ARROW FINANCIAL CORP - (AROW)

10-K Filing Date: March 11, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management & Strategy
Arrow’s cybersecurity risk management and data security program is an in-depth, layered, defensive approach that leverages people, processes and technology to manage and maintain cybersecurity controls. Arrow employs a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected advanced persistent cybersecurity threats. Our security framework involves processes for detection, identification, protection and response to a cybersecurity incident. Additionally, we are well prepared for recovery in the case of a cybersecurity incident with proper vendor support as well as backups both online and offline.
Arrow has implemented and regularly reviews and updates its internal controls and procedures as well as corporate governance policies and procedures intended to protect its business operations, including the security and privacy of the confidential information of its customers. Arrow also regularly assesses and tests its security systems and disaster preparedness, including the adequacy and functionality of its back-up systems. In addition, Arrow engages a variety of vendors to meet data processing and communication needs. Arrow communicates and works directly with all of our critical information technology ("IT") vendors to resolve issues and install releases. We perform business continuity plan testing on a periodic basis.
Arrow has not experienced, nor does it believe it is reasonably likely to experience, a material effect on the Company’s business strategy, results of operations or financial condition as a result of a significant compromise, significant data loss or any material financial losses related to cybersecurity incidents or other security problems.
Cybersecurity and the continued enhancement of Arrow's controls and processes to protect its systems, data and networks from cybersecurity incidents remain a priority to Arrow.

Governance
Arrow’s senior management regularly considers the impact of cybersecurity risks when developing its business strategy and financial planning. Arrow has various policies and procedures in place to mitigate cybersecurity risks and maintains a layered, defensive program to manage and maintain cybersecurity controls.
Arrow’s Board of Directors, Chief Information Officer, Director of IT and our enterprise risk management group all have a role in the cybersecurity risk management program.