ALERUS FINANCIAL CORP - (ALRS)
10-K Filing Date: March 08, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy. The Company relies extensively on various information systems and other electronic resources to operate its business. In addition, nearly all of the Company’s customers, service providers and other business partners on whom the Company depends, including the providers of the Company’s online banking, mobile banking and accounting systems, use these systems and their own electronic information systems. Any of these systems can be compromised, including by employees, customers and other individuals who are authorized to use them, and bad actors using a sophisticated and constantly evolving set of software, tools and strategies to do so. The nature of the Company’s business, as a financial services provider, and the Company’s relative size, make the Company and its business partners high-value targets for these bad actors to pursue. See “Item 1A. RISK FACTORS—Operational, Strategic and Reputational Risks”.
Accordingly, the Company has devoted significant resources to assessing, identifying and managing risks associated with cybersecurity threats, as noted below:
● Identifying and assessing cybersecurity threats: The Company regularly evaluates its systems and data for potential vulnerabilities and analyzes the evolving cyber threat landscape, to ensure it proactively addresses risks before they materialize. The Company employs monitoring tools that can detect and help respond to cybersecurity threats in real time.
● Integration with Overall Risk Management: Cybersecurity risks are seamlessly integrated into the Company’s broader risk management framework, ensuring a holistic view and prioritized mitigation strategies.
● Management of Third-Party Risk: The Company’s comprehensive third-party management process includes rigorous due diligence, oversight and identification of cybersecurity risks associated with vendors and service providers.
● Team: The Company has an internal cybersecurity team that is responsible for conducting regular assessments of its information systems, existing controls, vulnerabilities and potential improvements.
● Engagement of Expert Assistance: The Company leverages the expertise of independent consultants, legal advisors, and audit firms to evaluate the effectiveness of our risk management systems and address potential cybersecurity incidents efficiently.
● Training: The Company conducts periodic cybersecurity training for its workforce.
This information security program is a key part of the Company’s overall risk management system, which is administered by the Director of Information Security. The program includes administrative, technical and physical safeguards to help protect the security and confidentiality of customer records and information. These security and privacy policies and procedures are in effect across all of the Company’s businesses and geographic locations.
From time to time, the Company has identified cybersecurity threats and cybersecurity incidents that require the Company to make changes to its processes and to implement additional safeguards. While none of these identified threats or incidents have materially affected the Company, it is possible that threats and incidents the Company identifies in the future could have a material adverse effect on its business strategy, results of operations and financial condition.
Governance. The Company’s management team is responsible for the day-to-day management of cybersecurity risks it faces, including the Company’s Executive Vice President and Chief Technology Officer and Director of Information Security. The Company’s current Director of Information Security has over 28 years of experience. For the past 7 years, the Company’s Director of Information Security has successfully managed teams, implementing and maintaining robust cybersecurity and data protection controls to safeguard the Company’s information assets. The Company’s Director of Information Security reports directly to our Executive Vice President and Chief Technology Officer, who possesses extensive expertise gained through over 39 years in various IT and leadership roles. This combined experience ensures exceptional guidance and oversight of our cybersecurity program.
In addition, the Company’s Board of Directors, both as a whole and through its Risk Committee (the “Risk Committee”), is responsible for the oversight of risk management, including cybersecurity risks. In that role, the Company’s Board of Directors and the Risk Committee, with support from the Company’s cybersecurity advisors, are responsible for ensuring that the risk management processes designed and implemented by management are adequate and functioning as designed. To carry out those duties, both the Company’s Board of Directors and the Risk Committee receive quarterly reports from the Company’s management team regarding cybersecurity risks and the Company’s efforts to prevent, detect, mitigate and remediate any cybersecurity incidents.