FIRST OF LONG ISLAND CORP - (FLIC)
10-K Filing Date: March 08, 2024
Our risk management program is designed to identify, assess, and mitigate risks across various aspects of our company, including but not limited to the following risks: operational, regulatory compliance, reputational, strategic, information technology, data security and privacy, and market risks such as interest rate, credit, liquidity and price risks. Cybersecurity is a critical component of this program, given the increasing reliance on technology and the potential for cyber threats. Our Board of Directors is responsible for risk oversight over all significant risks facing the Corporation and fulfills this responsibility mainly through its committees. While our Board of Directors takes an oversight role in cybersecurity risk tolerance, we rely to a large degree on management and outside consultants in overseeing cybersecurity risk management. Our Director of Information Security, who reports directly to our Chief Information Officer, is primarily responsible for this cybersecurity component and is a member of management's Operational Risk and IT Steering Committees, and regularly attends and presents to the Risk Committee of our Board of Directors ("Risk Committee").
Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse our systems or information. The structure of our information security program is designed around regulatory guidance and other industry standards. In addition, we leverage certain industry and government associations, audits, and threat intelligence feeds to facilitate and promote program effectiveness.
We leverage people, processes, and technology as part of our efforts to manage and maintain cybersecurity controls. We also employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. We have established processes and systems designed to mitigate cyber risk, including regular and ongoing education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests. We engage in regular assessments of our infrastructure, software systems, and network architecture, using internal and third-party specialists. We also maintain a third-party risk management program designed to identify, assess, and manage risks, including cybersecurity risks, associated with external service providers. We also actively monitor our email gateways for malicious phishing email campaigns and monitor remote connections, as a significant portion of our workforce has the ability to work remotely. We leverage internal and external auditors and independent external partners to periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and make recommendations to strengthen our risk management program.
We maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including notification of and escalation to the appropriate team members as well as executive management and the Board of Directors. The Incident Response Plan is coordinated through the Director of Information Security and key members of management. The Incident Response Plan facilitates coordination across multiple departments and is evaluated at least annually.
Notwithstanding our defensive measures and processes, the threat posed by cyberattacks is severe. Our internal systems, processes, and controls are designed to mitigate loss from cyberattacks. To date, the Corporation has not, to its knowledge, experienced an incident materially affecting or reasonably likely to materially affect the Corporation.
The Director of Information Security provides information security updates to the IT Steering Committee and the Risk Committee. Cybersecurity metrics are reported to the IT Steering Committee monthly and to the Risk Committee on a quarterly basis. Security training is provided to all staff through targeted training overseen by the Director of Information Security. All Board members receive cybersecurity training annually.
The Board of Directors recognizes the importance of the Interagency Guidelines Establishing Standards for Safeguarding Customer Information and has incorporated those elements in its ongoing oversight of the Information Security Program. At least annually, the Director of Information Security and the Chief Risk Officer report to the Risk Committee the overall status of the Information Security Program. Any material findings related to the risk assessment, risk management and control decisions, service provider arrangements, results of testing, security breaches or violations are discussed as are management’s responses and any recommendations for program changes.