First Northwest Bancorp - (FNWB)
10-K Filing Date: March 15, 2024
The Company recognizes cybersecurity as a critical risk to its operations and the management of this risk is a top priority. We are committed to protecting the confidentiality, integrity, and availability of our customer information, information systems, data, and assets from unauthorized access, use, disclosure, disruption, modification, or destruction. The Company adheres to cybersecurity industry best practices such as the National Institute of Standards and Technology cybersecurity framework and Federal Financial Institutions Examination Council ("FFIEC") guidance. FNWB management has integrated its processes for assessing, identifying, and managing material risks from cybersecurity threats into the Company’s overall risk management program, including regularly conducting risk assessments and gap analyses in order to identify and prioritize cybersecurity threats and vulnerabilities across our entire digital estate, which is comprised of our IT infrastructure as well as cloud-based applications and storage. These assessments consider industry best practices, evolving threats, and the specific needs of our business.
The Company implements a defense in depth, or layered, approach to security controls, including network security, intrusion detection and prevention, anomaly detection, endpoint security, data encryption, identity and access management, and security awareness training. Staff evaluate and update our controls on an ongoing basis to address emerging threats. We have a documented incident response plan in place to identify, contain, and remediate cybersecurity incidents. The plan includes roles and responsibilities for key personnel, communication protocols, and procedures for recovery and notification. We also maintain business continuity, crisis management, and disaster recovery plans to ensure the continued operation of critical business functions in the event of a major disruption, including a cyberattack. These plans are tested regularly through tabletop exercises, simulations, parallel testing, and functional testing.
The Company adheres to a continuous improvement philosophy in regard to cybersecurity and leverages external experts, consultants, auditors, and assessors on a regular basis to complement the internal staff in identifying and remediating any gaps in the Company’s cybersecurity program.
The Company has a well-defined and mature vendor management program that includes controls to address third-party cybersecurity risks throughout the vendor management lifecycle.
The FNWB Board of Directors has oversight responsibility for enterprise-wide risks, including cybersecurity risks. The Board recently welcomed a cybersecurity expert as a director to help further understand and anticipate risks in this area. A designated committee of the Board, the Audit Committee, is responsible for overseeing the Company's cybersecurity risk management program and reviewing its effectiveness. The Chief Information Officer and Security Officer ("CIO/SO") is responsible for assessing and managing material risks from cybersecurity threats, with a dedicated staff of information security professionals. The CIO/SO has over 25 years of education, training, and experience managing technology and cybersecurity risks, and over 12 years of experience in the banking industry specifically. The CIO/SO regularly updates executive and senior management, including the Enterprise Risk Management Committee, as well as the Board Audit Committee on cybersecurity risks and mitigation strategies. The Company has implemented internal controls to address the effectiveness of our cybersecurity program. These controls include risk assessments, vulnerability assessments and scans, periodic audits, and periodic penetration testing.
We are committed to disclosing material cybersecurity incidents to investors and other stakeholders in a timely and transparent manner in compliance with applicable regulations and in keeping with market practices. Management will assess the materiality of a cybersecurity incident based on its potential impact on our financial condition, results of operations, reputation, or ability to meet our business objectives. The Company is not aware of any current cybersecurity threats that are reasonably likely to affect the Company’s business strategy, results of operations or financial condition.
See "We are subject to certain risks in connection with our use of networks and technology systems" in Item 1A. Risk Factors of this Form 10-K for additional information regarding the risks we face from cybersecurity threats.