F&M BANK CORP - (FMBM)
10-K Filing Date: March 27, 2024
Risk Management and Strategy
The Company recognizes the importance of a cybersecurity risk management program designed to assess, identify, and manage risk associated with cybersecurity threats. Our cybersecurity risk management program (the “Program”) is consistent with the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity Assessment Tool, which incorporates bank regulatory guidance and principles from the National Institute of Standards and Technology Cybersecurity Framework and includes the following risk-based principles:
· Identification, measurement, mitigation, monitoring and reporting of cybersecurity threats based on internal and external information sharing and resources;
· Safeguards designed to protect against identified threats, including documented policies and procedures, controls, and employee education and awareness;
· Processes to detect cybersecurity events and improve incident response, including routine testing of incident response, recovery and business continuity plans and processes; and
· Third-party risk management process to manage cybersecurity risk with service providers, suppliers, and vendors.
The Program is designed to adapt to an evolving landscape of emerging cybersecurity threats and advancing technology in order to determine the Company’s cybersecurity preparedness. Based on routine data gathering, emerging risks, internal incidents, technology investments and internal controls, our Program and overall cybersecurity risk strategy are adjusted as needed.
The Program is supported by regular training of information security employees and awareness training and activities for executives, directors, and employees through which we communicate our cybersecurity policies, standards, processes, and practices to foster a culture of cybersecurity risk management across the Company.
Integrated Risk Management
The Program is integrated into the Company’s enterprise risk management framework and functions to identify risk, form a strategy to manage risk, implement the strategy, test the implementation, and monitor our technology environment to control risk. The information technology team works closely with stakeholders across security, risk, compliance, operations, other business stakeholders, and senior leadership to conduct an annual cybersecurity risk assessment utilizing the FFIEC Cybersecurity Assessment Tool.
Engagement of Third Parties in Connection with Risk Management
The Company engages various third parties to evaluate the effectiveness and maturity of the Program. The Company engages an independent third party to audit the cybersecurity risk strategy and preparedness. The Company also maintains cybersecurity insurance; however, the costs related to cybersecurity threats or disruptions may not be fully insured. The Company also engages third parties to perform regular penetration tests, vulnerability scans, disaster recovery tests and cyber exercises to simulate threat actor attacks. Our relationships with third parties enable us to leverage their cybersecurity expertise and industry knowledge to assess our Program and adjust it as needed.
Oversight of Third-party Risks
Our third-party service providers, suppliers, and vendors face their own risks from cybersecurity threats that could impact the Company in certain circumstances. In response, we have implemented processes for overseeing and managing these risks. The processes include limiting the exposure of our information systems to external systems to the least practical amount, assessing the third parties’ information security practices before allowing them to access our information systems or data, requiring third parties to implement appropriate cybersecurity controls in our agreements with them, conducting ongoing monitoring of their compliance with those requirements, and requiring third parties to agree to contractual requirements designed to ensure cybersecurity concepts are appropriately addressed.
Risks from Cybersecurity Threats
As of the date of this report, we have not encountered any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.
Governance
Board of Directors Oversight
Our Board’s Operational Risk Committee oversees cybersecurity risk.
Management's Role in Cybersecurity Risk Management
Given the important role of technology in the Company’s operations and customer service, the Company has established an Information Technology Steering Committee, which consists of our IT Manager, President, Chief Financial Officer, Chief Experience Officer, Director of Risk Management and Information Security Officer. The Information Technology Steering Committee reviews, monitors, aligns, and prioritizes all significant strategic information technology initiatives and security risks. The Information Technology Steering Committee reports to the Operational Risk Committee and minutes of the committee’s meetings are subsequently reported by the Operational Risk Committee to the Company’s Board of Directors. Our IT Manager, in collaboration with our Information Security Officer, makes quarterly reports to the Information Technology Steering Committee. Such reports include updates related to key metrics, key risk indicators, key performance indicators, penetration test results, risk assessment results, project updates, incident reports, compliance matters, and operational issues.
Risk Management Personnel
The Information Security Officer has the primary responsibility for managing the Program to identify, assess, manage, and control cybersecurity risk. The Information Security Officer reports directly to the President. The Information Security Officer has approximately 15 years of experience in cybersecurity, information security risk management, identity and access management, security architecture, vulnerability management, threat intelligence, security operations and incident management and response.
Monitoring Cybersecurity Incidents
The Information Security Officer is continually informed of and monitors cybersecurity risks and incidents. In the event of a cybersecurity incident, the Company has developed an incident response plan to timely report cybersecurity incidents to the executive management team, the Operational Risk Committee and Board of Directors, as necessary. In addition to facilitating timely evaluation, escalation and reporting of cybersecurity incidents, this plan also sets forth the process for identifying and assessing the severity of cybersecurity incidents, as well as monitoring post-incident mitigation and remediation.
Reporting to Board of Directors
The Operational Risk Committee receives reports from the President, Information Security Officer, and Director of Risk Management, and briefings on our information security and enterprise risk management programs at least quarterly, including the results of any external audits, bank regulatory examinations and evaluations, as well as maturity assessments of our information security program.