Citizens Community Bancorp Inc. - (CZWI)

10-K Filing Date: March 05, 2024
ITEM 1C. CYBERSECURITY
We maintain an information security program and governance framework that are designed to protect our information systems against operational risks related to cybersecurity.
Risk Management and Strategy
Cyber risk management is a critical component of our risk management framework. Processes for assessing, identifying, and managing material risks arising from cybersecurity threats are integrated in our policies and procedures, including our enterprise risk appetite, risk assessment, risk treatment, risk acceptance or exceptions, and third party risk management policies.
Our cybersecurity program (“Cybersecurity Program”) provides a framework for compliance with applicable cybersecurity and data protection laws. Our program is designed to ensure the security and confidentiality of customer information, protect against known or evolving threats to the security or integrity of customer records and personal information, and protect against unauthorized access to or use of such information. We work with our regulators to ensure that these policies are adequately designed to appropriately safeguard personal information. We use a variety of processes and technologies to monitor for and identify cybersecurity threats, including vulnerability scans, endpoint and network monitoring software, and email scanning software. We also have a Cyber Incident Response Policy and detailed plans. We conduct annual cybersecurity risk assessments, which drive strategic decisions. Employees are required to abide by our cybersecurity and data protection policies. We maintain a corporate cyber risk insurance policy as part of our cybersecurity risk strategy that is reviewed annually.
To date, the Company has not experienced a material cybersecurity incident.
Governance
Cybersecurity and data protection are important for the Company to maintain the trust of our customers, team members and stakeholders. Overseen by the Board of Directors and its Risk Committee, we regularly review, and as appropriate, adapt our Cybersecurity Program to an evolving landscape of emerging threats, evaluate effectiveness of key security controls, and assess cybersecurity best practices.
The Chief Information Security Officer (“CISO”) and the Chief Technology Officer (“CTO”) are key management roles responsible for assessing and managing material risks from cybersecurity threats. The CISO reports to the Risk Committee and is responsible for implementing and maintaining our enterprise cybersecurity organization. The CISO will maintain an Incident Response Plan. The CISO ensures that the Incident Response Plan is tested annually and will present testing results to the Risk Committee. The CISO and/or their delegate will share applicable threat information to ensure Board members and staff are informed on the evolving threat environment. The CISO is responsible for ensuring the Board of Directors and staff are trained annually on cybersecurity and information security awareness. Additionally, the CISO ensures staff are adequately trained on Incident Response Plan procedures. The CISO will ensure security incidents are logged and maintained. The CTO provides our Cybersecurity Program with the technical and functional resources to achieve its strategic goals and objectives, and partners and collaborates with the CISO.
The Risk Committee is responsible for overseeing the Company’s management of cybersecurity risk, including oversight into appropriate risk mitigation, strategies, processes, systems, and controls. The CISO has regular and direct communication with the Risk Committee, providing a written cybersecurity report to the Risk Committee and a written cybersecurity report and briefing to the full Board on an annual basis (more frequently as necessary), in order to inform the Risk Committee of the state of the Company’s Cybersecurity Program. These reports cover, but are not limited to, the Company’s cybersecurity posture, overall status of the Company’s compliance with the Cybersecurity Program, threat environment, material cybersecurity risks and events, Cybersecurity Program improvements and effectiveness, and other material matters related to the Cybersecurity Program.