TOMPKINS FINANCIAL CORP - (TMP)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Risk management and strategy
The Company takes very seriously its responsibility to protect sensitive information, technology resources, and shareholder value from the risk of cyber threats and incidents.
The Company maintains an enterprise-wide and Board-approved Information and Cyber Security Program (the “Program”), which includes strategy, written policies, procedures, guidelines and standards to address the assessment, identification and management of cybersecurity risks. The Company designed the Program to be consistent with industry standards and in compliance with applicable federal and New York state laws, regulations and guidelines.
The Company has adopted the Factor Analysis for Information Risk (FAIR) assessment approach, an industry-standard risk assessment methodology. Under the FAIR approach, the Company identifies, catalogs, assesses and manages material cyber risks by: (a) documenting threat actors and organizations (e.g., cybercriminals, nation-state actors, hackers, company insiders); (b) analyzing their likelihood of attack, their motives, capabilities and tactics; (c) assessing the potential impacts of such threat actor attacks against company assets and documented vulnerabilities (or cyber exposures), both internal and external to the organization; and (d) evaluating the implemented security controls and the effectiveness of those controls against defined risk scenarios. The Company rates vulnerabilities based on the criticality of a vulnerability and/or the value of the asset associated with the vulnerability (people, systems, customer data, money). When a residual risk exceeds the threshold set by the Board-defined risk appetite of the organization, additional controls are recommended and implemented to reduce the potential risk to an acceptable level and provide appropriate management of the cyber risk exposure.
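The FAIR steps described above, as an added illustrative example that is not the Company's own model or disclosed data: a scenario's loss event frequency and annualized loss are computed from constructed threat-frequency, vulnerability and loss-magnitude estimates, residual risk is compared with a risk-appetite threshold, and controls are recommended only while that threshold is still exceeded. All figures, scenario and control names are hypothetical.

```python
"""Illustrative FAIR-style scenario scoring (added example, not the Company's model)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_frequency: float  # FAIR TEF: threat actor attempts per year
    vulnerability: float           # FAIR Vuln: P(attempt succeeds) under current controls, 0..1
    loss_magnitude: float          # FAIR LM: expected loss per successful event (dollars)


def loss_event_frequency(s: Scenario) -> float:
    """FAIR LEF = TEF * Vuln: expected successful events per year."""
    return s.threat_event_frequency * s.vulnerability


def annualized_risk(s: Scenario) -> float:
    """FAIR risk = LEF * LM: expected annual loss in dollars."""
    return loss_event_frequency(s) * s.loss_magnitude


def apply_control(s: Scenario, vuln_reduction: float) -> Scenario:
    """Residual scenario after a control that removes a fraction of the vulnerability."""
    if not 0.0 <= vuln_reduction <= 1.0:
        raise ValueError("vuln_reduction must be in [0, 1]")
    return replace(s, vulnerability=s.vulnerability * (1.0 - vuln_reduction))


def evaluate(s: Scenario, risk_appetite: float, controls: dict) -> dict:
    """Apply candidate controls (strongest first) until residual risk is within appetite.

    controls maps control name -> fraction of vulnerability it removes (assumed estimates).
    """
    residual, recommended = s, []
    for name, reduction in sorted(controls.items(), key=lambda kv: -kv[1]):
        if annualized_risk(residual) <= risk_appetite:
            break  # residual risk now within appetite; no further controls recommended
        residual = apply_control(residual, reduction)
        recommended.append(name)
    return {
        "inherent_risk": annualized_risk(s),
        "residual_risk": annualized_risk(residual),
        "within_appetite": annualized_risk(residual) <= risk_appetite,
        "recommended_controls": recommended,
    }


# Constructed sample scenario and control estimates (hypothetical figures).
BEC_SCENARIO = Scenario("Credential phishing leading to business email compromise",
                        threat_event_frequency=200, vulnerability=0.02, loss_magnitude=50_000)
CANDIDATE_CONTROLS = {"MFA on email": 0.5, "Phishing-resistant authentication": 0.4,
                      "Awareness training": 0.2}

if __name__ == "__main__":
    print(evaluate(BEC_SCENARIO, risk_appetite=75_000, controls=CANDIDATE_CONTROLS))
```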
In conjunction with the FAIR assessment, the Company uses the MITRE ATT&CK framework to identify the exploitation techniques and tactics used by the most likely threat actors. This framework informs the risk management process with valuable insight into the most common, or likely, cyberattacks the Company should address.
Additionally, the Company leverages insights from independently conducted penetration testing provided by external third-party assessors, as required by the NY Department of Financial Services (DFS) cybersecurity regulations, to discover and evaluate potential vulnerabilities across the enterprise that should be contemplated within the overall cyber risk program. The Company also engages independent third-party auditors to provide additional subject matter expertise, as well as to perform comprehensive independent audits of the Program. Audits are conducted no less than annually to evaluate the effectiveness and maturity of the Program. Audits include a review of the cyber risk assessment process, security control effectiveness, and compliance with regulatory requirements.
To manage the risks identified, the Company implements controls and tests those controls for effectiveness. The Company uses the Federal Financial Institutions Examination Council (FFIEC) Cyber Assessment Tool (CAT), the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), the NYS DFS cybersecurity requirements and the Center for Internet Security (CIS) Critical Controls to inform best-practice control implementation and to identify risk mitigation opportunities that align with defined risk scenarios, and generally as a baseline for control implementation.
As part of the Program, the Company has established policies and procedures to oversee, identify and mitigate material cybersecurity risks associated with the use of any third-party service providers. The Company evaluates and risk-rates third-party relationships against a defined set of minimum security requirements under its enterprise-wide Third-Party Risk Management program. Higher-risk third-party service providers are reviewed in more detail and as part of the continual due diligence process to ensure changes to the relationship and/or risk posture are identified and managed appropriately.
The Company is not aware of any cybersecurity incidents that have materially affected the Company, including its business strategy, results of operations or financial condition. For a discussion of cybersecurity threats that could materially affect the Company’s business strategy, results of operations or financial condition, please see Item 1A. Risk Factors.
Governance
The Program is governed by the Board of Directors and specifically, the Audit and Risk Committee, as well as two management committees, the Enterprise Risk Management Committee (“ERMC”) and the Technology and Information Security Committee (“TISC”).
Annually, the Audit and Risk Committee reviews and recommends for approval to the Board the Information Security Policy, which outlines the roles, responsibilities, and objectives for the Program. On a quarterly basis, the Company’s Information Security Officer presents the Company’s cybersecurity report and related material for review by the Audit and Risk Committee and the Board. This report includes emerging risks, overall program effectiveness/status, cybersecurity incidents, staffing, risk exceptions, and recommended enhancements to the program, as applicable. Annually, the Information Security Officer provides security-related education to the Board and Audit and Risk Committee.
The Company’s Technology and Information Security Committee (“TISC”) oversees the governance of the Company’s enterprise technology and information security programs, including strategy, management principles, risk and compliance. The TISC reviews the policies, strategy, emerging topics, risks and general compliance of the programs to ensure they are adequate and sufficient to govern and manage the associated risk of the Company. The TISC coordinates and communicates with the Audit and Risk Committee on risk-related items through the Company’s Enterprise Risk Management Committee. The TISC provides a forum for advising and sharing information among members of the Company’s senior leadership team and is comprised of Company risk owners with expertise across a wide range of financial, technical, operational, strategic, and cybersecurity skill sets. The TISC is co-chaired by the Chief Technology Officer, who is responsible for the enterprise-wide information technology program, and the Information Security Officer, who is responsible for the enterprise-wide information security program. The Information Security Officer is a Certified Information Systems Security Professional (CISSP) with over 20 years of experience in a combination of information technology and information security roles. The Information Security Officer has over eight years of leadership experience in the field of information security, and holds a Bachelor’s degree in Information Technology and an Associate’s degree in Computer Network Management.
The Program includes a Security Response Team (“SRT”) assigned the responsibility to ensure the Company responds to, communicates about, and effectively remediates and isolates any security incident, and restores business operations. The SRT procedures are derived from the National Institute of Standards and Technology (NIST) Computer Security Incident Handling framework.
The Enterprise Risk Management Committee (“ERMC”) is responsible for overall risk governance and management across Tompkins. As such, the committee reviews cyber risk exceptions, emerging risks, minutes from the TISC meetings, and reports on the health and risk associated with the Program. The ERMC is comprised of senior leadership team members as well as critical subject matter experts with risk management experience. The ERMC reports information about risk to the Audit and Risk Committee on a quarterly basis. The ERMC is chaired by the Director of Enterprise Risk Management and the Chief Risk Officer, who oversees the governance of enterprise-wide Risk Management program(s).