TRUSTCO BANK CORP N Y - (TRST)
10-K Filing Date: March 11, 2024
Cybersecurity
Cybersecurity Risk Management and Strategy
At TrustCo, we recognize the importance of information security practices designed to protect the confidentiality, integrity, and availability of company information and the personal information that our customers share with us. Using guidance set forth in our Enterprise Risk Management program, we have implemented an Information Security Program to lead and support the management of information security risks in accordance with our risk profile and business strategy. We utilize the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity Assessment Tool to benchmark these controls and procedures.
Our Information Security Program includes a number of components designed to identify, analyze, and respond to cybersecurity risks, including reliance on a layered system of preventative and detective technologies, controls, and policies designed to detect, mitigate, and contain cybersecurity threats. As part of our Information Security Program, we maintain an Information Security Policy that outlines internal controls and procedures designed to protect information systems. Information security program risk assessments and third-party attestations and assessments are conducted periodically by both internal and external resources. We leverage qualified third-party security assessors to identify vulnerabilities through both internal and external penetration tests and perform internal cybersecurity maturity assessments. In addition, our internal audit team conducts an information security and information technology audit on an annual basis. We are also subject to examinations by applicable regulators. We conduct annual cybersecurity awareness training for employees to enhance awareness of how to detect and respond to cybersecurity threats, as well as periodic phishing training campaigns. We also provide quarterly cybersecurity updates for our employees, and table-top exercises are conducted annually to simulate a response to a cybersecurity incident.
As part of our Information Security Program, TrustCo maintains a formal Third-Party Risk Management program that provides oversight of cybersecurity risks related to supplier relationships. During supplier onboarding, we perform risk-based due diligence for suppliers with access to confidential TrustCo information or that require technical integration with TrustCo systems. This program includes encryption and password requirements for our suppliers, as well as ongoing monitoring and assessment, and contract review.
Furthermore, we recognize the growing risk associated with highly sophisticated actors targeting corporations and maintain an Incident Response Plan, which is part of our broader business continuity planning. We have access through our insurer to computer forensics firms and specialized legal counsel in case of a cybersecurity incident. While we maintain cybersecurity insurance to assist in the cost of recovery from a cybersecurity incident, such coverage may not be sufficient to cover all costs resulting from such incidents.
To date, we have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, the sophistication of and risks from cybersecurity threats and incidents continue to increase, and the preventative actions that we have taken and continue to take to reduce the risk of cybersecurity threats and incidents and protect our systems and information may not successfully protect against all cybersecurity threats and incidents. For more information on the risks that we face from cybersecurity threats, see “Risk Factors - Risks Related to Cybersecurity, Third Parties, and Technology” in Part I, Item 1A of this report.
Cybersecurity Governance
The Board of Directors has overall responsibility for risk oversight and has delegated oversight of our cybersecurity program to both our Risk Committee and our Audit Committee. The Risk Committee directly oversees information technology and information security risks through regular reports from management on information technology, cybersecurity, and related risk assessments. The Risk Committee also receives annual reports on the Information Security Program and approves the Information Security Policy. In addition, the Audit Committee of the Board monitors internal audit’s coverage of cybersecurity governance, risks, and related controls, including any identified deficiencies from cybersecurity or other risks that could adversely affect the ability to record, process, summarize, and report financial data. The Risk Committee coordinates with the Audit Committee for review of information security matters, as needed. The Board also receives an annual update on the Company’s enterprise services, which includes both information technology and information security.
Our Information Security Program is run by our Senior Vice President, Chief Compliance Officer and Chief Information Security Officer (“CISO”), who reports to our Executive Vice President of Corporate Services and Risk (“EVP”). Our CISO is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from professionals in the information security team, through the use of technological tools and software, and through results from third-party audits. Our management-level IT Steering Committee meets on a monthly basis to discuss cybersecurity and related topics. Our CISO and EVP have extensive experience assessing and managing cybersecurity programs and cybersecurity risk. Our CISO has served in that position since 2013, is a Certified Information Security Manager, and has over 20 years of experience working at TrustCo. Our EVP, who has been an employee of TrustCo since 1986, has served in his role as Executive Vice President of Corporate Services and Risk at TrustCo since 2013. Our CISO and EVP report directly to the Risk Committee on our cybersecurity program and efforts to prevent, detect, mitigate, and remediate issues.