PEAPACK GLADSTONE FINANCIAL CORP - (PGC)

10-K Filing Date: March 12, 2024
Item 1C. CYBERSECURITY

 

Risk Management and Strategy

 

Peapack-Gladstone Bank’s risk management program is designed to identify, assess, and mitigate risks across various aspects of the Company, including financial, operational, regulatory, reputational, and legal. Cybersecurity is a critical component of this program, given the increasing reliance on technology and the potential for cyber threats. Peapack-Gladstone Bank’s Information Security Officer is primarily responsible for cybersecurity and is a key member of the risk management organization, reporting directly to the Chief Risk Officer and, as discussed below, periodically to the Information Technology Steering Committee and Peapack-Gladstone Bank’s board of directors.

 

Our objective for managing cybersecurity risk is to avoid or minimize the impact of external threat events or other efforts to penetrate, disrupt or misuse Peapack-Gladstone Bank systems or information. The structure of our information security program is designed around the National Institute of Standards and Technology Cybersecurity Framework, regulatory guidance, and other industry standards. In addition, we leverage certain industry and government associations, third-party benchmarking, audits, and threat intelligence feeds to facilitate and promote program effectiveness. Peapack-Gladstone Bank’s Information Security Officer and Chief Information Officer, who reports directly to the Chief Operating Officer, along with other key members of their teams, regularly collaborate with peer banks, industry groups, and policymakers to discuss cybersecurity trends and issues and identify best practices. The information security program is periodically reviewed by such personnel with the goal of addressing changing threats and conditions.

 

We employ an in-depth, layered, defensive strategy that embraces a “trust by design” philosophy when designing new products, services, and technology. We leverage people, processes, and technology as part of Peapack-Gladstone Bank’s efforts to manage and maintain cybersecurity controls. We also employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. We have established processes and systems designed to mitigate cyber risk, including on-going education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests. We engage in regular assessments of Peapack-Gladstone Bank infrastructure, software systems, and network architecture, using internal cybersecurity experts and third-party specialists. We also maintain a third-party risk management program designed to identify, assess, and manage risks, including cybersecurity risks, associated with external service providers and Peapack-Gladstone Bank’s supply chain. We also actively monitor our email gateways for malicious phishing e-mail campaigns and monitor remote connections as a significant portion of Peapack-Gladstone Bank’s workforce has the option to work remotely. We leverage internal and external auditors and independent external partners to periodically review our processes, systems, and controls, including with respect to Peapack-Gladstone Bank’s information security program, to assess their design and operating effectiveness and make recommendations to strengthen the Bank’s risk management program.

 



 

We maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification of and escalation to the Bank’s Information Technology Steering Committee as well as the board of directors. The Incident Response Plan is coordinated through the Information Security Officer and key members of management are embedded into the Plan by its design. The Incident Response Plan facilitates coordination across multiple parts of Peapack-Gladstone Bank’s organization and is evaluated at least annually.

 

Notwithstanding our defensive measures and processes, the threat posed by cyber-attacks is severe. Peapack-Gladstone Bank’s internal systems, processes, and controls are designed to mitigate loss from cyber-attacks and, while we have experienced cybersecurity incidents in the past, to date, risks from cybersecurity threats have not materially affected the Company, including its business strategy, results of operations, or financial condition.

 

Governance

 

Peapack-Gladstone Bank’s Chief Information Officer, Chief Technology Officer, and Information Security Officer are accountable for managing and ensuring compliance with the Bank’s information security program. Included in the responsibilities of this management team is the oversight and the administration of the cybersecurity risk assessment, defense operations, incident response, vulnerability assessment, threat intelligence, identity access governance, third-party risk management, and business resilience.

 

Peapack-Gladstone Bank’s board of directors has approved management committees including the Information Technology Steering Committee, which focuses on technology and cyber-related business impact. This committee provides oversight and governance of the technology program and the information security program. The committee is chaired by managers within the enterprise information technology department and includes the Chief Information Officer, Chief Technology Officer, and Information Security Officer. The committee meets quarterly to provide oversight of the risk management strategy, standards, policies, practices, controls, and mitigation and prevention efforts employed to manage security risks. More frequent meetings may occur to facilitate timely informing and monitoring efforts. The Information Security Officer reports summaries of key issues, including significant cybersecurity and/or privacy incidents, discussed at committee meetings and the actions taken to the Bank’s board of directors.

 

The Bank’s board of directors is responsible for overseeing Peapack-Gladstone Bank’s information security and technology programs, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. Peapack-Gladstone Bank’s Information Security Officer, Chief Information Officer, and Chief Technology Officer provide reports to the Bank’s board of directors regarding the information security program, technology program, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes. The board of directors reviews and approves Peapack-Gladstone Bank’s information security program, technology budgets, and strategies annually.