. The Incident Response Plan is managed by the Chief Information Security Officer (CISO) and is reviewed and tested at least annually. The Crisis Communication Plan, managed by the Director of Marketing and Alternative Delivery, is reviewed and tested at least annually.

The Company uses third-party vendors to assist in monitoring, detecting, and managing cyber threats, including managed security service monitoring, penetration testing and vulnerability assessment. The Management Enterprise Risk Committee has established risk management guidelines for third-party vendors. Through the Vendor Management Committee, the Company conducts due diligence reviews of third-party vendors before contracts or agreements for provision of services are signed and conducts ongoing due diligence and oversight procedures with the frequency of the procedures determined based on a risk assessment of the services provided. Generally, the Company’s agreements with service providers include requirements related to cybersecurity and data privacy. All such agreements are reviewed periodically. The Company cannot guarantee, however, that such agreements, due diligence, and oversight procedures will prevent a cybersecurity incident from impacting information systems. Moreover, as a result of applicable laws and regulations or applicable contractual provisions, the Company may be held responsible for cybersecurity incidents attributed to its service providers in relation to any data that the Company shares with such providers.

Notwithstanding our efforts at cybersecurity, no system of prevention is impenetrable, and we cannot guarantee that we will be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. To date, the Company has not detected any material cybersecurity incident to our own systems. However, during the second quarter of 2023, a prominent third-party vendor experienced a cybersecurity incident due to a previously unknown (i.e., zero-day) vulnerability in a popular file sharing software the vendor used called MOVEit Transfer. For further information regarding this incident, please see our Quarterly Report on Form 10-Q for the quarter ended June 30, 2023 filed on August 10, 2023 and our Quarterly Report on Form 10-Q for the quarter ended September 30, 2023 filed on November 9, 2023. Future cybersecurity incidents could, however, materially affect our business strategy, results of operations, or financial condition.

Governance

The Company’s information technology resources are managed by the Information Technology Department, which is responsible for the first line of defense – identifying, assessing, and managing material risks from cybersecurity threats. The Information Technology Department is managed by the Chief Information Officer (CIO), who reports to the Company’s President and CEO. The present CIO has been employed by the Company in the information technology area for two and a half years and was previously the CISO at the Company for two years. The present CIO has over thirty-five years of IT experience, twelve of them in banking. The CIO holds a current Certified Information Systems Security Professional (CISSP) designation.

The Chief Information Security Officer (CISO), whose responsibilities constitute the second line of defense, provides the vision, leadership, and strategies necessary to protect the information security of the Company. The CISO manages policy, procedure, and process to ensure the execution of the Company’s Information Security and Business Continuity/Disaster Recovery (BC/DR) Programs. The CISO reports directly to the Chief Risk Officer to provide segregation between the first and second lines of defense. The Information Security Department, among other duties, supervises internal employee training relating to cybersecurity risks, conducts access reviews relating to the Company’s information systems, and monitors implemented security measures.

The Company has established a Management Technology Committee and a Board Technology Committee. These Committees provide oversight and governance of information technology and the Information Security Program and meet quarterly. The Board Technology Committee’s responsibilities include: (1) monitoring the strategic deployment and usage of Information Technology throughout the Company using reports and presentations from management; (2) oversight of cybersecurity preparedness through information security reports, discussion of internal events and discussion of cybersecurity topics pertinent to the Company and the industry; (3) oversight of activities in support of the Company’s business continuity/disaster recovery program to ensure optimal corporate resiliency in the unlikely event of a disaster; and (4) providing broad strategic guidance on the technology direction of the Company by, among other things, overseeing the development of the AmeriServ Strategic Technology Plan.