FNCB Bancorp, Inc. - (FNCB)

10-K Filing Date: March 08, 2024
Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy


Cybersecurity risks are constantly evolving and becoming increasingly pervasive across all industries. To mitigate these risks and protect sensitive customer data, financial transactions and its information systems, FNCB has implemented a comprehensive cybersecurity risk management program, which is a component of its overarching Information Security Program. Key components of the Information Security Program include:

  Information Security Risk Assessment. An information security risk assessment is a process designed to identify and assess new and existing threats, vulnerabilities, attacks, probabilities of occurrence and outcomes;
  Information Security Strategy. The information security strategy, which is updated by management and reviewed and approved by the board of directors annually, seeks to mitigate risk by integrating technology with robust policies, procedures and training;
  Security Controls Implementation. Implementing security controls is a company-wide process that ensures that the acquisition, deployment and operation of technology include risk-appropriate controls, through the assignment of specific duties and responsibilities to management and staff;
  Security Controls Training. Training is provided for managers and staff to ensure that all parties understand their responsibilities and have the knowledge and skills necessary to fulfill their duties. Training also includes an awareness program that keeps employees informed about cybersecurity threats and how to safely use electronic platforms such as email, the internet and cloud-based environments;
  Security Monitoring. Security monitoring utilizes various methodologies, including the use of third-party services as necessary, to gain assurance that risks are appropriately assessed and mitigated, and to verify that significant controls are effective and performing as intended;
  Security Process Updating. This updating process is a continuous system of gathering and analyzing information regarding new threats and vulnerabilities and actual attacks on FNCB or others, combined with an evaluation of the effectiveness of the existing security controls that are maintained. Through monitoring and updating, the information security program becomes a continuous process rather than a one-time event; and
  Incident Response Plan. The incident response plan, which is modeled after the framework established by the National Institute of Standards and Technology, outlines the steps FNCB will take to respond to a cybersecurity incident. The incident response plan is tested on a periodic basis.

FNCB engages reputable third-party assessors to conduct various independent risk assessments on a regular basis, including but not limited to, maturity assessments and various tests. FNCB leverages both in-house resources and third-party service providers to implement and maintain processes and controls to manage and mitigate any identified risks.

FNCB has a Vendor Risk Management Program that is designed to ensure that vendors providing services to FNCB meet its cybersecurity requirements. This includes conducting periodic risk assessments of vendors, requiring vendors to implement appropriate cybersecurity controls and monitoring vendor compliance with FNCB's cybersecurity requirements.

FNCB's cybersecurity risk management program and strategy are designed to ensure that FNCB's information and information systems are appropriately protected from a variety of threats, both natural and man-made. Periodic risk assessments are performed to validate control requirements and ensure that FNCB's information is protected at a level commensurate with its sensitivity, value and criticality. Preventative and detective security controls are employed on all media where information is stored, the systems that process it, and the infrastructure components that facilitate its transmission, in order to ensure the confidentiality, integrity and availability of FNCB's information. These controls include, but are not limited to, access control, data encryption, data loss prevention, incident response, security monitoring, third-party risk management and vulnerability management.

FNCB's cybersecurity risk management program and strategy are regularly reviewed and updated to ensure that they are aligned with FNCB's business objectives and are designed to address evolving cybersecurity threats and satisfy regulatory requirements and industry standards.

Material Effects of Cybersecurity Threats

While cybersecurity risks have the potential to materially affect FNCB's business, financial condition and results of operations, FNCB does not believe that risks from cybersecurity threats or attacks, including as a result of any previous cybersecurity incidents, have had a material effect on FNCB, including its business strategy, results of operations or financial condition. However, the sophistication of cyber threats continues to increase and evolve, and FNCB's cybersecurity risk management and strategy may be insufficient or may not be successful in protecting against all cyber incidents. Accordingly, no matter how well designed or implemented FNCB's controls are, it will not be able to anticipate all cybersecurity breaches, and it may not be able to implement effective preventive measures against such security breaches in a timely manner. For more information on how cybersecurity risk may materially affect FNCB's business strategy, results of operations or financial condition, refer to Part I, Item 1A. "Risk Factors" of this Annual Report on Form 10-K.

Governance

Board of Directors Oversight

FNCB's Board of Directors is charged with overseeing the establishment and execution of FNCB's risk management framework and monitoring adherence to related policies required by applicable statutes, regulations and principles of safety and soundness. Consistent with this responsibility, the Board has delegated primary oversight responsibility for FNCB's risk management framework, including oversight of cybersecurity risk and cybersecurity risk management, to the Risk Management Committee of the Board of Directors. The Risk Management Committee has appointed the Executive Vice President and General Counsel, who serves as the Chairperson of FNCB's Enterprise Risk Management ("ERM") Committee, as the principal management-level designee for oversight of its risk management. Additionally, the Executive Vice President and Chief Financial Officer oversees FNCB's Technology Services Division. The Board of Directors receives regular updates on cybersecurity risks and incidents and on the cybersecurity program through direct interaction with either of these two individuals, who provide periodic updates regarding cybersecurity risks and the cybersecurity program. Additionally, awareness and training on cybersecurity topics is provided to the Board on an annual basis.

Management's Role

FNCB has an Information Technology Advisory Committee ("ITAC") that is responsible for implementing and maintaining its Information Security Program. Certain members of the IT Oversight Committee, a sub-committee of ITAC, have been designated collectively as FNCB's Information Security Officer. These members include the Senior Vice President and Physical Security Officer, who serves as Chairperson, the Executive Vice President and Chief Financial Officer and certain Technology Services Division personnel. The primary responsibility of the IT Oversight Committee, which meets monthly, is to ensure that information technology initiatives meet FNCB's cybersecurity objectives and are implemented securely, in a timely manner and transparently, and to ensure the protection of electronic and physical information through the identification and management of risk activities. As a governance and oversight function, the ITAC meets quarterly and measures and reports on the quality of information and cyber risk management across all functional areas of FNCB. The Executive Vice President and Chief Financial Officer presents information related to FNCB's Information Security Program to the Board of Directors at regular monthly meetings. Any breach or incident would be reported through ITAC, then the ERM Committee and then to the Board of Directors. The IT Oversight Committee makes a formal presentation to the Board of Directors on FNCB's Information Security Program at least annually.