FINANCIAL INSTITUTIONS INC - (FISI)

10-K Filing Date: March 13, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

Based on the complex and continuously evolving cybersecurity threat landscape, we established, manage and continually enhance an enterprise-wide Information Security Program (“ISP”). The ISP is based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”). The CSF provides guidance for organizations to better manage and reduce cybersecurity risk while helping organizations understand, assess, prioritize, and communicate cybersecurity risks and mitigation. The ISP encompasses critical management components such as risk management, asset management, access controls, cyber awareness training, data security, detection and response, incident response, and business continuity.

The ISP, which is part of our Enterprise Risk Management Program, is organized in an operating framework that is supported by policies, standards, procedures, and guidelines that establish the information security control environment. Information Security collaborates with additional areas of our Enterprise Risk Management Program to ensure comprehensive risk oversight and reporting. The ISP is designed and implemented to comply with or exceed regulatory control requirements. Multiple internal and independent third-party assessments and audits are conducted annually to ensure our compliance with its policies, controls, and regulatory requirements.

The execution of the ISP relies on our committed investment in people, processes, and technology. We have invested in market-leading technology and award-winning security partners to execute key processes that ensure the confidentiality, integrity, and availability of company assets.

We have a Third-Party Risk Management (“TPRM”) Program that includes the comprehensive evaluation of the cybersecurity risks of prospective and existing third-party relationships. The TPRM Program utilizes a risk-based approach to perform ongoing due diligence reviews of existing third-party relationships and new prospective third parties. Third-party risks are identified and evaluated in coordination with periodic reviews, and threat intelligence monitoring and sound vendor relationships are also leveraged to identify third-party risks as they are announced. TPRM is a function of our Risk Organization overseen by the Chief Risk Officer (“CRO”).

We have not experienced any cybersecurity threats or incidents that have materially affected or are reasonably likely to affect our business strategy, results of operations, or financial condition. Risks relating to cybersecurity and their potential impact are discussed more fully in “Risk Factors” in Part I, Item 1A herein.

Governance

We have established a dedicated team to manage and execute the ISP. A Chief Information Security Officer (“CISO”) has been appointed as a Senior Vice President of the Company. The CISO leads the strategy and execution of the program while ensuring clear lines of communication with executive management, committees, the Board of Directors, and external stakeholders such as regulators and insurance carriers. The CISO was appointed in August 2023 after serving the Company as a senior officer and technology leader for over 15 years and leads a team of Information Security professionals with diverse security backgrounds including relevant certifications (e.g., CISSP, GSEC, GCTI). As a member of our risk organization, the CISO reports to the CRO, a member of the Executive Management Committee. The CRO joined the Company in February 2023 with over 30 years of progressive risk management experience.

The Company Risk Committee (“CRC”) serves as the management committee responsible for Information Security oversight, and the CISO is a member of the committee. The Risk Oversight Committee (“ROC”) is a sub-committee of the Board of Directors (the “Board”) and provides direct oversight of Information Security on behalf of the Board. Kim E. VanGelder, the current Chair of the ROC, has served as a member of our Board since 2016, has held progressive information technology leadership roles at the Eastman Kodak Company, with responsibilities including cybersecurity, global applications, and global technology infrastructure, and has served as its Chief Information Officer since 2004.

The CISO reports on the status of the ISP including relevant risks, cybersecurity threats, program updates, and program reporting to the CRC and the ROC no less than four times per year. Any material cybersecurity information, including strategic program development, is reported by the CISO to appropriate management and Board representatives to ensure timely awareness and escalation as necessary. Should there be a cybersecurity incident, we have a formal Incident Response plan including escalation processes designed to keep relevant management and committees informed of the mitigation and remediation efforts. The identification of incidents may come through internal monitoring and detection resources, external threat intelligence, third-party risk management efforts or various other event escalation methods. We leverage a Managed Security Services Provider (“MSSP”) for supplemental expertise and resources with the management and enhancement of critical threat monitoring solutions. The MSSP also provides industry-leading Security Operations Center services that serve as a critical source for event and incident detection.

The Board is actively engaged in the oversight and prudent management of risk, including those relating to cybersecurity and regulatory compliance. A comprehensive program update is delivered to the Board annually by the CISO. The Board annually reviews and approves the ISP and related Information Security policies to ensure alignment with the Company’s risk appetite and strategic defense amidst the evolving cybersecurity risk landscape.