ORRSTOWN FINANCIAL SERVICES INC - (ORRF)

10-K Filing Date: March 14, 2024
ITEM 1C – CYBERSECURITY
We use, store and process data for and about our customers and employees. We have implemented a cybersecurity risk management program that is designed to identify, assess, and mitigate risks from cybersecurity threats to this data and our systems.
Risk Management Oversight and Governance
Under the ultimate direction of our Chief Executive Officer and executive management team, our Information Security Core Committee has primary responsibility for overseeing our management of cybersecurity risks. This committee is chaired by our Chief Information Security Officer, or CISO, who reports directly to our Chief Risk Officer. Other members of the committee include representatives from Information Technology, Operations, Privacy, Compliance, BSA, Audit, Business Continuity, Vendor Management, Human Resources, Physical Security, Unified Fraud, Retail, Wealth Management, Lending, and Enterprise Risk Management.
Our CISO, working with his team and the Information Security Core Committee, has primary responsibility for assessing and managing our cybersecurity threat management program. He has more than 25 years of experience in building and leading information security teams and worked at a technology start-up and a large, publicly traded financial institution before joining the Company. His experience as a technology engineer has prepared him to lead teams both large and small and to design, implement and execute cyber and information security controls. He studied Computer Science at the University of Virginia and holds a Certified Information Systems Security Professional ("CISSP") certification.
In addition to frequent electronic communication, the committee meets monthly, and more frequently as circumstances warrant, to discuss and monitor prevention, detection, mitigation and remediation of risks from cybersecurity threats. When appropriate, meetings also include our Chief Risk Officer, Chief Financial Officer, General Counsel and members of our disclosure committee. On a regular basis, the CISO also updates the executive management team on developments within the cybersecurity sphere.
The Board of Directors has delegated oversight of the Company’s cybersecurity program to the Enterprise Risk Management Committee of the Board of Directors. The Enterprise Risk Management Committee is responsible for reviewing reports on data management and security initiatives and significant existing and emerging cybersecurity risks, including cybersecurity incidents, the impact on the Company and its stakeholders of any significant cybersecurity incident and any disclosure obligations arising from any such incidents.
Our CISO meets quarterly with the Enterprise Risk Management Committee of the Board of Directors to discuss management’s ongoing cybersecurity risk management programs. He provides information about the sources and nature of risks the Company faces, how management assesses such risks – including in terms of likelihood and severity of impact, progress on vulnerability remediation and current developments in the cybersecurity landscape. This presentation is shared with the full Board of Directors to enable discussion of cybersecurity risk management at the full board level.
Processes for the Identification of Cybersecurity Threats
Under the guidance of the Information Security Core Committee and the CISO, we have adopted a cybersecurity risk management program that addresses, among other areas:
Identification of assets at risk from cybersecurity threats;
Identification of potential sources of cybersecurity threats;
Assessment of the status of protections in place to prevent or mitigate cybersecurity threats; and
Given that landscape, how to manage cybersecurity risks.
Our risk assessment and mitigation program is centered on three key components:
Identification of risks, which involves input from different groups across the Company;
Evaluation of the likelihood of the risks manifesting, the severity of the potential consequences and prioritization of different risk items based on, among other things, importance to the business and cost/benefit analysis to fully address; and
Execution, which involves establishing a program to address the prioritized risks.
Our information security team is responsible for monitoring our information systems for vulnerabilities and mitigating any issues. It works with other groups in the Company to understand the severity of the potential consequences of a cybersecurity incident and to make decisions about how to prioritize mitigation and other initiatives based on, among other things, materiality to the business. The information security team has processes designed to keep the Company apprised of the different threats in the cybersecurity landscape; this includes interacting with intelligence networks, working with researchers, discussing with peers at other companies, monitoring social media, reviewing government alerts and other news items and attending security conferences. The team also regularly monitors our internal network and our customer-facing network to identify security risks.
Our Internal Audit function updates the Enterprise Risk Management Committee of our Board of Directors on a quarterly basis about the Company’s enterprise risk management program. These reports are the culmination of a process that involves discussions with leaders across the Company and incorporates a multitude of enterprise risk factors, including cybersecurity threats. The Enterprise Risk Management Committee Chair, in turn, reports to the full Board of Directors a summary of the enterprise risk management presentation.
We have an employee education program that is designed to raise awareness of cybersecurity threats to reduce our vulnerability as well as to encourage consideration of cybersecurity risks across functions.
As part of the assessment of the protections we have in place to mitigate risks from cybersecurity threats, we engage third parties to conduct risk assessments on our systems. To assess the effectiveness of our program, we also have engaged consultants to conduct penetration testing and other vulnerability analyses. Over a cycle of several years, our Internal Audit function, with the assistance of outside technical advisors, will conduct an assessment of different systems to provide the Enterprise Risk Management Committee with information on our risk management processes, including cybersecurity risk.
Before purchasing third-party technology or other solutions that involve exposure to the Company’s assets and electronic information, our information technology team requires the vendor to complete a security review before it is approved to work with the Company.