BAR HARBOR BANKSHARES - (BHB)
10-K Filing Date: March 11, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity threats, including crimes committed through or involving the internet, pose a risk to the Company. Examples of such threats are malware, phishing, hacking, denial of service attacks, theft of information, and unauthorized intrusions into internal systems or the systems of third-party vendors, any of which could adversely impact operations or damage reputations.
We utilize third-party service providers to support and facilitate business and operational activities in pursuit of our strategic goals. However, third parties may expose us and our customers to various risks. We have implemented a Vendor Risk Management (“VRM”) framework, which provides the tools and practices used in the oversight of third-party service providers, with the objective of meeting legal and regulatory obligations, contractual requirements, performance expectations, and our own principles and values. For the 2023 period, there were no material incidents affecting the VRM framework or controls.
We have developed cybersecurity and data privacy programs designed to enable and safeguard the confidentiality, integrity and availability of our information systems and data by providing proactive security expertise and risk assessments, creating and maintaining a resilient and secure environment, and fostering a culture of security awareness and compliance throughout our organization. We maintain a robust Information Security Program that sets forth our commitment to the continual review and improvement of policies, processes, procedures, and standards for evaluating electronic and physical methods of accessing, collecting, storing, using, transmitting, disposing of, and protecting sensitive information, including customer information under guidelines established as part of the Gramm-Leach-Bliley Act (GLBA).
The Bank manages cybersecurity threats proactively and maintains robust controls to protect its critical systems and data by investing in secure, reliable and resilient technology infrastructure, fostering a culture of technology risk awareness and continuously improving its technology risk management practices. Our process for monitoring and mitigating cybersecurity risk is designed in conjunction with our overall Risk Management Policy and Information Security Program. One of the key aspects of these programs is a set of risk assessments that are used to identify industry and company-specific risks, measure control effectiveness, identify any gaps that need to be addressed, and link our controls with applicable policies, standards and guidelines so that responsible parties are aware of their obligations with respect to this program. Annually, we engage a third party to perform penetration testing and ongoing analysis to identify potential vulnerabilities and areas for additional enhancement, as well as a full-scope independent audit of IT and Information Security processes.
All of our employees also have a responsibility to protect the privacy of Company and Bank confidential and proprietary information. They are required to undergo periodic information security awareness training to ensure a clear understanding of their roles in protecting information assets and to create a security-minded culture. Additionally, the Company carries out regular phishing simulation tests throughout the year to keep employees alert, spread awareness, and ensure that employees have the knowledge and resources necessary to report suspicious activity.
The management of cybersecurity risks is ultimately the responsibility of Company management and is governed by the Board. They devote significant time and attention to the oversight of cybersecurity and information security risks. The Board, through its BRC, reviews monthly information technology, Information Security and Vendor Management reports that highlight key areas of focus and risk. The Board also annually reviews and approves the Information Security Program, the central program outlining cybersecurity processes and controls, and frequently receives presentations on and discusses cybersecurity and information security risks, industry trends and best practices.
We are subject to extensive federal and state regulation of customer privacy and the security of financial information. Our federal regulator, the FDIC, is part of the Federal Financial Institutions Examination Council (FFIEC), which publishes extensive guidelines and examination procedures that are used to review the security of financial institutions.
To date, we have not experienced a cybersecurity incident or data breach that has materially affected us or our business strategy, results of operations, or financial condition.