CHEMUNG FINANCIAL CORP - (CHMG)
10-K Filing Date: March 13, 2024
ITEM 1C. CYBERSECURITY
The Corporation regards information as one of its most valuable assets. As a result, safeguards have been implemented to protect corporate informational assets and associated technology resources, and processes have been established to maintain the integrity, availability, and privacy of the confidential information within those assets. The Corporation has established an Information and Cyber Security Program (“Program”) that includes standards and procedures to ensure that all information belonging to or held by the Corporation will be appropriately evaluated, classified, and protected against likely forms of unauthorized or inappropriate access, use, disclosure, modification, destruction, and denial.
Enterprise Risk Management embeds risk management into the oversight of cybersecurity as an integral part of the business, with comprehensive internal control and assurance processes linked to key risks, which are then reported to the Board of Directors (“Board”). Risk oversight, including cybersecurity, is a key risk that has been delegated to the Enterprise Risk Committee of the Board (“ERC”). Cybersecurity is integrated into the Corporation's Enterprise Risk Management Policy, Enterprise Risk Management Committee Charter, Escalation Policy, Risk Appetite Statement, Information Technology Steering Meetings, and Division Risk Meetings. Employees are trained on their first day of employment with regard to cybersecurity, and additional training is rolled out for all employees throughout the year.
The Corporation engages with a multitude of third-party assessors, consultants, auditors and other third parties to support and maintain a robust information security practice. These partners are credentialed cybersecurity firms that assist in monitoring and maintaining the performance and effectiveness of our processes, procedures, and internal controls, as well as the various products and services that are deployed in our environment. The Corporation has a Third Party Risk Management Program in place to monitor for any potential material risks from cybersecurity threats regarding any third-party service providers. Through our Third Party Risk Management Program we risk rate our vendors and conduct a thorough review prior to the execution of any agreement, and then on an ongoing, risk-based basis. The review consists of due diligence documents and information such as Service Organization Control (“SOC”) Reports, Information and Data Security, Business Continuity Testing and Penetration Testing.
The risks from cybersecurity threats, including any previous cybersecurity incidents, have not materially affected the Corporation to date, including our business strategy, operations, or financial condition. Cybersecurity is an evolving threat that does have the potential to materially affect the Corporation, including our business strategy, operations, or financial condition. However, with our system of internal controls, the cyber defense mechanisms in place, and the tenure and experience of our Chief Information Security Officer (“CISO”) and Information Security Analysts, we have sought to reduce the residual risk that is inherent in cybersecurity.
The CISO reports to ERC on a quarterly basis regarding the cybersecurity program and material cybersecurity risks. The quarterly report includes the following information: information security incidents, internal phishing risk, defensive coverage and response of our endpoints, and internal and external vulnerability scan results. The ERC is also apprised of training, regulation or guidance changes, and new products and services utilized by the Information Security Department. In addition to a cybersecurity risk assessment that is performed by the CISO, management is responsible for conducting a risk assessment to identify data security, information technology, and cybersecurity risk factors impacting their business line. The results are reviewed by the Risk Division and presented to ERC.
The CISO has over 26 years of experience with information technology management, information security, compliance, audit, and process improvement. Our Information Security Analysts have a combined 22 years of experience with information security, information technology servers and information technology networks. The CISO and Information Security Analysts are active members of the following management level committees at the Bank: Information Technology Steering Committee and the Change Control Committee.
The Program is led by our CISO, who reports directly to the Senior Risk Officer. Additionally, the CISO meets regularly and works in tandem with the Chief Information Officer and various members of Information Technology. The Information Security Department meets regularly with employees through hosted educational sessions, all-employee call presentations, Officers’ meeting presentations and individual Branch network visits. Line of business leaders regularly reach out to the CISO with regard to cybersecurity risk prevention, questions, and training. The CISO has a standing agenda item for the Information Technology Steering Committee meeting as well as the ERC in order to inform the committees about prevention, detection, mitigation and remediation of cybersecurity incidents. If there are any incidents that require information to be presented to the Executive Management Team or the Board, the Senior Risk Officer presents that information. The CISO reports to the ERC on a quarterly basis regarding the cybersecurity program and material cybersecurity risks.