UNITED BANCORP INC /OH/ - (UBCP)
10-K Filing Date: March 20, 2024
General
All companies utilizing technology are subject to threats of breaches of their cybersecurity programs. To mitigate the threat to our business and address regulatory requirements, we take a comprehensive approach to cybersecurity risk management and have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. As described in more detail below, we have established policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats. We devote significant financial and personnel resources to implement and maintain security measures to meet regulatory requirements and customer expectations, and we intend to continue to make significant investments to maintain the security of our data and cybersecurity infrastructure.
Legal Overview
Pursuant to the requirements of section 39 of the Federal Deposit Insurance Act (12 U.S.C. 1831p–1) and sections 501 and 505(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801, 6805(b)), the federal bank regulatory agencies adopted the Interagency Guidelines Establishing Information Security Standards (the “Guidelines”). The requirements of the Guidelines apply to all FDIC-insured depository institutions, most subsidiaries of such entities, and to state savings associations. Federal law also mandates that information security procedures and controls be routinely evaluated by the Bank’s state and federal regulators as part of the standard safety and soundness examination process.
Bank Security Policy
To comply with all applicable federal requirements, the Bank’s Board of Directors has adopted the Unified Bank Information Security Policy (the “ISP”), which establishes a program that the Bank’s management and board can use to:
● Ensure the security and confidentiality of customer information;
● Protect against any anticipated threats or hazards to the security or integrity of such information; and
● Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.
Under the ISP, the Board of Directors or an appropriate committee thereof is required to oversee all efforts with respect to the development, implementation and maintenance of an effective information security program. In addition, the ISP charges management with responsibility for identifying all reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration or destruction of Bank information, and directs management to develop and implement procedures and other controls designed to reduce or eliminate identified risks.
The Bank has also implemented controls designed to identify and mitigate cybersecurity threats associated with our use of the Bank’s critical third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and based on risk profile. A variety of inputs are used in such assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate.
In addition to being subject to routine examination by the Bank’s state and federal regulators, the efficacy of the Bank’s information security program is also audited annually by an independent third-party auditing firm.
Managerial and Board Oversight
To facilitate oversight, the Bank has established a front line committee, the Compliance Risk Assessment Committee, which is comprised of all members of senior management, the head of information security and certain other operationally significant employees. This Committee, which meets quarterly, is responsible for monitoring all key operational risks applicable to the Bank. Cyber risk assessments are routinely conducted and reported to the Audit Committee of the Board of Directors. In addition, key members of senior management also meet annually with a cyber risk consultant who apprises management on emerging cyber threats and evaluates the Company’s adequacy of cyber risk insurance coverage. The findings of this meeting are also reported to the Executive Committee. All significant matters are reported by the Executive Committee to the full Board of Directors.