QNB CORP - (QNBC)
10-K Filing Date: March 15, 2024
QNB maintains comprehensive and continually evolving processes for assessing, identifying, and managing material risks from cybersecurity threats, including any potential unauthorized occurrence on, or conducted through, QNB’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of such systems or any information residing on such systems. The processes relating to cybersecurity threats are integrated into QNB’s overall risk management processes, which are overseen by the entire board of directors and not delegated to any committee or subcommittee of the board.
As part of QNB’s overall risk management processes, it has established both the Information Technology Committee and the Security Committee. The Technology Committee comprises the executive management team, selected department heads, and the Information Security Officer ("ISO"). The Technology Committee reports to the Board of Directors. The second committee is the Information Security Committee, composed of QNB’s Chief Operations & Technology Officer (“COTO”), the Information Technology Director, and the ISO. The Information Security Committee reports to QNB’s Audit Committee. QNB’s COTO presents a detailed report on information systems and cybersecurity matters to the Board of Directors at least once annually. The Board of Directors also receives and reviews copies of minutes of all meetings of the Audit Committee and the Information Technology Committee.
QNB Bank’s information technology resources are managed by the Information Technology Department, which is responsible for identifying, assessing, and managing material risks from cybersecurity threats. The present COTO, who reports directly to the current President and Chief Executive Officer ("CEO"), has been with QNB Bank for over eight years and has over twenty-five years of experience in banking technology and operations. He has an MBA in Management Information Systems and is a current Certified Information Systems Security Professional. QNB’s IT Director and ISO report directly to the COTO. The Information Technology Department is managed by the IT Director. The present IT Director has been employed by QNB Bank in the information technology area for ten years, has been in the technology industry for over fifteen years, and holds numerous technology certifications. QNB's ISO, whose responsibilities include security relating to QNB’s information systems, is a Certified Information Systems Security Professional and a Certified Information Security Manager. The ISO, among other duties, supervises internal employee training relating to cybersecurity risks, conducts access reviews relating to QNB’s information systems, and monitors implemented checks and balances relating to access to information. Information relating to cybersecurity risks and cybersecurity incidents, if any, is reported by the COTO and the ISO to both the Information Technology Committee and the Information Security Committee. Additionally, cybersecurity incidents are reported to QNB’s Board of Directors by the COTO no less than quarterly.
QNB maintains an Incident Response Plan that provides documented guidelines for handling potential threats and taking appropriate measures, including timely notification of cybersecurity threats and incidents to senior management and the Board of Directors when appropriate. The Incident Response Plan is managed by the Information Security Committee and is reviewed and tested at least annually.
QNB uses third-party vendors to assist in monitoring, detecting, and managing cyber threats, including managed security service monitoring, penetration testing, and vulnerability assessment. The Information Security Committee has established risk management guidelines for third-party vendors. QNB conducts due diligence reviews of third-party vendors before contracts or agreements for the provision of services are signed and conducts ongoing due diligence and oversight procedures with the frequency of the procedures determined based on a risk assessment of the services provided. Generally, QNB’s agreements with service providers include requirements related to cybersecurity and data privacy. All such agreements are reviewed at least annually. QNB cannot guarantee, however, that such agreements, due diligence, and oversight procedures will prevent a cybersecurity incident from impacting information systems. Moreover, as a result of applicable laws and regulations or applicable contractual provisions, QNB may be held responsible for cybersecurity incidents attributed to its service providers in relation to any data that QNB shares with such providers.
To date, QNB has not experienced any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect QNB, including its business strategy, results of operations, or financial condition. As discussed under “Risk Factors” in Item 1A, however, the sophistication of cybersecurity threats continues to increase, and the preventative actions taken by QNB to reduce the risk of cybersecurity threats or incidents may not be sufficient in a particular circumstance. Accordingly, QNB may not be able to anticipate all cybersecurity breaches no matter how well designed or implemented QNB’s cybersecurity controls and procedures are, and QNB may not be able to implement effective preventive measures against such security breaches in a timely manner.