AMERICAN NATIONAL BANKSHARES INC. - (AMNB)
10-K Filing Date: March 15, 2024
Overview
The cybersecurity threat environment is volatile and dynamic, requiring a robust, adaptive framework to reduce and mitigate cybersecurity risk. Cybersecurity risk includes exposure to failures or interruptions of service or security breaches resulting from malicious technological attacks that impact the confidentiality, integrity, or availability of our or third parties' operations, systems, or data. We seek to mitigate cybersecurity risk and the associated reputational and compliance risk by, among other things:
● maintaining privacy policies, management oversight, accountability structures, and technology design processes to protect private and personal data;
● actively monitoring and mitigating cybersecurity threats and risks with a three lines of defense structure to provide oversight, governance, challenge, and testing;
● using a third-party cybersecurity oversight program;
● maintaining oversight of our information security program by senior management, our board-level Technology and Information Security Subcommittee (which reports to our board-level Risk and Compliance Committee), and our Board of Directors; and
● maintaining an incident response program intended to enable us to mitigate the impact of, and recover from, any cyberattacks, and to facilitate communication to internal and external stakeholders, as needed.
We had no material cybersecurity incidents in 2023.
Risk Management and Strategy
Our cybersecurity risk management strategy is integrated into our risk management practices and is embedded in each of our three lines of defense, as detailed below. We use a combination of management expertise and Board oversight, as discussed below, as well as outside consultants to assist us in overseeing our cybersecurity risk management program. We deploy safeguards designed to protect customer information and our own corporate information and technology. We have programs and processes in place designed to mitigate known attacks, and we use both internal and external resources to scan for vulnerabilities in our applications, systems, and platforms. We implement backup and recovery systems and require the same of our third-party service providers.
We use independent third-party service providers to perform penetration testing of our infrastructure to help us better understand the effectiveness of our controls, improve our defenses, and conduct assessments of our program for compliance with regulatory requirements and industry guidelines. We also engage with outside risk experts and industry groups to help us evaluate potential future threats and trends, particularly with respect to emerging information security and fraud risks. We generally have agreements in place with our service providers that include requirements related to cybersecurity and data privacy. We cannot guarantee, however, that such agreements will prevent a cyber incident from impacting our systems or information. Additionally, we may not be able to obtain adequate or any reimbursement from our service providers in the event we should suffer any such incidents. Due to applicable laws and regulations or contractual obligations, we may be held responsible for cyber incidents attributed to our service providers in relation to any data that we share with them.
While, to date, we have not experienced a significant compromise, attack, or loss of data related to cybersecurity attacks, due to the nature of our business we are under constant threat of attack and could experience a significant cybersecurity event in the future. Potential risks we could face from a cybersecurity event are discussed in "Risk Factors" above.
Governance
Through established governance structures, including our problem and incident management process and cyber incident response plan, we have processes and procedures to help facilitate appropriate and effective oversight of cybersecurity risk. These processes and procedures enable our three lines of defense and management to review and manage cybersecurity risks, monitor threats, and provide for further escalation to executive management, our board-level Technology and Information Security Subcommittee reporting to our board-level Risk and Compliance Committee, or to the full Board, as appropriate.
Role of the Board of Directors
Our Board of Directors plays a critical role in the oversight of risk, including risks from cybersecurity threats, and has established a risk oversight structure that seeks to ensure that cybersecurity risks are identified, monitored, assessed, and mitigated appropriately. In that regard, our Board is actively engaged in the oversight of our cyber risk profile, which includes risks from cybersecurity threats, enterprise cyber strategy, and key cyber initiatives. Our Board regularly receives reports on such matters from our Chief Information Officer, Chief Information Security Officer, and other relevant personnel. Our Board also meets with our internal and external auditors, and federal and state regulators to review and discuss reports on risk, examination, and regulatory compliance matters.
Our board-level Risk Committee is responsible for assisting the Board in its oversight of risk, including cybersecurity threats, and for overseeing our enterprise risk management framework. The Risk Committee actively engages with our risk group and other members of management to discuss major risk exposures, establish risk management principles, and determine our risk appetite, and it regularly reports on its activities to, and makes recommendations to, the full Board. The Risk Committee receives a quarterly summary analysis of cybersecurity risks, threats, and incidents. In addition, the Risk Committee is engaged, as needed, in accordance with our Cybersecurity Incident Response Plan.
Role of Management
Our cybersecurity risk management program is built on three lines of defense, which collectively are designed to identify, assess, and manage our material risks from cybersecurity threats.
Our Information Security department, which is our first line of defense, operates under our Chief Information Security Officer, who manages preventive and detective controls to protect against cybersecurity risks and responds to cyber incidents and data breaches. At least annually, the first line conducts mandatory teammate training on information security and provides ongoing information security education and awareness for teammates, such as online training classes, mock phishing attacks, and information security awareness materials. Our cybersecurity risk management program is designed to maintain and challenge our information security defenses, as well as to monitor, respond to, evaluate, and escalate cyber threats.
The second line of defense independently evaluates, monitors, and challenges our risk mitigation efforts to proactively identify cybersecurity risks, including early-stage engagement with, and risk management of, emerging threats. Second line teammates provide effective challenge to the cybersecurity risk management efforts of the first line through ongoing engagement in problem and incident management, regular reviews of cybersecurity risk reporting, and inquiries into the sufficiency of risk management activities. Our second line of defense is led by our management-level Enterprise Risk Committee, which governs our technology and operational risk tolerances, including cybersecurity and third- and/or fourth-party provider risks. This committee includes the Information Security Officer and is co-sponsored by the Chief Information Officer and the Chief Operating Officer. These individuals have relevant financial, technical, and business degrees, hold relevant certifications, and each has over 20 years of experience in their respective area of expertise, with a minimum of 10 years in leadership roles, including multiple years at financial institutions. The Committee is responsible for escalating key risks to our Management Risk Committee, which includes all members of our Executive Leadership Team.
Internal Audit serves as the third line of defense and provides independent assurance on how effectively we are mitigating, managing, and challenging our cybersecurity risks.