First Bancorp, Inc /ME/ - (FNLC)
10-K Filing Date: March 08, 2024
ITEM 1C. Cybersecurity
Risk Management & Strategy: The Company is committed to maintaining strong and meaningful privacy and security protections for our customers’ information by making available sufficient human and financial resources to protect against and monitor cybersecurity threats. These threats have increased as the use of technology has proliferated in our core business. Examples include internet banking, mobile banking, remote deposit capture, work-from-home accommodations, and advanced-function ATMs.
The Company has programs in place for the ongoing assessment of cybersecurity threats and risks, has data security programs designed to prevent and detect threats, attacks, incursions and breaches, and processes in place for the management, mitigation and remediation of potential, and any actual, cybersecurity and information technology risks and breaches. The Company maintains a robust vendor management program to oversee and identify material risks stemming from third-party service providers. Information technology staff regularly participate in relevant education opportunities and attend industry events that include cybersecurity matters. The Bank is a member of the Financial Services Information Sharing and Analysis Center (FS-ISAC) and is a participant in the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool. Information security training is required for all employees no less than annually.
To assist with its information security programs, the Company engages with multiple third-party providers and specialists, including firms with personnel credentialed by internationally recognized organizations such as ISC2, the SANS Institute, and ISACA. Services provided include but are not limited to network evaluations, configuration and vulnerability assessments, penetration testing, and business continuity planning, the results of which are shared with management along with any remediation plans. In addition, an annual information systems and security audit is conducted by the Company's internal audit provider with results reported to the Audit Committee of the Board. Information security matters also fall within the scope of periodic examinations by the Bank's primary regulator, the Office of the Comptroller of the Currency (OCC).
Included in our mitigation strategy is a comprehensive cybersecurity insurance policy. The Board and Management recognize that cybersecurity matters, including expenditure related threats and the impact of incursions or breaches, may trigger disclosure requirements under SEC rules and regulations, and intend to remain vigilant with respect to the cybersecurity aspects of these obligations.
Neither the Bank nor the Company has experienced any information security breaches of its systems in the past five years. Based on the information available as of the date of this Annual Report on Form 10-K, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, despite our cybersecurity risk management processes, there can be no assurance that we, or the third parties with which we interact, will not experience a cybersecurity incident in the future that may materially affect us. For additional information, see Item 1A. “Risk Factors” for a discussion of cybersecurity risks that we face.
Governance: Our Board has overall oversight responsibility with respect to the Company’s approach to risk management, including cybersecurity risks. Although the Board has the ultimate responsibility for risk oversight, operational responsibility for cybersecurity matters is delegated to the Chief Information Officer (CIO) who oversees all technology needs of the Company, including the assessment and management of material risks from cybersecurity threats. The CIO has over thirty years of experience in bank operations including network security and cybersecurity matters. The Bank employs a full-time Cybersecurity Analyst (CA) who brings over twenty-five years of information technology and network security experience to the role. In addition, we have various management- and Board-level committees that also oversee risk to the extent it relates to the committee’s responsibilities and provide reports to the Board in their respective areas of responsibility. Information security matters are a standing topic for the Management-only Technology Steering Committee (TSC) where membership includes the CIO, CA and other senior level managers, and the Management-Board level Enterprise Risk Management (ERM) Committee where membership includes the CIO, senior level managers, and a representative from the Board. Minutes from each ERM session are reported to the Audit Committee of the Board, and the CIO provides information security updates at each meeting of the Board.