UNION BANKSHARES INC - (UNB)
10-K Filing Date: March 25, 2024
Item 1C. Cybersecurity
Our Company faces a number of cybersecurity risks in connection with the operation of our business which could have a material adverse effect on our business, financial condition, results of operations, cash flows, or reputation. As part of the operation of our business, the Company and our service providers use, store, and process data for our customers, employees, partners, and suppliers. A cybersecurity incident impacting any of these entities could materially and adversely affect our operations, performance, or results of operations. In addition, as a financial services company we are subject to extensive regulatory compliance requirements, including those established by the FRB, FDIC and the DFR. To address these risks and regulatory requirements, the Company established a robust cybersecurity risk management program. This program safeguards sensitive customer data, financial transactions, and our information systems, serving as a vital component of our broader enterprise risk management strategy.
Risk Management Oversight and Governance
The Company's Board of Directors is charged with overseeing and approving Union's risk management framework and monitoring adherence to related policies required by applicable statutes, regulations and principles of safety and soundness. Union's Information Security Officer (ISO) provides periodic updates regarding cybersecurity risks and the cybersecurity program to the Board of Directors. Additionally, awareness and training on cybersecurity topics are provided to the Company's Board of Directors on a regular basis. Consistent with this responsibility, the Board has delegated primary oversight responsibility over the risk management framework and oversight of the cybersecurity program, including oversight of cybersecurity risk and cybersecurity risk management, to Union's IT Steering Committee.
Union's IT Steering Committee includes representatives from information technology, information security, other department leaders and stakeholders, and Union's senior management team. This Committee receives regular updates on the state of Union's cybersecurity program, including any incidents, and approves information technology or information security related projects and proposals. These team members are also responsible for the resolution of any findings and implementation of recommendations from internal and external audits and examinations.
Union's ISO is responsible for implementing and maintaining the cybersecurity program with support from Union's Information Security team. The Information Security team consists of Union's ISO, members of the risk and compliance department, security staff, and information technology members, all of whom collaboratively work together to manage cybersecurity risks. The ISO reports directly to Union's Senior Risk Officer.
Cybersecurity Risk Management Program
The program is designed to identify, assess, manage, mitigate, and respond to cyber threats with the goal of preventing cybersecurity incidents to the extent feasible, while also increasing our system resilience to minimize business disruption in the event we experience a cyber event. Our program is structured to be nimble and adaptable to changes in cybersecurity threats over time and to respond to emerging threats in a timely and efficient manner.
Our Information Security team, led by our ISO, is responsible for monitoring our information systems for vulnerabilities and mitigating any issues. The Information Security team works collaboratively across the Company to understand the potential impacts of a cybersecurity incident and prioritize mitigation and other measures based on, among other things, the materiality to our business. The Information Security team has established processes designed to monitor threats in the cybersecurity landscape which include interacting with intelligence networks, working with researchers, discussions with peers at other companies, monitoring social media, reviewing government alerts and other news items and attending industry specific security conferences and trainings. The team regularly monitors our internal network and customer-facing network to identify any security issues. In addition, the Company augments the team’s monitoring via the engagement of external vendors who provide continuous threat monitoring services of the Company’s environment.
As part of our assessment of the risks to our Company, the Information Security team conducts annual cybersecurity risk assessments to evaluate the inherent risk of our applications and the strength of our controls, and identify the residual risk for each application. In addition, we conduct regular reviews and testing of critical network and application systems to monitor their security. We have adopted internal Company-wide Information Technology and Information Security policies which are reviewed and updated annually and approved by our Board of Directors. Our employees and the Board of Directors attend annual trainings that are designed to raise awareness about cybersecurity threats, reduce our vulnerability, and encourage consideration of cybersecurity threats across the Company. Additional trainings are required for employees in certain roles; these additional trainings are tailored to the employees’ specific duties.
We regularly review and update our investments in information technology security to identify and protect critical assets, provide monitoring and alerts, and, as needed, engage third-party experts. To assess the effectiveness of our program, we have engaged consultants to conduct penetration testing and other vulnerability assessments. Additionally, our Internal Audit department and external auditors conduct assessments of different systems to provide the Audit Committee with information on our risk management processes, including cybersecurity risk management. We also test our defenses internally and conduct regular cybersecurity simulations and tabletop exercises with members of senior management present. These tests and assessments provide useful insights into the strengths and weaknesses of our cybersecurity framework.
Our cybersecurity framework is designed to protect our customers, employees, investors, and our intellectual property. Before purchasing third-party technology or other solutions that could expose the Company’s assets and electronic information, our Information Security team completes security reviews on the vendors. Contracts are also negotiated to ensure language is included to address cybersecurity risk limitation and remediation. We also conduct ongoing reviews of cybersecurity risks associated with our third-party service providers. As part of the Company’s Vendor Management Program, annual reviews are conducted for certain third-party vendors. Members of our Information Security team work with department managers and application owners to review System and Organization Controls (“SOC”) 1 or SOC 2 reports. In the event a third-party vendor is unable to provide either a SOC 1 or SOC 2 report, this group conducts additional reviews to assess the cybersecurity preparedness of the specific vendor. This assessment of the risks associated with the use of third-party service providers is part of our overall vendor management and cybersecurity risk management framework.
To date, such cybersecurity risks have not materially affected us. We do, from time to time, experience threats to our data and systems that have been halted by the policies and systems in place. For more information about the cybersecurity risks we face, see Operational Risks in Part I, Item 1A of this Annual Report.