CNB FINANCIAL CORP/PA - (CCNE)
10-K Filing Date: March 07, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
The Corporation maintains robust processes for assessing, identifying, and managing material risks from cybersecurity threats. The Corporation’s cybersecurity program is based on the Federal Financial Institutions Examination Council (“FFIEC”) framework, which tailors the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework to be more financial services focused. The risk of cybersecurity threats is integrated into its Enterprise Risk Management (“ERM”) program, led by the Corporation’s Chief Risk Officer. The ERM program includes an annual risk prioritization process to identify key enterprise risks. Each key risk is assigned a risk owner to establish action plans and implement risk mitigation strategies. The cybersecurity threat risk action plan is managed at the enterprise level by the Chief Information Technology & Security Officer (the “CITSO”), the VP of Information Technology, and the VP of Information Security. Each quarter, the risk owners review and update the cybersecurity threat risk action plan to provide the status of specific risk mitigation actions and to identify new threats. To oversee and identify cybersecurity threat risks on a day-to-day basis, including from third-party service providers, the Corporation maintains a third-party security operations center with round-the-clock monitoring, and the CITSO receives regular reports on industry activity. Management also assesses the cybersecurity proficiency of potential third-party suppliers before utilizing their services. The assessment identifies cybersecurity-related risks and makes recommendations to enhance the security of all new computing services. The Corporation reassesses all suppliers at a regular interval.
The Corporation works closely with its internal auditors to assess, identify, and manage cybersecurity risks. In addition, the Corporation engages with third-party cybersecurity specialists to provide an independent assessment of the Corporation’s cybersecurity programs and to prepare a 3-year plan to maintain compliance and operational excellence. Management periodically reviews the 3-year plan and modifies it in response to changes in the threat landscape or otherwise as needed. Management has not identified risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Corporation, including its business strategy, results of operations or financial condition. See “Item 1A. Risk Factors” above for more information.
Governance
The Board of Directors is responsible for overseeing the assessment and management of enterprise-level risks that may impact the Corporation. The Audit Committee has primary responsibility for overseeing risk management, including oversight of risks from cybersecurity threats. Management, including the CITSO, reports on cybersecurity matters regularly to the Board, primarily through the Audit and IT Committees, including an annual report regarding specific risks and mitigation efforts within the Bank and a 3-year cybersecurity threat assessment conducted by third-party experts. Management provides benchmarking information and updates on key operational and compliance metrics to the Board. In addition, cybersecurity training is provided to the full Board of Directors to educate directors on the current cyber threat environment and the measures companies can take to mitigate the risk and impact of cyber attacks.
The Corporation maintains a Cybersecurity Incident Response Plan (the “CSIRP”), which establishes an organizational framework and guidelines intended to facilitate an effective response to and handling of cybersecurity incidents that could jeopardize the availability, integrity, or confidentiality of the Corporation’s assets. The CSIRP outlines roles and responsibilities, criteria for measuring the severity of a cybersecurity incident, and an escalation framework, including processes for informing the General Counsel and the Board of Directors of material cybersecurity incidents. As described above, management is actively involved in assessing and managing the Bank’s material cybersecurity risks. The CITSO and the VP of Information Security primarily lead these efforts. The CITSO, who reports directly to the CEO, is responsible for the oversight of the Corporation’s IT operation, including the cybersecurity program, and holds a Bachelor of Science degree in Information Technology and Security and a Master of Science in Information Security and Assurance. He also holds 20 industry-recognized Technology and Security certifications. The VP of Information Security reports directly to the CITSO and has responsibility for leadership of the Bank’s cybersecurity program. He holds a bachelor’s degree in mathematics and computer science, as well as several industry-recognized information security certifications.