PENNS WOODS BANCORP INC - (PWOD)
10-K Filing Date: March 13, 2024
ITEM 1C CYBERSECURITY RISK MANAGEMENT, STRATEGY AND GOVERNANCE
The Corporation maintains comprehensive and continually evolving processes for assessing, identifying, and managing material risks from cybersecurity threats, including any potential unauthorized occurrence on, or conducted through, the Corporation’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of such systems or any information residing on such systems. The processes relating to cybersecurity threats are integrated into the Corporation’s overall risk management processes, which are overseen by the entire board of directors and not delegated to any committee or subcommittee of the board.
As part of the Corporation’s overall risk management processes, the board of directors has established both a senior management Risk Management Committee and a separate senior management Information Technology Steering Committee. Each of these Committees meets regularly and consists of the Corporation’s senior management department heads, plus the Chief Executive Officer and the President and Chief Financial Officer of the Corporation (each of whom also serves as a director of the Corporation). The Information Technology Steering Committee reports directly to the board of directors, with the Corporation’s Chief Information Officer (“CIO”) presenting to the board a detailed report on information systems and cybersecurity matters at least once annually. The board of directors also receives and reviews copies of minutes of all meetings of both the Risk Management Committee and the Information Technology Steering Committee.
The Corporation’s information technology resources are managed by a separate Information Technology Department, which is responsible for identifying, assessing, and managing material risks from cybersecurity threats. The Information Technology Department is managed by the CIO, who reports to the Corporation’s President and Chief Financial Officer. The present CIO has been employed by the Corporation in the information technology area for twenty-eight years and holds an undergraduate degree in computer science. The Information Technology Department also employs a separate Information Security Officer (“ISO”), whose responsibilities include security relating to the Corporation’s information systems. The present ISO is a Certified Information Systems Security Professional and also a Certified Fraud Examiner. The ISO reports directly to the Information Technology Steering Committee and to the Chief Risk Officer. The ISO, among other duties, supervises internal employee training relating to cybersecurity risks, conducts access reviews relating to the Corporation’s information systems, and monitors implemented checks and balances relating to access to information. Information relating to cybersecurity risks and cybersecurity incidents, if any, is reported by the CIO and the ISO to both the Risk Management Committee and to the Information Technology Steering Committee, each of which Committees includes the Chief Executive Officer and the President and Chief Financial Officer who are also directors of the Corporation.
The Corporation maintains an Incident Response Plan that provides documented guidelines for handling potential threats and taking appropriate measures including timely notification of cybersecurity threats and incidents to senior management and the board of directors when appropriate. The Incident Response Plan is managed by the Information Technology Department, including the ISO, and is reviewed and tested at least annually.
The Corporation uses third-party vendors to assist in monitoring, detecting, and managing cyber threats, including managed security service monitoring, penetration testing and vulnerability assessment. The Risk Management Committee has established risk management guidelines for third-party vendors. The Corporation conducts due diligence reviews of third-party vendors before contracts or agreements for provision of services are signed and conducts ongoing due diligence and oversight procedures with the frequency of the procedures determined based on a risk assessment of the services provided. Generally, the Corporation’s agreements with service providers include requirements related to cybersecurity and data privacy. All such agreements are reviewed at least annually. The Corporation cannot guarantee, however, that such agreements, due diligence, and oversight procedures will prevent a cybersecurity incident from impacting information systems. Moreover, as a result of applicable laws and regulations or applicable contractual provisions, the Corporation may be held responsible for cybersecurity incidents attributed to its service providers in relation to any data that the Corporation shares with such providers.
To date, the Corporation has not experienced any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Corporation, including its business strategy, results of operations, or financial condition. As discussed under “Risk Factors” in Item 1A, however, the sophistication of cybersecurity threats continues to increase, and the preventative actions taken by the Corporation to reduce the risk of cybersecurity threats or incidents may not be sufficient in a particular circumstance. Accordingly, the Corporation may not be able to anticipate all cybersecurity breaches no matter how well designed or implemented the Corporation’s cybersecurity controls and procedures are, and the Corporation may not be able to implement effective preventive measures against such security breaches in a timely manner.