COMMUNITY BANK SYSTEM, INC. - (CBU)
10-K Filing Date: February 29, 2024
As a heavily regulated financial services company, the Company has developed a comprehensive cybersecurity process that is designed to protect the security of confidential information. Two of the more significant risks to the Company, both in terms of financial and reputational harm, are a data security breach and/or ransomware attack that causes a material financial loss to the Company and/or materially harms its operational integrity or its reputation with its customers as a safe and trustworthy institution. In order to mitigate this risk and comply with the regulatory standards required by the Company’s and the Bank’s regulators, the Company has developed a cybersecurity program and framework which is administered by a team of experienced professionals and supported by external technology and consulting services. Set forth below is an overview of the Company’s cybersecurity process, the role of management and the Board, and whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the Company.
Cybersecurity Process and Management’s Role
Management is responsible for designing and implementing policies, processes and procedures and deploying physical and virtual technology and safeguards to measure, monitor and control cybersecurity risk. The primary executives responsible for the oversight of risk and cybersecurity are the Company’s Chief Risk Officer, who has over 36 years of experience in the banking industry, including 25 years as a national bank examiner for the Office of the Comptroller of the Currency, and the Company’s Chief Information Security Officer (“CISO”), who has an educational and experiential background in information technology and information security for public companies (a bachelor’s degree in computer science and service as the Company’s CISO for the past nine years, with 10 prior years of information technology and information security experience). The CISO leads the members of the Information Security Department, some of whom maintain a variety of certifications including Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Security+ (Plus) Certification (SEC+). Both of these executives, along with the other professionals in the Information Security and Information Technology Departments, have the appropriate knowledge and expertise to effectively assess and manage the Company’s cybersecurity risk and establish a system of internal controls in an effort to safeguard the Company’s network and comply with regulatory requirements.
The Company’s cybersecurity framework includes an assessment of the Company’s hardware, software, and data platforms across its lines of business, as well as the risks associated with the Company’s business, identification of areas inside and outside of the Company that expose it to cybersecurity threats, and employing policies, systems and safeguards to manage those cybersecurity risks. The Company’s CISO is responsible for identifying systems and security measures that reflect the appropriate safeguards designed to protect the Company’s infrastructure and information and has implemented the majority of current cybersecurity controls in place with an emphasis on the confidentiality, integrity and availability (CIA) triad and a defense in depth methodology. The CISO uses a variety of threat intelligence resources, including law enforcement and industry groups such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), to help stay informed about current and emerging risks to the Company.
The CISO is also responsible for supervising and monitoring certain outside professionals or third party service providers that assist in enhancing the Company’s current cybersecurity safeguards. The Company has invested meaningful resources to address cybersecurity threats and partners with leading technology companies to implement solutions to address the fast-evolving threat landscape. These solutions and services help with the prevention, detection, mitigation and remediation of cybersecurity threats and incidents.
The Company’s Internal Audit Department further assists the Company to ensure that the proper safeguards are in place to protect the Company’s information by conducting internal audits on certain aspects of the information security program. Internal Audit engages professionals that specialize in information security to review and provide an annual examination and report on the sufficiency of the Company’s cybersecurity process and information security program. The Company’s independent public accounting firm also performs audit procedures regarding the information security program. In addition, the Company’s and the Bank’s regulators review and assess the Company’s information security program on an annual basis.
The Company also maintains certain management committees that further assist in the prevention, detection, and mitigation of cybersecurity risks. Specifically, the CISO works closely with the Company’s IT Steering Committee which, among other things, reviews the effectiveness of key controls and provides guidance around future initiatives that strengthen the Company’s overall security posture. The IT Steering Committee is comprised of key executives such as the President and Chief Executive Officer and Chief Financial Officer, as well as senior employees that specialize in technology and information security, including the Company’s CISO, Chief Technology Officer, and Chief Risk Officer, and a representative from the Board. This committee also monitors current events regarding cybersecurity threats to the Company and more broadly to the financial services industry to help the Company make informed decisions around any necessary internal control enhancements or adjustments.
In addition to the IT Steering Committee, the IT Subcommittee assists the CISO to prevent, detect, mitigate, and remediate cybersecurity threats and incidents. The IT Subcommittee typically meets quarterly and consists of members of the information technology and information security teams, the Director of Internal Audit, and senior management members of various business units. This committee is responsible for reviewing information technology and information security projects and the threat landscape.
Given the importance of maintaining the security of the Company’s systems and information, cybersecurity risks are also reviewed and addressed when assessing new products and services and any third party service providers that may be engaged to provide systems and services to the Company. As an essential element of the Company’s cybersecurity program, the Company maintains a third party service provider management program that assesses and addresses the risks associated with third parties providing systems, software and programs that access the Company’s information. As part of this oversight, the Company’s Risk Management, Legal and/or Information Security Departments review higher risk and material contracts with third party service providers, which includes an evaluation of the cybersecurity risks presented, any safeguards, and service organization controls reports provided by the third parties. Initial and continuing due diligence is also conducted on third party service providers to ensure that they are fulfilling their contractual obligations and satisfying the Company’s data security requirements.
The CISO is also responsible for monitoring data security incidents at third parties that have access to the Company’s information and whose compromise could impact the Company or its customers. When the Company becomes aware of such events, the CISO engages with the impacted third party service providers to understand the incident, assess the risk that the Company’s information was released, and determine methods by which the Company can mitigate the damage, if any, and fulfill its notification obligations to impacted parties.
In an effort to remain vigilant against cybersecurity attacks, the Company further provides annual and ongoing training to all of its employees so that they have an understanding and appreciation of the cybersecurity environment and risks and the Company’s policies to combat such risks. Such training includes annual mandatory training sessions on cybersecurity for all employees, periodic informational notices regarding emerging threats, and periodic testing to ensure employees are reporting suspicious activities and are diligent in their efforts to avoid phishing attacks and cybersecurity breaches. The CISO also conducts and participates in annual tabletop exercises with management and, on occasion, with representatives from the Board, in order to be prepared in the event of a material cybersecurity event.
The Company’s cybersecurity process and its ability to assess, manage, and remediate cybersecurity risks further centers around good communication among management. Management stays informed on cybersecurity risks through open communication with the Risk Management team, including through various reports and weekly reporting by the Chief Risk Officer to the Senior Management Committee about cybersecurity matters, as necessary. In the event there is a material cybersecurity incident, the Company’s policies and procedures set forth an action plan, which includes notification of the appropriate personnel and management within the Company, as well as regulators and impacted customers, as applicable.
Board of Directors’ Role in Cybersecurity
An integral part of the Company’s risk management oversight, which includes information security, is the role of the Board. This is reinforced by the independence and reporting structure of the Chief Risk Officer, who oversees the CISO and reports to the Board Risk Committee and administratively to the President and Chief Executive Officer.
In addition, cybersecurity risk is a fundamental risk of the Company which is overseen by the Risk Committee of the Board, which consists of the entire Board, including Directors with experience in risk management, internal audit, cybersecurity and/or the operations of financial service companies. In particular, the Chair of the Board, Eric E. Stickels, has experience with the risks associated with operating a financial institution based upon his prior service as the President of Oneida Financial Corp. In addition, Lead Director Susan E. Skerritt, the former Chief Executive Officer and President of Deutsche Bank Trust Company Americas, has received the Cyber-Risk Oversight Certification issued by the National Association of Corporate Directors (“NACD”), and utilizes her business experience and cyber-risk expertise to assist the Risk Committee in its evaluation of management’s cybersecurity process. Kerrie D. MacPherson, the Chair of the Audit Committee, has also received the Cyber-Risk Oversight Certification issued by the NACD. Mark E. Tryniski, the Company’s former President and Chief Executive Officer, serves on the Board and has considerable experience in the management of financial service companies and the cybersecurity process based upon his service with the Company. Director Jeffery J. Knauss has also been selected by the Board to serve on the IT Steering Committee as its representative due to his technology experience developed through his ownership and management of a digital marketing firm. Director Knauss plays a valuable role in the oversight of the IT Steering Committee and is able to impart his knowledge and experience to the committee.
The Risk Committee meets six times a year during which management provides updates to the committee regarding the material risks facing the Company. As part of this reporting, the Chief Risk Officer and the Risk Management Department have created a risk management program that identifies and evaluates the risks associated with various aspects of the Company’s business and report their assessments to the Risk Committee for review or approval. Within the risk management process, cybersecurity risks are specifically reviewed and addressed, including risks related to current or proposed products and services to be offered by the Company, as well as the efforts taken or to be taken to mitigate such risks.
In addition, on at least a quarterly basis, the CISO presents an Information Security report to the Risk Committee, which includes the Company’s cybersecurity alert level, controls rating, current and emerging cybersecurity risks, threats and trends, mitigation efforts and projects and audit and regulatory updates.
On an annual basis, the Board’s Audit Committee also receives reports from outside consultants who perform various IT related audits, and the Company’s independent registered public accounting firm regarding the effectiveness of the Company’s cybersecurity program in connection with its review of the Company’s financial statements.
Risks Associated with Cybersecurity
The Company is often targeted in an effort to obtain unauthorized access to its financial records and confidential information, destroy data, disable or degrade service, or sabotage systems. Such attacks may take various forms, including the introduction of computer viruses or malware, ransomware, phishing attacks, cyber-attacks, or breaches due to errors or malfeasance by employees, contractors and others who have access to or obtain unauthorized access to the Company’s systems and networks. To date, these threats and attacks have not resulted in a material cybersecurity incident. However, a material failure, interruption or security breach could adversely affect the Company’s business and operations through financial losses, remediation expenses, reputational damage, as well as exposing the Company to customer dissatisfaction and civil litigation, regulatory fines or penalties or losses not covered by insurance.
For more information on risks to the Company from cybersecurity threats, see “Risk Factors – Operational Risks”.