FIRST UNITED CORP/MD/ - (FUNC)
10-K Filing Date: March 15, 2024
Risk Management Strategy
Our risk management program is designed to identify, assess, and mitigate risks across various aspects of the Corporation, including financial, operational, reputational, and legal. Cybersecurity is a critical component of this program, given the increasing reliance on technology and the potential for cyber threats. Our Cyber Security Initiative (“CSI”) committee, led by our Information Security Officer, is primarily responsible for this cybersecurity component and is a key member of the risk management organization. The Information Security Officer reports directly to the Chief Operating Officer and, as discussed below, regularly to the Risk and Compliance Committee of our board of directors.
Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse our systems or information. The structure of our information security program is built around the Cyber Risk Institute’s cybersecurity profile, which is designed specifically for the financial services industry, together with regulatory guidance and other industry standards. In addition, we leverage certain industry and government associations, third-party benchmarking, audits, and threat intelligence feeds to facilitate and promote program effectiveness. Our Information Security Officer, along with key members of our risk team, regularly collaborates with peer banks, industry groups, and policymakers to discuss cybersecurity trends and issues and identify best practices. The information security program is periodically reviewed by such personnel with the goal of addressing changing threats and conditions.
We employ an in-depth, layered, defensive strategy that embraces a “trust by design” philosophy when designing new products, services, and technology. We leverage people, processes, and technology as part of our efforts to manage and maintain cybersecurity controls. We also employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. We have established processes and systems designed to mitigate cyber risk, including regular and ongoing education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests. We engage in regular assessments of our infrastructure, software systems, and network architecture, using internal cybersecurity experts and third-party specialists. We also maintain a third-party risk management program designed to identify, assess, and manage risks, including cybersecurity risks, associated with external service providers and our supply chain. We also actively monitor our email gateways for malicious phishing email campaigns and monitor remote connections, as a significant portion of our workforce has the option to work remotely. We leverage internal and external auditors and independent external partners to periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and make recommendations to strengthen our risk management program.
We maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification of and escalation to the appropriate Board-approved management committees, as discussed further below, and to the Risk and Compliance Committee of our board of directors. The Incident Response Plan is coordinated through the Management Director of Information Technology, and key members of management are embedded into the Plan by its design. The Incident Response Plan facilitates coordination across multiple parts of our organization and is evaluated at least annually.
Notwithstanding our defensive measures and processes, the threat posed by cyber-attacks is severe. Our internal systems, processes, and controls are designed to mitigate loss from cyber-attacks and, while we have experienced cybersecurity incidents in the past, to date, risks from cybersecurity threats have not materially affected our Company. For further discussion of risks from cybersecurity threats, see the section captioned “A disruption, breach, or failure in the operational systems or infrastructure of our third party vendors or other service providers, including as a result of cyber-attacks, could adversely affect our business” in Item 1A. Risk Factors.
Governance
Our Information Security Officer is accountable for managing our enterprise information security processes and procedures and delivering our information security program. The responsibilities of this department include cybersecurity risk assessment, incident response, vulnerability assessment, threat intelligence, identity access governance, third-party risk management, and business resilience. The foregoing responsibilities are covered on a day-to-day basis by a first line of defense function, and our second line of defense function, including the CSI Committee, provides guidance, oversight, monitoring, and challenge of the first line’s activities. The Committee as a whole consists of information security professionals with varying degrees of education and experience, as well as Information Technology professionals and audit and fraud professionals. Individuals within the Committee are generally subject to professional education and certification requirements. In particular, our Information Security Officer has substantial relevant expertise and formal training in the areas of information security and cybersecurity risk management.
Our board of directors has approved management committees including the CSI Committee, which focuses on technology impact, and the Management Risk Committee, which focuses on business impact. These committees provide oversight and governance of the technology program and the information security program. These committees are chaired by managers within the Corporation and include the Chief Operating Officer, as well as his direct reports and other key departmental managers from throughout the entire company. These committees meet regularly to provide oversight of the risk management strategy, standards, policies, practices, controls, and mitigation to facilitate timely information and monitoring efforts. The Information Security Officer reports summaries of key issues, including significant cybersecurity and/or privacy incidents, discussed at committee meetings and the actions taken to the Risk and Compliance Committee of our board of directors on a quarterly basis (or more frequently as may be required by the Incident Response Plan).
The Risk and Compliance Committee of our board of directors is responsible for overseeing our information security and technology programs, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. Our CSI Committee provides quarterly reports to the Risk and Compliance Committee of our board of directors regarding the information security program and the technology program, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes. The Risk and Compliance Committee of our board of directors reviews and approves our information security and technology budgets and strategies annually. Additionally, the Risk and Compliance Committee of our board of directors reviews our cybersecurity risk profile on a regular basis. The Risk and Compliance Committee of our board of directors provides a report of its activities to the full board of directors at board meetings.