ACNB CORP - (ACNB)

10-K Filing Date: March 14, 2024
ITEM 1C - CYBERSECURITY

ACNB recognizes the critical importance of identifying, assessing and managing material risks from cybersecurity threats and is committed to implementing and maintaining a comprehensive information security program to manage such risks and safeguard its systems and data. Governance of cybersecurity risk is based on the Corporation’s Information Security Program and related policies and procedures, which are designed in conformance with industry standards and in compliance with Section 39 of the Federal Deposit Insurance Act and Sections 501 and 505(b) of GLBA, and to protect the confidentiality, integrity and availability of its information assets. The Corporation’s Board of Directors is responsible for overseeing the development, implementation and maintenance of the Corporation’s overall information security standards. The Audit Committee of the Board of Directors has enterprise risk management oversight responsibilities, which include information security. Information Security-related functions are performed by both ACNB Bank Risk Management and Technology Services personnel. The Information Security Committee is an ACNB Bank management committee which is responsible for providing oversight and direction for information security matters and standards; it meets periodically throughout the year, with minutes of its meetings provided to the Corporation’s Board of Directors. ACNB Bank’s Information Security Officer is responsible for managing and monitoring the Information Security Program, and is a part of the Risk Management department, which ultimately reports to the Chief Risk Officer. Additionally, the Information Security Program is supported by ACNB Bank’s Technology Services Department, which is led by the Technology Services Manager, who reports to the Chief Credit and Operations Officer.

The Information Security Program includes an Information Security strategy; an incident response plan for incident management; access rights management; threat and vulnerability management; security training; risk and maturity assessments; security systems controls and standards; data use, reproduction, storage and destruction standards; intrusion prevention management; patch management; physical and environmental protections; encryption standards; malicious code prevention; intelligence sharing; and Information Security Monitoring, including architecture considerations, activity monitoring and condition monitoring. On an annual basis, Information Security-related risk assessments and a maturity analysis are performed and reported to the Board of Directors or the Board Audit Committee. Risks from cybersecurity threats associated with use of third-party service providers are addressed as part of the vendor management program, in initial and ongoing assessment of service providers. Information Security training is conducted for both employees and the Board of Directors annually. Training includes sharing educational communications to increase employee awareness of cybersecurity risks.

ACNB engages independent third-party assessors and auditors in connection with its information security program, including to conduct external and internal penetration testing, internal vulnerability scanning, independent audits and risk assessments. Technology Services personnel perform internal security practices, including periodic internal vulnerability scanning using commercial software tools with follow-up corrective measures as required, monitoring for unauthorized access attempts, using dynamically updated Endpoint Security for anti-malware, and deploying dynamically updated firewalls to protect against unknown actors. The Information Security Officer performs monthly phishing exercises, with the reporting of results to the Information Security Committee and an annual summary of results to the Audit Committee. ACNB Bank also utilizes third-party service providers in the ordinary course of business. As part of ACNB Bank’s management program, initial and ongoing information security due diligence is reviewed and assessed on ACNB Bank’s service providers as appropriate, based on their level of access to, storage of and processing of corporate and customer confidential information. Such due diligence may include review of service organization control reports and other independent testing, as well as of information security and incident response programs.

As a regulated financial institution, ACNB Bank is also subject to financial privacy laws and its cybersecurity practices are subject to oversight by the federal banking agencies. For additional information, see “Supervision and Regulation” included in Part I. Item 1 – Business of this report.

Although ACNB has not, as of the date of this Annual Report on Form 10-K, experienced a cybersecurity threat or incident that materially affected its business strategy, results of operations or financial condition, there can be no guarantee that ACNB will not experience such an incident in the future or the potential impact thereof. For additional information regarding the risk ACNB faces from cybersecurity threats, please see the risk factors titled “ACNB’s operations of its business, including its transactions with customers, are increasingly done via electronically, and this has increased its risks related to cybersecurity.” and “ACNB’s communications, information, and technology systems may experience a failure, interruption or breach in security.” included in Part I. Item 1A. – Risk Factors of this report.