AMES NATIONAL CORP - (ATLO)

10-K Filing Date: March 08, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

Our information security program includes administrative, technical and physical safeguards and is designed to provide an appropriate level of protection to maintain the confidentiality, integrity and availability of our Company’s and our customers’ information. This includes protecting against known and evolving threats to the security of customer records and information, and against unauthorized access, compromise, or loss of customer records or information.

Our information security program is designed to continuously adapt to an evolving landscape of emerging threats and available technology. Through data gathering and evaluation of emerging threats from internal and external incidents and technology investments, security controls are regularly monitored and adjusted on an as needed basis. We have developed a data security strategy that is integrated within our overall risk management strategy and implemented through layers of controls embedded throughout our technology environment that establish multiple control points between threats and our assets. We test the effectiveness of our controls and data protection processes through internal and independent external audits and assessments, including regular penetration tests, vulnerability scans, disaster recovery tests and cyber exercises to simulate hacker attacks. Our information security program is supported by regular training of information technology employees and awareness training and activities for executives, directors, and employees companywide through which we communicate our information security policies, standards, processes and practices.

Further, our information security program is designed to provide oversight of third parties who store, process or have access to sensitive Company or customer data, and we require similar levels of protection from third-party service providers as are required for the Company. We maintain supplier risk assessment processes to identify risks associated with third-party service providers.

We employ business continuity, backup and disaster recovery procedures for systems that are used for storing, processing and transferring customer information, and we periodically test our disaster recovery plans to validate our resilience capabilities. Additionally, we maintain insurance coverage that, subject to applicable terms and conditions, may cover certain aspects of cybersecurity and information risks. However, there can be no assurance that liabilities or losses we may incur will be covered under such policies or that the amount of insurance will be adequate.

Our information security program is designed and managed to be consistent with the framework and guidelines of the FFIEC Information Security IT Examination Handbook, FFIEC Business Continuity Planning Handbook and FFIEC Cybersecurity Assessment Tool. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on confidentiality, security and availability of the information that the Company collects and stores by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cyber threats when they occur. Along with periodically being examined by our regulators, the Company regularly engages external experts to audit, evaluate and validate our controls against these standard frameworks, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these examinations, audits and evaluations.

Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company to date. While we are not currently aware of any cybersecurity threats that are reasonably likely to materially affect the Company, there is no assurance that we will not be materially affected by such threats in the future. For additional information on our risks related to cybersecurity, see Item 1A, Risk Factors—Operational Risks.

Governance

Our Board of Directors and executive officers are responsible for oversight of our information technology framework, including cybersecurity, information security, information technology and business continuity. The Chief Information Officer (“CIO”) and other members of senior management report to the Board of Directors and executive officers at least annually and on an as needed basis. In the event of an immediate cyber threat to our business operations, the CIO would promptly initiate the Company’s incident response plan including notifying executive officers, Board of Directors and regulators.

While our Board of Directors provides oversight of our information technology environment, the ultimate responsibility for our processes for identifying, assessing and managing cybersecurity risks resides with management. The CIO, with assistance from internal and external resources, is responsible for implementing the program, providing oversight to our organization and maintaining the appropriate level of expertise to manage and implement cybersecurity policies, programs and strategies. The CIO has served for over 30 years in information technology and various roles within the Company.