CHOICEONE FINANCIAL SERVICES INC - (COFS)

10-K Filing Date: March 13, 2024

Item 1B. Unresolved Staff Comments

None.

Item 1C. Cybersecurity

 

Our bank faces various cybersecurity threats, including unauthorized access, malware, and phishing attacks. These threats could compromise the security of our information systems and the data we store and process. While we have experienced, and expect to continue to experience, cybersecurity threats, we have not experienced a material cybersecurity incident in the three year period ended December 31, 2023. The potential consequences of a material cybersecurity incident could include reputational damage, litigation with third parties, regulatory criticism or proceedings and increased cybersecurity protection and remediation costs, which in turn could materially adversely affect our results of operations.

 

We have established an information security third party risk management program to identify and manage these risks. This program includes regular risk assessments, third party risk provider reviews, and implementation of security measures such as encryption and firewalls, and ongoing monitoring of our systems for potential threats. We also engage with industry consultants to assist with our risk assessments.

 

On a regular basis, the technology steering committee, led by management, receives comprehensive reports summarizing cybersecurity threat monitoring and incident management activities. These reports also include details about remediation efforts to address identified threats and incidents. Additionally, both internal and external assessments of our company’s cybersecurity threat monitoring capabilities are shared with the committee. Meeting minutes from these committee sessions are diligently maintained and provided to the Board of Directors.

 

The Board of Directors has responsibility for approving and overseeing management’s policies related to information system security and cybersecurity threats and incidents. They also supervise management’s overall approach to securing the company’s information systems. The Board of Directors delegates the oversight of cybersecurity risk management to the Information Technology Committee of the Board.

 

The Information Technology Committee, in turn, reviews reports on our cybersecurity risk management processes. These reports cover assessments of management’s handling of cybersecurity threats and incident management functions. The committee receives periodic updates from the chief information officer, including information on social engineering risks, the effectiveness of cybersecurity training, and results from vulnerability and penetration assessments conducted both internally and by external parties. Audit reports related to information systems and cybersecurity threat monitoring are also part of this reporting process.