LAKE SHORE BANCORP, INC. - (LSBK)
10-K Filing Date: March 22, 2024
The Company recognizes that the security of our operations is critical to protecting our customers and maintaining the reputation of the Company. Management is committed to managing Information Security Risk, which includes cybersecurity risk, that may impact the Company. The Enterprise Risk Committee (ERC) of the Board of Directors provides oversight of the Company’s written Information Security Management and Information Technology Governance Programs (the "Programs"). Through the Programs, the Company has established policies, processes, controls, and systems designed to identify, assess, measure, manage, monitor, and report risks related to cybersecurity and to help prevent or limit the effect of possible cybersecurity threats and attacks. As cybersecurity threats continue to evolve, the Company expects to continue to monitor and enhance the current controls and systems in place to detect and prevent cybersecurity attacks and to remediate discovered vulnerabilities.
The Company’s Information Security Officer (ISO) is responsible for the design and execution of the Information Security Management Program and the information and cyber security aspects of the Information Technology Governance Program. The ISO provides the ERC with regular reports on the status and effectiveness of the Programs and risk management activities, as well as cyber and information security issues that may affect the Company. In addition, the ISO regularly reports the status to Executive Management.
The Company utilizes the following guidelines and frameworks to develop and maintain the Information Security Management Program: the Federal Financial Institutions Examination Council (FFIEC) Information Technology (IT) Examination Handbooks, the FFIEC Cybersecurity Assessment Tool (CAT), the Center for Internet Security Critical Security Controls, the National Institute of Standards and Technology Special Publication 800 Series, the National Institute of Standards and Technology Cybersecurity Framework (CSF), 12 CFR Appendix B to Part 30 - Interagency Guidelines Establishing Standards for Safety and Soundness, and the Gramm-Leach-Bliley Act (GLBA) Section 501(b).
The Information Security Management Program features layered controls of network and endpoint intrusion detection and prevention, enterprise malware protection, threat monitoring, and a Security Operations Center that provides full-time support and additional operational measures to monitor and respond to data breaches and cyberattacks. The Company leverages regular assessments to identify current and potential threats and vulnerabilities within the Company’s environment. Technical vulnerabilities are identified through regular automated vulnerability scanning tools and periodic vulnerability and penetration testing performed by independent third parties. Non-technical vulnerabilities are identified through the Information Technology and Information Security Assurance Program by conducting regular process and procedural reviews as well as risk assessments. The Company uses the FFIEC CAT to help identify cybersecurity risks and determine our cybersecurity preparedness. The Company’s information security and cybersecurity risk appetite statements define the levels of risk the Company is willing to accept and guide the risk management decisions of the Company. The risk appetite statements are approved by the Board of Directors annually.
The Company has an Incident Response Plan to help reduce the risks related to security incidents by providing guidelines on responding to incidents, focusing on a roadmap for coordinating personnel, policies, and procedures to ensure incidents are detected, analyzed, and handled appropriately.
The Company also recognizes the risks associated with the use of third-party providers and maintains a Third Party Risk Management Program that is responsible for the oversight of outsourced services. This enables the Company to identify risks related to third parties through an inherent risk assessment and a due diligence review process designed to ensure third parties are in compliance with the Company’s risk and information security expectations.
The Company’s Security Awareness Program provides annual, mandatory training for personnel on information security to prepare personnel with the knowledge of how to properly use and protect Company resources from internal and external threats. The Program also conducts regular phishing assessments and targets new hires and other groups with specific training related to their job activities or risk levels. The Program also communicates information security policies, standards, and practices to personnel and requires annual review and acknowledgement of the policies.
The ISO has served various roles in audit, information risk, information technology, and information security in multiple industries for over 12 years. The ISO holds an undergraduate degree in Management Information Systems and has attained the ISACA Certification in Certified Information Systems Auditor (CISA). The ISO reports to the Chief Financial Officer (CFO) as well as the Chairperson of the ERC.
For the year ended December 31, 2023, the Company has not identified any specific risk from a cybersecurity threat that has materially affected, or is reasonably likely to affect, the Company’s business strategy, results of operations, or financial condition, other than those described in Item 1A. Risk Factors - Risks Related to Technology.