Blue Foundry Bancorp - (BLFY)

10-K Filing Date: March 27, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
Our risk management program is designed to identify, assess and mitigate risks across various aspects of our company, including financial, operational, regulatory, reputational and legal. Cybersecurity is a critical component of this program, given our increasing reliance on technology and the potential for cyber threats. Our Chief Information Security Officer is primarily responsible for this cybersecurity component and is a key member of the risk management organization, reporting directly to the Chief Risk Officer.
Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse our systems or information. The structure of our information security program is designed around the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, regulatory guidance and other industry standards. In addition, we leverage certain industry and government associations, third-party benchmarking, audits and threat intelligence feeds to facilitate and promote program effectiveness. Our Chief Information Security Officer and our Chief Technology Officer, who reports directly to our President and Chief Executive Officer, along with key members of their teams, regularly collaborate with peer banks, industry groups and policymakers to discuss cybersecurity trends and issues and identify best practices. The information security program is periodically reviewed by such personnel with the goal of addressing changing threats and conditions.
We employ an in-depth, layered, defensive strategy that embraces a “trust by design” philosophy when designing and/or implementing new products, services and technology. We leverage people, processes and technology as part of our efforts to manage and maintain cybersecurity controls. We also employ a variety of preventative and detection tools designed to monitor, block and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. We have established processes and systems designed to mitigate cyber risk, including regular and ongoing education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests. We engage in regular internal assessments of our infrastructure, software systems and network architecture, as well as of the cybersecurity risks associated with external service providers and our supply chain. We also actively monitor our email gateways for malicious phishing email campaigns and monitor remote connections, as a significant portion of our workforce has the option to work remotely. We leverage internal and external auditors and independent external partners to periodically review our processes, systems and controls, including with respect to our information security program, to assess their design and operating effectiveness and make recommendations to strengthen our risk management program.
We maintain a Cyber Incident Response Procedure that provides a documented framework for responding to actual and potential cybersecurity incidents, including timely notification of and escalation to the appropriate Board-approved management committees and to the Enterprise Risk Committee of our Board of Directors. The Cyber Incident Response Procedure is coordinated through the Chief Information Security Officer, and key members of management are embedded into the Procedure by its design. The Cyber Incident Response Procedure facilitates coordination across multiple parts of our organization and is evaluated at least annually.
Notwithstanding our defensive measures and processes, the threat posed by cyber-attacks is severe. Our internal systems, processes and controls are designed to mitigate loss from cyber-attacks and, while we have experienced cybersecurity incidents in the past, to date, risks from cybersecurity threats have not materially affected our company. For further discussion of risks from cybersecurity threats, see the section captioned “Cyber-attacks or other security breaches could adversely affect our operations, net income or reputation” in Item 1A. Risk Factors.
Cybersecurity Governance
Management Committee Oversight
The Company has established an Information Risk Management Subcommittee, chaired by the Chief Information Security Officer and supported by leaders from departments across the Company. The Cybersecurity function is provided by qualified financial services technology professionals with extensive certifications and/or advanced degrees in cybersecurity. Cybersecurity knowledge is expanded across all areas of Information Technology and is foundational in the approach from planning to execution. The subcommittee focuses on strategic and tactical delivery, policy oversight, and the assessment and management of material risks from cybersecurity threats. Policies are also shared with the Enterprise Risk Management Committee to provide an additional second-line review in alignment with Enterprise Risk functions. All Information Security activity is led by the Chief Information Security Officer, including developing and implementing the information security program and reporting cybersecurity matters to the Board. The Chief Information Security Officer has many years of experience leading cybersecurity governance and operations in financial services, supported by staff cybersecurity specialists. Management provides cybersecurity statistics and details to the Board quarterly.
Board Committee Oversight
The Company’s Board Enterprise Risk Committee provides oversight of the cyber program. The Committee consists of Board members and is chaired by an independent director. Committee members have extensive experience in various disciplines, including risk management, communications, litigation, banking and transactional matters, and regulatory compliance. The Board Committee receives regular reports on the effectiveness of the overall cybersecurity program and on the detection of, response to, and recovery from significant cyber incidents. Cybersecurity metrics are reported quarterly to the Committee, and Key Risk Indicators are also reported.