Cullman Bancorp, Inc. /MD/ - (CULL)
10-K Filing Date: March 22, 2024
Cybersecurity is a significant and integrated component of Cullman Savings Bank’s risk management strategy. As a financial services company, cyber threats are present and growing, and the potential exists for a cybersecurity incident to occur, which could disrupt business operations or compromise sensitive data. To date, we have not, to our knowledge, experienced an incident materially affecting or reasonably likely to materially affect Cullman Savings Bank.
To prepare and respond to incidents, we have implemented a multi-layered cybersecurity strategy, integrating people, technology, and processes. This includes employee training, the use of innovative technologies, and the implementation of policies and procedures in the areas of Information Security, Data Governance, Business Continuity and Disaster Recovery, Privacy, Third-Party Risk Management, and Incident Response. We engage third-party consultants and independent auditors to, among other things, conduct penetration tests and perform cybersecurity risk assessments and audits.
The Information Technology (IT) Department of Cullman Savings Bank is primarily responsible for identifying, assessing and managing material risks from cybersecurity threats. The IT Department is managed by the Vice President IT ("VP IT"). She has more than 13 years of experience with Cullman Savings Bank and a degree in Management Technology. The VP IT also oversees our Information Security Program, which is governed by various information security and cybersecurity, systems development, change control, disaster recovery/business continuity and physical asset classification and control policies. The Information Security Program identifies data sources, threats and vulnerabilities and brings awareness, accountability, and oversight for data protection throughout Cullman Savings Bank. Our program, together with trusted third parties, helps ensure that data is protected and able to be recovered in the event of a breach or failure (technical or other disaster). The IT Department conducts on-going threat assessments, addresses the latest threats and conducts penetration testing, business continuity/disaster recovery testing, and incident response plan testing. The VP IT presents information security and cybersecurity updates on a weekly basis to the Operations Committee, which consists of members of management, including the Chairman, President and Chief Executive Officer and the Information Security Officer (ISO).
The Operations Committee provides oversight, from a risk perspective, of information systems security. As referenced above, the VP IT provides information security updates to the Operations Committee at each scheduled meeting. In addition, as discussed below, we have implemented an Incident Response Plan (IRP) to provide a structured and systematic incident response process for information security incidents that affect any of our information technology systems, network, or data. The IRP is implemented and maintained by the VP IT and is subject to annual review and approval by the Compliance Committee and Board.
The Board of Directors recognizes the importance of the Interagency Guidelines Establishing Standards for Safeguarding Customer Information and has incorporated those elements in its ongoing oversight of the Information Security Program.
Risk Assessment. On a quarterly basis, the VP IT identifies and documents system internal and external vulnerabilities that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer records. Based on the results of the risk assessment, our Information Security Program may be revised to protect against any anticipated threats or hazards to the security or integrity of such information. The Compliance Committee reviews changes to the program designed to monitor, measure, and respond to vulnerabilities identified.
Response to Security Vulnerabilities. In response to identified risks, management may take certain steps to correct and respond to security vulnerabilities, which may include:
Internal Controls, Audit, and Testing. Regular internal monitoring is integral to our risk assessment process, which includes regular testing of internal key controls, systems, and procedures. In addition, independent third-party penetration testing to test the effectiveness of security controls and preparedness measures is conducted at least annually or more often, if warranted by the risk assessment or other external factors. Management determines the scope and objectives of the penetration analysis.
Service Providers. Like many companies, we rely on third-party vendor solutions to support our operations. Many of these vendors, especially in the financial services industry, have access to sensitive and proprietary information. In order to mitigate the operational, informational and other risks associated with the use of vendors, we maintain a Third-Party Risk Management Program, which is implemented through a Vendor Management Policy and includes a detailed onboarding process and periodic reviews of vendors with access to sensitive data. The Vendor Management Policy applies to any business arrangement between Cullman Savings Bank and another individual or entity, by contract or otherwise. The Vendor Management Program is audited as part of our annual Internal Audit Risk Assessment.
Employees and Training. Employees are the first line of defense against cybersecurity threats. Each employee is responsible for protecting Cullman Savings Bank and client information. Employees are provided training at initial onboarding and thereafter regarding information security and cybersecurity-related policies and procedures applicable to their respective roles within the organization. In addition, employees are subjected to regular simulated phishing assessments, designed to sharpen threat detection and reporting capabilities. In addition to training, employees are supported with solutions designed to identify, prevent, detect, respond to, and recover from incidents. Notable technologies include firewalls, intrusion detection/prevention systems, endpoint protection, network monitoring, multi-factor authentication, and data backups. Notable services include 24/7 security monitoring and response, vulnerability scanning, third-party monitoring, and threat intelligence.
Board Reporting. At least annually, the Board reviews the overall status of the Information Security Program and The Corporation’s compliance with the Interagency Guidelines for Safeguarding Customer Information. Any material findings related to the risk assessment, risk management and control decisions, service provider arrangements, results of testing, security breaches or violations are discussed, as are management’s responses and any recommendations for program changes.
Program Adjustments. The VP IT monitors, evaluates, and adjusts the Information Security Program, considering any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.
Incident Response Plan (IRP). In our effort to ensure that information security incidents can be recovered from quickly and with the least impact to The Corporation and its customers, The Corporation maintains a structured and systematic IRP for all information security incidents that affect any of the IT systems, network, or data of The Corporation, including The Corporation’s data held, or IT services provided by third-party vendors or other service providers. The VP IT and the ISO are responsible for implementing and maintaining the IRP, which includes: