Pathfinder Bancorp, Inc. - (PBHC)
10-K Filing Date: March 22, 2024
The Company considers cybersecurity a subset of information security, and as such, cybersecurity risks and controls are assessed in our information security risk assessment and managed in our Information & Cybersecurity Program & Policy ("ICPP"). The ICPP is developed and maintained utilizing the Federal Financial Institutions Examination Council ("FFIEC") Information Technology Examination Handbook, FDIC and NYSDFS guidance, and the Gramm-Leach-Bliley Act, and represents the standards, policies, procedures, and guidelines defining the Company's security requirements and related activities, which include risk management and risk assessment practices. Management has charged the Information Security Officer ("ISO"), who has over 14 years of experience, together with the Technology Steering Committee, with implementing and monitoring the ICPP. The Company's Information Technology ("IT") department consists of the Chief Information Officer ("CIO"), who has over 35 years of experience in the IT field, including 25 years with the Company, and other key personnel who have years of experience and various certifications related to assessing and managing cybersecurity risk. Additionally, the Company has developed a comprehensive enterprise risk management program to monitor risks related to its operations, including cybersecurity risk, and the Company's Chief Risk Officer has primary responsibility for the enterprise risk management program. Management also engages the services of third parties to assist the ISO with their tasks. The Company believes that risk management is a component of overall governance and that IT risk management is a component of overall risk management.
The Company recognizes that our overall security culture contributes to the effectiveness of our ICPP. The Company has developed an enterprise risk management program that identifies, prioritizes and provides a formal structure for the internal and external risks that impact the organization. The Board of Directors sets the tone and direction for the Company's use of IT and has identified the Technology Steering Committee as having primary responsibility for oversight of the Company's risk exposures, risk assessments and policies, including risks related to cybersecurity. The Board of Directors and Technology Steering Committee approve and periodically review and re-approve the ICPP and other IT related policies. While the Board of Directors may delegate the design, implementation, and monitoring of certain IT activities to the CIO or designee, the full Board of Directors remains responsible for overseeing IT strategies and policies, including cybersecurity. To help carry out their responsibilities, Directors, management, and all employees are periodically trained to understand IT activities and risks, including cybersecurity risks. Management, through the Technology Steering Committee, the ISO, or both, provides a status report to the Board of Directors at least annually, with more frequent communications as necessary. The report describes the overall status of the ICPP and material matters related to the program, including security breaches, cybersecurity assessments, and cybersecurity awareness training for employees and the Board of Directors.
The Company utilizes third-party threat analysis tools such as penetration testing and vulnerability scanning to assist in understanding and supporting the measurement of information security related risks. Additionally, the Company uses a third-party tool to help management identify current cybersecurity risks and control maturity levels, and to evaluate overall cybersecurity preparedness. The Company conducts gap analyses and develops action plans designed to identify potential actions that improve our overall cybersecurity posture, and periodically reevaluates both cybersecurity risks and controls to ensure they are commensurate with our size and complexity and are keeping pace with the overall cybersecurity threat environment.
Management also obtains, analyzes, and responds to information from various sources on cybersecurity threats and vulnerabilities that may affect the Company, while incorporating available information on cybersecurity events into our risk assessment. Additionally, management develops, maintains, and updates a repository of cybersecurity threat and vulnerability information that may be used in conducting risk assessments, and ultimately provides updates to the Board of Directors on cybersecurity risk trends. The Company has not experienced any cybersecurity incidents that have individually or in the aggregate had a materially adverse effect on our business, financial condition or results of operations.
Additionally, the Company conducts due diligence in the selection and ongoing monitoring of third-party service providers. Management is responsible for ensuring that such third parties use suitable information security controls when providing services to us. As part of the oversight of third-party service providers, management determines whether cybersecurity risks are identified, measured, mitigated, monitored, and reported by such third parties.