COLONY BANKCORP INC - (CBAN)
10-K Filing Date: March 14, 2024
Item 1C
Cybersecurity Risk Management and Strategy
Cybersecurity is an important aspect of Colony’s business operations and the execution of our strategic plans, including growth initiatives. As a financial institution, we face a variety of cybersecurity threats that range from common attacks, such as ransomware and denial-of-service, to more intricate and sophisticated attacks from highly organized adversaries that specifically target the financial services industry. Our customers, vendors, and partners are also vulnerable to cybersecurity risks, and any incident affecting us or any of these stakeholders could significantly impact our operations, performance, and financial results. To address these challenges, we maintain a comprehensive cyber risk management program aimed at identifying, assessing, mitigating, managing, and responding to cybersecurity threats. This program is incorporated into our enterprise risk management framework, covering both our internal information technology systems and customer-facing products and services.
Colony has implemented a formal risk management process to address cyber-related risks, encompassing identification, assessment, monitoring, consultation, communication, and review of cyber-related risks, and designed in accordance with industry standards and best practices for cybersecurity and information technology. Annually, our information security standards undergo external audits under the System and Organization Controls (SOC) framework. Our program undergoes periodic evaluations utilizing the Federal Financial Institutions Examination Council's (FFIEC) Cybersecurity Assessment Tool to gauge our cybersecurity readiness, ensure alignment with associated risks, identify potential areas for improvement or enhancement in our risk management practices and controls, and guide our risk management strategies.
Our information security program incorporates a diverse range of technologies aimed at safeguarding our operations and proprietary information. We have an established Business Continuity/Disaster Recovery program that undergoes regular updates and testing to ensure the protection of our networks, data, systems, and facilities against attacks or unauthorized access. Furthermore, we maintain an Incident Response program outlining Colony's protocols, procedures, and roles for addressing cybersecurity incidents. This program undergoes frequent testing via tabletop exercises, which often yield valuable insights and lead to subsequent enhancements in our Incident Response protocols.
We believe Colony’s employees have a vital role in the Company’s cybersecurity defenses. Employees at all levels and in all lines of business and support functions participate in training programs on cybersecurity and social engineering to mitigate risk. Exercises to test the effectiveness of this training are conducted on a monthly basis.
Third-party cyber advisors play an important role in Colony's cybersecurity framework, and we have established partnerships with leading cybersecurity entities and organizations to harness external technology and expertise as needed. We regularly enlist independent third parties to conduct periodic reviews and assessments of our information security program, as well as annual penetration tests on our network. We also maintain cyber coverage through our insurance carrier to mitigate risks associated with cybersecurity incidents, subject to customary terms and exclusions. Additionally, we exercise cybersecurity due diligence and oversight over critical third-party relationships and vendors, ensuring that those with access to personal, confidential, or proprietary information adhere to cybersecurity practices consistent with applicable legal standards and industry best practices.
Colony remains committed to investing in the development and improvement of our security processes and controls, as well as maintaining our technology infrastructure. These processes include a comprehensive plan for notifying, informing, consulting, analyzing, and communicating any risks or incidents to a range of internal stakeholders, including executive management and the Board, as well as external stakeholders such as regulators, affected individuals, and the investment community, as deemed necessary and appropriate based on the circumstances.
Colony’s business relies on the availability, security, reliability, and confidentiality of our information systems, networks, and data. Any disruption, compromise, or breach of these systems or data due to a cybersecurity incident or threat could materially impact our business strategy, financial condition, or results of operation. While the Company has encountered, and will continue to encounter, cyber incidents in the normal course of business, to date, the Company has not experienced a cybersecurity incident that has materially impacted our business strategy, financial condition, or results of operation. Despite our ongoing efforts to continually strengthen our cybersecurity program, there can be no assurance that our cybersecurity risk management processes and measures described will be fully implemented, complied with, or effective in safeguarding our systems and information. We face risks from certain cybersecurity threats that, if realized, could reasonably be expected to materially affect our business strategy, financial condition, or results of operation. See “Part I - Item 1A. Risk Factors – Risks Related to our Business” of this Report.
Cybersecurity Governance
Colony’s Information Security Officer ("ISO") reports to Colony’s Chief Risk Officer. Our ISO has ten years of information security experience specific to the financial services industry, which includes cybersecurity risk management. The ISO holds relevant certifications and completes annual training. The ISO is responsible for assessing and managing Colony’s cyber risk management program and strategy, informing executive management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents, and supervising such enterprise-wide efforts.
Our Board is actively engaged in the oversight of Colony’s information security risk management and cybersecurity programs and has delegated primary oversight of cybersecurity to its Technology and Risk Management Committees. The Technology Committee receives quarterly and as-needed updates from the Company’s ISO on the Company’s information security and cyber risk strategy, cyber defense initiatives, cyber event preparedness, and cybersecurity risk assessments. As part of these quarterly updates, the ISO informs the Technology Committee of any new or emerging cyber risks or threats and the appropriate mitigation actions. The Technology Committee routinely provides a report of its activities to the full board of directors.