AUBURN NATIONAL BANCORPORATION, INC - (AUBN)

10-K Filing Date: March 14, 2024
ITEM 1C. CYBERSECURITY
We rely extensively on various information systems and other electronic resources to operate our business. In addition, nearly all of our customers, service providers and other business partners on whom we depend, including the providers of our online banking, mobile banking and accounting systems, use their own electronic information systems. Any of these systems can be compromised, including by employees, customers and other individuals who are authorized to use them, and by bad actors using a sophisticated and constantly evolving set of software, tools and strategies to do so. The threats are domestic and international and range from small to large, including state-sponsored, terrorist and criminal organizations with substantial funds, and technical and other resources.

As a bank, we and our vendors, service providers and customers may be attractive targets, and we confront continuous cybersecurity threats. Insurance to fully cover these risks is unavailable in sufficient amounts at reasonable costs. We believe the more effective approach is taking active measures to detect, deter and reduce cybersecurity threats, and to be prepared to address and remediate any breaches and prevent similar breaches in the future. See the “Risks Related to Information Security and Business Interruption” section of the Risk Factors included in Item 1A of this Form 10-K for additional information.
Accordingly, we have devoted significant resources to assessing, identifying and managing risks associated with cybersecurity threats, including:
• Implementing an Information Security Program that establishes policies and procedures for security operations and governance;
• Establishing an IT Steering Committee of the Board that is responsible for security administration, including conducting regular assessments of our information systems, existing controls, vulnerabilities and potential improvements;
• Implementing layers of controls and not allowing excessive reliance on any single control;
• Employing a variety of preventative and detective tools designed to monitor, block and provide alerts regarding suspicious activity;
• Continuously evaluating tools that can detect and help respond to cybersecurity threats in real-time;
• Leveraging people, processes and technology to manage and maintain cybersecurity controls;
• Maintaining a vendor management program with periodic review processes, and a third-party risk management program designed to identify, assess and manage risks associated with external service providers;
• Monitoring our systems and related software and programming periodically to update software and programming, including updating data protection elements, and requiring that our service providers also engage in similar programs that are reasonably designed to deter cybersecurity breaches;
• Performing initial and ongoing due diligence with respect to our third-party service providers, including their cybersecurity practices and safeguards, and service levels based on the risk they pose to the Bank;
• Engaging third-party cybersecurity consultants, who conduct periodic penetration testing, vulnerability assessments and other procedures to identify potential weaknesses in our systems and processes; and
• Conducting periodic cybersecurity training for our employees and the Company’s board of directors.
Our Information Security Program is a key part of our overall risk management system, which is administered by our IT Steering Committee and evaluated by our IT Steering Committee and chief risk officer. The program includes administrative, technical and physical safeguards to help protect the security, confidentiality and availability of customer records and information.

From time to time, we have identified cybersecurity threats that require us to make changes to our processes and equipment and to implement additional safeguards. While none of these identified threats or incidents have materially affected us, it is possible that threats and incidents we identify in the future could have a material adverse effect on our business strategy, customer service, data privacy and security, continuity of service and reputation, and our results of operations and financial condition.
The Company’s Chief Technology Officer is responsible for the day-to-day management of cybersecurity risks we face and oversees the IT Steering Committee, which is chaired by a director of the Company’s board. The IT Steering Committee oversees the information security assessment, development of policies, standards and procedures, testing, training and security report processes. The IT Steering Committee is comprised of directors and officers with the appropriate expertise and authority to oversee the Information Security Program.

Our Chief Technology Officer, along with the information technology department, is accountable for managing our enterprise information security and delivering our information security program. The department, as a whole, consists of information security professionals with varying degrees of education and experience. The Chief Technology Officer is subject to professional education and certification requirements. In particular, our Chief Technology Officer, who is also designated as our Information Security Officer, has relevant expertise in the areas of information security and cybersecurity risk management.
In addition, the Company’s Board, both as a whole and through its IT Steering Committee, is responsible for the oversight of risk management, including cybersecurity risks. In that role, the Company’s Board and the IT Steering Committee, with support from the Company’s management and third-party cybersecurity advisors, are responsible for ensuring that the risk management processes designed and implemented by management are adequate and functioning as designed. The Board reviews and approves an information security program, vendor management policy (including third-party service providers), acceptable use policy, incident response policy and business continuity planning policy on an annual basis. All the aforementioned policies are developed and implemented by Company management. To carry out its duties, the Board receives updates at least quarterly from the Chief Technology Officer regarding cybersecurity risks and the Company’s efforts to prevent, detect, mitigate and remediate any cybersecurity incidents.