UWHARRIE CAPITAL CORP - (UWHR)
10-K Filing Date: March 06, 2024
Risk Management and Strategy
The Company recognizes the importance of a cybersecurity risk management program designed to assess, identify, and manage risk associated with cybersecurity threats. Our cybersecurity risk management program (the “Program”) is consistent with the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity Assessment Tool, which incorporates bank regulatory guidance and principles from the National Institute of Standards and Technology Cybersecurity Framework and includes the following risk-based principles:
Our Program is designed to adapt to an evolving landscape of emerging cybersecurity threats and advancing technology in order to determine the Company’s cybersecurity preparedness. Based on routine data gathering, emerging risks, internal incidents, technology investments and internal controls, our Program and overall cybersecurity risk strategy are adjusted as needed.
Our Program is supported by regular training of information security employees and awareness training and activities for executives, directors, and employees through which we communicate our cybersecurity policies, standards, processes and practices to foster a culture of cybersecurity risk management across the Company.
Integrated Risk Management
The Program is integrated into the Company’s enterprise risk management framework and functions to identify risk, form a strategy to manage risk, implement the strategy, test the implementation, and monitor our technology environment to control risk. Our information technology team works closely with stakeholders across security, risk, compliance, operations, other business stakeholders, and senior leadership to conduct an annual cybersecurity risk assessment utilizing the FFIEC Cybersecurity Assessment Tool.
Engagement of Third Parties in Connection with Risk Management
The Company engages various third parties to evaluate the effectiveness and maturity of our Program. The Company engages an independent third party to audit the cybersecurity risk strategy and preparedness. The Company also maintains cybersecurity insurance; however, the costs related to cybersecurity threats or disruptions may not be fully insured. The Company also engages third parties to perform regular penetration tests, vulnerability scans, disaster recovery tests and cyber exercises to simulate threat actor attacks. Our relationships with third parties enable us to leverage their cybersecurity expertise and industry knowledge to assess our Program and make adjustments as needed.
Oversight of Third-party Risks
Our third-party service providers, suppliers, and vendors face their own risks from cybersecurity threats that could impact the Company in certain circumstances. In response, we have implemented processes for overseeing and managing these risks. The processes include limiting the exposure of our information systems to external systems to the least practical amount, assessing the third parties’ information security practices before allowing them to access our information systems or data, requiring third parties to implement appropriate cybersecurity controls in our agreements with them, conducting ongoing monitoring of their compliance with those requirements, and requiring third parties to agree to contractual requirements designed to ensure cybersecurity concepts are appropriately addressed.
Risks from Cybersecurity Threats
As of the date of this report, we have not encountered any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.
Governance
Board of Directors Oversight
Our Board’s Audit Committee oversees cybersecurity risk.
Management's Role in Cybersecurity Risk Management
Given the important role of technology in the Company’s operations and customer service, the Company has established an Information Technology Steering Committee, which consists of our IT Manager, President and Chief Risk Officer, Chief Operations Officer, Chief Financial Officer, Mortgage Systems Administrator and Enterprise Risk Manager. The Information Technology Steering Committee reviews, monitors, aligns, and prioritizes all significant strategic information technology initiatives and security risks. The Information Technology Steering Committee reports to the Audit Committee, and minutes of the committee’s meetings are subsequently reported by the Audit Committee to the Company’s Board of Directors. Our IT Manager, in collaboration with our Enterprise Risk Manager, makes monthly/quarterly reports to the Information Technology Steering Committee. Such reports include updates related to key metrics, key risk indicators, key performance indicators, penetration test results, risk assessment results, project updates, incident reports, compliance matters, and operational issues.
Risk Management Personnel
The IT Manager has the primary responsibility for managing the Program to identify, assess, manage and control cybersecurity risk. The IT Manager reports directly to our Chief Operations Officer. Our IT Manager has approximately 20 years of experience in cybersecurity, information security risk management, identity and access management, security architecture, vulnerability management, threat intelligence, security operations and incident management and response.
Monitoring Cybersecurity Incidents
The IT Manager is continually informed of and monitors cybersecurity risks and incidents. In the event of a cybersecurity incident, the Company has developed an incident response plan to timely report cybersecurity incidents to our executive management team, the Audit Committee and Board of Directors, as necessary. In addition to facilitating timely evaluation, escalation and reporting of cybersecurity incidents, this plan also sets forth the process for identifying and assessing the severity of cybersecurity incidents, as well as monitoring post-incident mitigation and remediation.
Reporting to Board of Directors
The Audit Committee receives reports from the Chief Operations Officer, IT Manager or Enterprise Risk Manager and briefings on our information security and enterprise risk management programs at least quarterly, including the results of any external audits, bank regulatory examinations and evaluations, as well as maturity assessments of our information security program.