EVANS BANCORP INC - (EVBN)

10-K Filing Date: March 04, 2024
Item 1C. CYBERSECURITY

Overall Risk Management and Strategy

The Company manages its cybersecurity risk in a manner consistent with its overall risk management process in which recognized and emerging risks are identified, assessed, controlled, and monitored on a continual basis. The Company’s cybersecurity risk management follows the “Three Lines of Defense” framework, which is as follows: (1) in the first line of defense, our Information Security function manages cybersecurity risks and controls; (2) in the second line of defense, independent internal risk management provides cybersecurity risk governance oversight; and (3) our Internal Audit function provides independent assurance over cybersecurity practices as the third line of defense.

The Company leverages third parties to support the development and independent validation of cybersecurity risk management practices. Third-party cybersecurity risk oversight includes engaging consultants in the development and deployment of cybersecurity control processes, and a managed security services provider to provide 24/7 alert monitoring and remediation services, semi-annual independent vulnerability and penetration tests from rotating providers, and an annual information security audit coordinated by the Company’s Internal Audit function.

All third-party service providers to the Company are subject to risk assessments to identify the risks, including cybersecurity-related risks, posed by that individual third party. Changes in vendor services result in a reassessment of risk. Based on the results of the risk assessment, the Company requires each third-party service provider to meet certain due diligence requirements. These requirements oblige third-party service providers to provide the Company with evidence of appropriate policies, an independent examination of their control environment, financial results, and operational resilience, as appropriate.

To date, no prior internal cybersecurity incident has materially affected the Company; however, external incidents have increased attention to risk management processes, which continually identify and assess threats to the Company’s operations with consideration of strategy, financial results, and business resilience.

Governance

The Enterprise Risk Committee of the Board of Directors is responsible for the oversight of cybersecurity risk at the Company. The Company has established a Cyber and Technology Risk Appetite Statement, which is approved annually by the Enterprise Risk Committee. Changes in cybersecurity risk are monitored throughout the year and are reported to the Enterprise Risk Committee.

The Enterprise Risk Committee is kept informed of these risks through reporting by the Chief Information Security Officer (“CISO”) and is also charged with reviewing cybersecurity policies, results of an annual information security risk assessment, NYS DFS Compliance Status, and other information security risk assessments or analyses of significant events that may occur throughout the year. The Enterprise Risk Committee additionally reviews the results of vulnerability and penetration testing, tabletop exercises, and other examinations performed, whether internal or external, with a focus on cybersecurity. The Enterprise Risk Committee is kept informed of cybersecurity risks through the Company’s first and second lines of defense, including the Company’s CISO, which provide the following to the Enterprise Risk Committee on a quarterly basis, or more frequently as needed: an analysis comparing actual results against the Company’s Cyber and Technology Risk Appetite Statement, an evaluation of current cybersecurity risks facing the Company, and identification of any new or emerging risks associated with cybersecurity. The Audit Committee of the Board of Directors is also informed of any cybersecurity risk that is identified in annual information security specific internal audits or material cybersecurity risks that may have an impact on the financial statements and related disclosures of the Company.

The Company has established a clear chain of command in the management of cybersecurity risks by designating a CISO and Chief Information Officer (“CIO”), who jointly lead the Company’s incident response team, which also includes the Company’s management team. The CISO has certifications in information security, and together, the CISO and CIO have over 25 years of cybersecurity experience combined. The CISO and CIO meet with Company senior leadership at least quarterly through an Information Technology Steering Committee in which management assesses information security risk. The Company has subscribed to threat intelligence feeds that are reviewed throughout the day to ensure risks are identified and assessed in a timely manner.

In alignment with enterprise risk management processes and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Company has developed a control environment to prevent, detect, respond to, and recover from cybersecurity risk events. The Company’s control environment includes policies that set consistent cybersecurity control benchmarks across the organization and inform the CISO about the prevention, detection, mitigation, and remediation of cybersecurity incidents on an ongoing basis.

The Company’s policies require it to maintain and control an inventory of the enterprise assets throughout their life cycle, including end-user devices, network devices, servers, operating systems and applications used throughout the Company. These assets are subject to secure configuration requirements as well as data protection requirements before they may be used in operations. Once appropriate configuration requirements are met, access to these assets is based on account management procedures, which include determining appropriate ownership of the account and monitoring controls over accounts using administrator privileges. Access is generally provisioned on the “least privilege” principle, meaning that a user is given the minimum levels of access or permissions needed to perform their job functions, and consistent with the requirements of the role being provisioned. On a continuous basis, these assets are monitored to assess and track vulnerabilities within the Company’s infrastructure. Any identified vulnerabilities are remediated on a scheduled basis in alignment with an assessment of the associated risk. Upon termination or transfer of the user, processes are in place to remove user access from these assets, and additional monitoring controls are in place to certify access on a recurring basis.

The Company monitors industry events and leverages additional resources to monitor any new threats and vulnerability information. Systemic prevention controls are deployed to protect endpoints, as well as to prevent malicious code, emails, and websites from attempts to gain access to the network. Company personnel are trained on a recurring basis on best practices to protect the Company from cybersecurity risks. The Company’s assets are subject to recovery procedures to bring the asset back to its required state of operations, and these recovery procedures are tested internally by the Company to verify the capabilities of these procedures. The Company has developed an Incident Response Policy and Plan that assigns appropriate responsibilities in the event of an incident. This assignment of responsibilities allows the Company to assess and respond to any incident in a timely manner. This plan is tested on a recurring basis to maintain preparedness in the event of an actual incident.