PEOPLES FINANCIAL SERVICES CORP. - (PFIS)

10-K Filing Date: March 15, 2024
Item 1C.

Cybersecurity.

Cybersecurity Risk Management and Strategy

The current threat environment, from phishing emails to targeted cyber-attacks, has created an urgent need for increased awareness of cyber and information security. Peoples and Peoples Bank take a risk-based approach to managing these threats. The Bank's leadership team and its Board of Directors engage in the management of this risk by participating in the information security and cybersecurity strategy and review process.

Cyber and information security programs are designed around industry best practices. Compliance with these best practices, along with federal and state regulatory requirements, is examined annually by the Pennsylvania Department of Banking and the FDIC. We also regularly engage other third-party external auditors and consultants to assess our compliance.

Our cyber defense strategy includes continuous monitoring, integrated risk assessment, identification of vulnerabilities and human risk factors, and employee awareness. Cyber exercises with other financial services companies and government agencies help prepare the Bank for cyber-attacks. Incident response scenarios and business continuity exercises test the organization's preparedness for disaster events. The organization also utilizes several national and global third-party advisors to ensure the appropriateness of the Bank's security posture, the effective operation of the cybersecurity discipline and the proper assessment of risk.


Third-Party Risk Management

The Bank has an established third-party information security risk management program that reviews and assesses third parties prior to engagement and throughout the third-party relationship. This program requires periodic risk assessments to be conducted throughout the term of the engagement. Third parties and their employees are required to adhere to information security standards and best practices. The Bank's contracts with third parties require them to maintain confidentiality, security provisions and business continuity practices.

Education and Awareness

Peoples Security Bank and Trust Company employees are required to complete training on customer information protection at least annually. They receive monthly training and testing on phishing emails and other timely information security topics. They are also required to abide by the Bank's Code of Business Conduct and Ethics Policy. Annual review and acknowledgement of each employee's information security responsibilities are required. Information security tips are provided on the Bank's website for all customers to review. We provide additional information security protections to customers using our online banking systems and encourage the Bank's digitally active business customers to take advantage of the cyber and phishing training provided free of charge by the Bank.

Material Effects of Cybersecurity Threats

While cybersecurity risks have the potential to materially affect the Company's business, financial condition and results of operations, the Company does not believe that risks from cybersecurity threats or attacks have, to date, materially affected the Company, including its business strategy, results of operations or financial condition. However, the sophistication of cyber threats continues to increase, and the Company's cybersecurity risk management and strategy may be insufficient or may not be successful in protecting against all cyber incidents. Accordingly, no matter how well designed or implemented the Company's controls are, it will not be able to anticipate all cybersecurity breaches, and it may not be able to implement effective preventive measures against such breaches in a timely manner. For more information on how cybersecurity risk may materially affect the Company's business strategy, results of operations or financial condition, please refer to Item 1A Risk Factors.

Cybersecurity Governance

Board of Directors Oversight

Our Board of Directors has ultimate oversight of cybersecurity risk. The Board of Directors is assisted by the Board Information Technology Committee ("IT Committee"), which regularly provides reports to the Board of Directors. The IT Committee is comprised of members with experience in managing cybersecurity risks. The IT Committee receives regular updates on cybersecurity risks, incidents and the cybersecurity program through direct interaction with the Chief Information Officer ("CIO") and the Chief Risk Officer ("CRO") at quarterly meetings. Cybersecurity reviews are completed at least twice annually and provided to the Audit Committee of the Board of Directors. Additionally, awareness and training on cybersecurity topics is provided to the whole Board on an annual basis.

Management’s Role

The CIO, along with the Information Security Officer, is responsible for implementing and maintaining the Company's cybersecurity risk management program. The Information Security department is led by the Information Security Officer, who reports directly to the CIO and the Board of Directors, with dotted-line reporting to the CRO. The Company's CIO has over 30 years of experience in technology and cybersecurity, including 24 years in the financial services industry. The Information Security Officer has over 20 years of experience in the financial services industry, with the last 14 years as a Risk Analyst and then Information Security Officer.

The Company's Information Security department measures and reports on the quality of information and cyber risk management across all functions. Information security risk is reported by both the Information Security and Enterprise Risk departments through monthly management metric reporting working groups and multiple layers of quarterly risk committees to achieve an appropriate flow of information risk reporting to the Board. The risk committees include the Executive Risk Management Committee, the Management Information Technology Steering Committee and the Information Technology Committee of the Board of Directors. In addition, we have an escalation process in place to inform senior management and the Board of Directors of material cybersecurity issues.
