ENB Financial Corp - (ENBP)
10-K Filing Date: March 22, 2024
Item 1C. Cybersecurity
Cybersecurity, data privacy, and data protection are critical to our business. In the ordinary course of our business, we collect and store certain confidential information such as the personal information of depositors and borrowers and information about our employees, contractors, vendors, and suppliers. We rely heavily on the secure processing, storage, and transmission of sensitive and confidential financial, personal, and other information in our computer systems and networks.
The Corporation has developed and implemented an Information Security Program based on the Cybersecurity Framework (CSF) best practices and recommendations from the National Institute of Standards and Technology (NIST), applicable regulatory guidance, and other industry standards. Components of the program include a risk assessment program to identify, assess, and mitigate cybersecurity risk; a vendor management program to address third-party cybersecurity risk; a business continuity program (BCP) to ensure continuity of operations; and an incident response program documenting cybersecurity incident response and notification procedures. The Corporation's Information Security Officer (ISO) oversees these programs and reports on their status to management committees, including the Senior Leadership Committee, the ERM Governance Committee, and the Operational Risk Committees. The ISO is part of the risk management function and reports directly to the Chief Risk Officer, who, in turn, reports directly to the Board of Directors. The ISO has over twenty years of professional experience in cybersecurity, vendor management, business continuity, and incident response, and holds multiple relevant professional certifications. The ISO provides periodic updates to the Board of Directors, including a comprehensive annual report. The Information Security, Vendor Management, BCP, and Incident Response Programs are approved by the Board annually.
The ISO maintains risk assessments for critical IT systems, vendors, and processes. A third-party cybersecurity risk assessment tool and the FFIEC's Cybersecurity Assessment Tool (CAT) are used annually to assess these risks. Third parties are assessed according to service type, compliance risk, financial risk, operational risk, and security risk. The level of due diligence and ongoing monitoring performed for each third party is based on that assessment.
The ISO conducts training on cybersecurity risks for all new employees, and at least annually for existing employees and the Board of Directors. In addition to this training program, simulated phishing attempts are sent to employees on a regular basis to evaluate their understanding of these risks and to provide supplemental training as needed. The Corporation uses web filtering software to prevent malicious content from entering its network, and data loss prevention software to prevent sensitive information from leaving the network unless properly secured. Penetration tests and vulnerability scanning are performed on a regular basis. We employ an in-depth, layered, defensive strategy with respect to our products, services, and technology, and we leverage people, processes, and technology to manage and maintain cybersecurity controls. We employ various preventative and detective tools designed to monitor, block, and alert on suspicious activity, and to report on any suspected advanced persistent threats.
Access to data on the Corporation's networks is granted only where needed for an employee's job functions. The Information Security Department approves all changes to access, and access to critical systems is subject to annual review.
An Incident Response Team that includes representatives from key areas of the Corporation convenes in the event of a cybersecurity incident. The Team receives specialized training, including an annual tabletop exercise, and ensures that the proper notifications are made to comply with all relevant laws, rules, regulations, and policies.
During the year ended December 31, 2023, there were no cybersecurity incidents that materially affected or are reasonably likely to materially affect the Corporation.