CITIZENS & NORTHERN CORP - (CZNC)

10-K Filing Date: March 11, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy - The Corporation’s cybersecurity risk management program is designed to assess, identify, and manage material risks from cybersecurity threats and is an integral part of the overall risk management program. Cybersecurity risk includes exposure to failures or interruptions of service or security breaches resulting from malicious technological attacks that impact the confidentiality, integrity, or availability of our or third parties’ operations, systems, or data. The Corporation assesses its cybersecurity procedures and controls on an ongoing basis, as safeguarding its systems and data is critical to its operations and business strategy.

The Corporation uses third-party vendors, including a managed security service provider, to assist in monitoring, detecting, and managing cyber threats. The Board of Directors has established risk management guidelines for third-party vendors. Further, the Corporation conducts due diligence reviews of third-party vendors before contracts or agreements for provision of services are signed and conducts ongoing due diligence and oversight procedures with the frequency of the procedures determined based on a risk assessment of the services provided. The Corporation generally has agreements in place with its service providers that include requirements related to cybersecurity and data privacy. Due diligence and oversight procedures may include, but are not limited to, reviews of financial information, internal control reports, business continuity and disaster recovery plans, and information security and cybersecurity policies and associated tests of effectiveness. The Corporation cannot guarantee, however, that such agreements, due diligence, and oversight procedures will prevent a cyber incident from impacting our systems or information. Additionally, the Corporation may not be able to obtain adequate or any reimbursement from its insurance coverage or from its service providers in the event it should suffer any such incidents. Due to applicable laws and regulations or contractual obligations, the Corporation may be held responsible for cyber incidents attributed to its service providers in relation to any data that the Corporation shares with them.

During 2023, the Corporation has not experienced a cybersecurity threat or incident that has materially affected or is reasonably likely to materially affect the Corporation, including its business strategy, results of consolidated operations or financial condition. Refer to the risk factor captioned “Cyber Security Risks and Technology Dependence” in Part I, Item 1A. “Risk Factors” for additional information.

Governance - The Board of Directors provides oversight of the risk management program and sets the Corporation’s cyber risk profile, which includes risks from cybersecurity threats, enterprise cyber strategy, and key cyber initiatives. The Board has appointed a Risk Management Committee, currently made up of five members of the Board, with governance and oversight of the Corporation’s enterprise-wide risk management program. The members of the Risk Management Committee collectively have years of business management and professional experience in the banking industry and other industries, including exposure to cyber risk management considerations. The Board also meets with our internal and external auditors, and federal and state regulators, to review and discuss reports on risk, examination, and regulatory compliance matters. In fulfilling its role, the Risk Management Committee is actively engaged with management regarding cybersecurity procedures and controls to manage and mitigate cybersecurity-related risks. Management provides at least quarterly information security reports to the Risk Management Committee, which in turn reports to the Board on its discussions and decisions. These reports to the Risk Management Committee address management’s efforts to monitor, detect, and prevent cyber threats. In addition, the Board of Directors is engaged, as needed, in accordance with the Incident Response Plan.

The Corporation has an information security program that is primarily managed by the Information Security Department, which is led by the Chief Risk Management Officer and the Director of Information Security and supported by the Information Technology Operations Department, which is led by the Chief Information Officer. The Information Security Department, under the Director of Information Security, is responsible for day-to-day management of the information security program, including system monitoring, vulnerability scans, employee security training including phishing exercises, security controls, and building strong relationships with security vendors. The Chief Risk Management Officer, the Chief Information Officer, the Director of Information Security, and the other members of the Information Security Department are qualified by years of experience, post-secondary education, industry certifications, and regular continuing education. A network penetration test and vulnerability assessment are performed at a minimum annually by a third-party vendor. The Information Security Committee is the management committee responsible for the oversight of the Information Security Program and is also responsible for policy development and information security risk assessment. This committee meets at least quarterly to discuss and review the information security program. The Information Security Program is updated at least annually, and the Board of Directors, with input from the Risk Management Committee, approves all material changes.

The Corporation has an Incident Response Plan that provides a documented guideline for handling potential threats and taking appropriate measures including timely notification and escalation to executive leadership and the Board of Directors. The Incident Response Plan is managed by the Incident Response Team which includes the Director of Information Security, Chief Risk Management Officer, Chief Information Officer, and other essential members of management. The Incident Response Plan is reviewed and tested at least annually.