FLUSHING FINANCIAL CORP - (FFIC)

10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity.

Overview

The Company maintains comprehensive information technology and cybersecurity programs which encompass policies, procedures, assessments, monitoring, response plans, and testing to ensure technical, administrative, and physical controls are effective.

The Bank’s Incident Response and Business Continuity Programs are inclusive of cyber resiliency, business continuity and disaster recovery strategies to help mitigate the impact of a cybersecurity incident across all business lines.

Management Role and Board Oversight

The cybersecurity programs are supervised by the Bank’s Chief Information Security Officer (“CISO”), who reports to the Chief Risk Officer (“CRO”) and has a dotted-line reporting relationship to the Chief Information Officer. The Chief Risk Officer has reporting responsibility to the Board’s Risk and Compliance Committee, while the Chief Information Officer has reporting responsibility to the Board’s Information Technology Committee. The Risk and Compliance Committee consists of eight directors, seven of whom are independent, while the Information Technology Committee consists of three directors, two of whom are members of the Risk and Compliance Committee. The Company Board includes members who have expertise in cybersecurity, fraud, and risk management. Cybersecurity risks are primarily assessed, monitored, and remediated by the CISO, who has a Ph.D. in Information Technology with a concentration in Information Assurance, has experience in the information technology and cybersecurity fields, and maintains advanced cybersecurity-centric certifications. The CISO’s knowledge and experience in the cybersecurity field are key to executing our cybersecurity program. Our CISO oversees proactive initiatives, remediation plans for known risks, compliance with regulations and standards, and disaster recovery, business continuity, and incident response efforts. Additionally, the Bank’s CRO, who leads the management risk function, has extensive experience in risk management.

The cybersecurity programs include a cross-functional team of trained internal and external information security professionals, all of whom are required to maintain industry-accredited certifications. We have an Incident Response Team chaired by our Chief Operating Officer that is comprised of executive management and designated managers, including the CISO. The purpose of our incident response plan is to manage incidents, including information security incidents, efficiently and effectively in order to minimize loss and destruction, mitigate weaknesses, restore services, notify customers as required by law, and comply with regulatory requirements and any third-party obligations.

The CISO and CRO play a pivotal role in informing the Board of all cybersecurity risks. These positions provide comprehensive updates to the Risk Management Committee of the Board, at least quarterly. The briefings combine a range of updates, including the cybersecurity program, emerging risks, and risk reporting. The CISO and CRO also provide a monthly overview of the cybersecurity landscape to the Board of Directors.

Managing Material Risks and Integrated Overall Risk Management

The Company maintains documented processes, procedures, and controls for assessing, identifying, and managing material risks from cybersecurity threats. Cybersecurity threats are identified utilizing risk assessments, detection tools, information gathering and performing internal, external, and third-party contracted security assessments.


Cybersecurity Threats

To assess and manage cybersecurity threats, the Company maintains an Incident Response Team comprised of members from the major business areas in the Company to ensure appropriate subject matter specialists are represented. Following implemented processes, every cybersecurity event is assessed to determine whether the incident has materially affected, or is reasonably likely to materially affect, the Company’s business strategy, results of operations or financial condition.

The Company has not identified any cybersecurity threats that have materially affected operations or financial position.

Oversee Third-Party Risk

The Company has processes to oversee and identify material risks from cybersecurity threats reported by any third-party service providers or vendors. The Company’s vendor management program requires initial due diligence, ongoing monitoring, and annual recertification of third-party cybersecurity controls.

Cybersecurity Risks

Management and the Board of Directors acknowledge that technology systems, managed both by the Company and third-party service providers, are critical to business operations and therefore require appropriate risk management.

Engagement with Third Parties on Risk Management

Cybersecurity is an integral part of the risk management program, which is supported through the use of consultants, auditors and other third parties who assist with reviewing and validating the effectiveness of cybersecurity controls. Our internal audit function actively participates and engages with those managing the cybersecurity program to validate the effectiveness of implemented safeguards. Our external audit results are reviewed and reported in our annual filing and to the Board Audit Committee. Additionally, the Company and the Bank are regulated entities and undergo regulatory reviews to ensure the Company and the Bank are in compliance with all appropriate standards.