CITIZENS FINANCIAL SERVICES INC - (CZFS)

10-K Filing Date: March 07, 2024
ITEM 1C – CYBERSECURITY
 
Risk Management and Strategy
 
Cybersecurity is a critical component of our risk management program, given the increasing reliance on technology and the potential for cyber threats. Our Information Security Officer is primarily responsible for the cybersecurity/information security program. The Information Security Officer reports directly to the Chief Operations Officer, and periodically reports to the Audit and Examination Committee of our board of directors.
 
Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse our systems or information. The structure of our information security program is designed around regulatory guidance and related industry standards. In addition, we leverage various cyber-related associations, threat intelligence feeds, and audits to facilitate and promote program effectiveness. The information security program is periodically reviewed by the Information Security Officer in collaboration with information technology management with the goal of addressing changing threats and conditions.
 
We employ a layered defensive strategy when designing our cybersecurity controls. We leverage people, processes, and technology as part of our efforts to manage and maintain cybersecurity controls. We employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected threats. We have established processes and systems designed to mitigate cyber risk, including regular and on-going education and training for employees, preparedness simulations, and tabletop exercises. We engage in regular monitoring and assessments of our technology infrastructure using internal staff and third-party specialists. We conduct ongoing social engineering testing and training across our entire employee base. We maintain a vendor management program designed to identify, assess, and manage risks, including cybersecurity risks, associated with external service providers and our supply chain. Our independent auditors periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and make recommendations to strengthen our risk management program.
 
We maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including engagement of appropriate third parties such as insurance providers and incident response professionals, and timely reporting to our CEO and Board of Directors as appropriate. The Incident Response Plan is coordinated by the Information Security Officer and key members of management are embedded into the Plan by its design. The Incident Response Plan facilitates coordination across multiple areas of our organization and is evaluated at least annually.
 
Notwithstanding our defensive measures and processes, the threat posed by cyber-attacks is always present. Our internal systems, processes, and controls are designed to mitigate loss from cyber-attacks. While we have experienced cybersecurity incidents in the past, risks from cybersecurity threats have not materially affected our company to date. For further discussion of risks from cybersecurity threats, see the section captioned “We are subject to certain risks in connection with our use of technology” in Item 1A. Risk Factors.
 
Governance
 
Our Information Security Officer is responsible for managing our information security program, inclusive of cybersecurity risk assessment, incident response, vulnerability assessment, threat intelligence, identity access governance, third-party risk management, and business continuity. Some of these responsibilities are carried out in collaboration with other internal departments, such as the information technology department. In any case, the Information Security Officer provides guidance, oversight, and monitoring of the information security program, and acts in an independent role, reporting directly to the Chief Operations Officer and subsequently to the Audit and Examination Committee of the board of directors. Our Information Security Officer has extensive bank operations experience, has attained the Certified Banking Security Manager certification within the banking industry, and attends relevant cybersecurity training sessions on a regular basis. Our information technology department consists of technology professionals with varying degrees of education and experience. Our information technology management team has significant technology and operational experience, including experience in mitigating and responding to cybersecurity threats.
 
The Audit and Examination Committee of our board of directors is responsible for overseeing our information and cybersecurity risk management program, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. Our Information Security Officer provides quarterly reports to the Audit and Examination Committee of our board of directors regarding the information security program, cybersecurity and/or privacy incidents, key cybersecurity initiatives, and other matters relating to cybersecurity processes. These reports may occur more frequently if a significant issue or incident is being addressed.