NBT BANCORP INC - (NBTB)

10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

The Company maintains a cyber risk management program that is designed to identify, assess, manage, mitigate and respond to cybersecurity threats. The program addresses both the corporate information technology (“IT”) environment and customer facing products. In line with our dedication to upholding strong corporate governance standards and safeguarding the security of our operations, we maintain a continuous effort to assess and mitigate cybersecurity risks that could impact our business, stakeholders and the integrity of our systems. Additionally, we maintain a similar risk-based approach to our third-party vendor management program including identifying and overseeing cybersecurity risks they present.

The underlying controls of the cybersecurity program are based on recognized best practices and standards for cybersecurity and information security, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”). This framework organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover. The Company regularly assesses the threat landscape of cybersecurity risks, with a layered defense in depth strategy that is focused on prevention and detection.

Employing comprehensive methodologies for risk assessment, we diligently identify and evaluate potential cybersecurity threats and vulnerabilities across our systems, networks and data assets. This process involves regular examinations of emerging threats, conducting penetration tests, vulnerability scanning and thorough analysis of industry-specific risks. We actively participate in industry forums, information sharing initiatives and collaborate with relevant stakeholders to exchange threat intelligence and best practices.

The Company continues to expand investments in Information Technology security, including additional end-user training, using layered defenses, identifying and protecting critical assets, and strengthening monitoring and alerting. We emphasize continuous training for our staff to improve their ability to identify and address diverse cybersecurity threats. We invest in cybersecurity technology and talent to support this endeavor. Furthermore, we conduct thorough reviews of our vendors and mandate specific security standards for third-party providers. Our comprehensive policies and procedures are designed to safeguard the integrity and security of information collected by us and our service providers on our systems. Additionally, we have implemented security measures to prevent unauthorized access to personal data and minimize the consequences of potential incidents. We consistently learn from any event and look at postmortem improvements where necessary to enhance our security and resilience.

The Company consistently collaborates with third-party experts to conduct audits, penetration testing, assessments and validations of our controls, aligning them with established frameworks like the NIST CSF. We adapt our cybersecurity policies, standards, processes and practices accordingly based on the insights provided by these reviews. These audits and assessments are useful tools for maintaining a robust cybersecurity program.

Governance

It is the responsibility of the Risk Management Committee (“RMC”) of the Board to oversee the Company’s cybersecurity risk exposures and the actions taken by management to monitor and mitigate cybersecurity risks. Cybersecurity risks are reported to the RMC at least quarterly, and those reports include key performance indicators, test results, recent threats and how the Company is managing those threats, along with the effectiveness of the Information Security and cyber risk program. The RMC is responsible for monitoring our Information Security Program (“ISP”) and is led by a member of our Board of Directors. The RMC reports quarterly to the Board regarding its activities, including those related to cybersecurity risk oversight. The Board receives briefings from executive management on the overall Information Security program at least annually.

The Company has appointed the Senior Director of Information Security (“DISO”) to oversee the implementation, coordination, and maintenance of the ISP. The responsibilities of the DISO include developing and implementing our information security program, designing appropriate administrative, technical, and physical safeguards to protect institutional data and ensuring the implementation and maintenance of safeguards across the Company as needed. The DISO reports to our Chief Risk Officer and has over a decade of experience leading cybersecurity oversight along with expertise in cyber-crime prevention, threat intelligence, social engineering, identity access and governance, identity theft and fraud prevention through prior roles in the organization. The Information Security team has cybersecurity experience or certifications, such as the Certified Information Systems Security Professional and Certified Information Security Manager from the Information Systems Audit and Control Association.

The DISO also administers the Incident Response Team (“IRT”) and its members, which is composed of various high-ranking executive personnel such as the Chief Audit Officer, Chief Compliance Officer, General Counsel, and representatives from Technology, Operations, Accounting and Corporate Communications. Members of the NBT IRT have extensive knowledge regarding the security protocols, operational processes and IT infrastructure for the Company. This allows cross-functional response efforts in the detection, mitigation and prevention of a cybersecurity incident suffered by the Company or its third-party service providers. Upon detection of an incident, the IRT promptly convenes and updates executive leadership to assess its severity level, categorizing it as low, moderate, or high. The Company actively performs simulations and tabletop exercises at a management level and incorporates external resources as needed to stay current with cyber threat vectors. The Incident Response Plan also maintains procedures and an escalation protocol to escalate significant cybersecurity matters to the Executive Committee, RMC and/or full Board, as deemed necessary.

During the incident response process, senior management, in collaboration with relevant personnel from information technology, information security, and, when necessary, external cybersecurity firms specializing in forensic investigations will assess the materiality of the breach alongside the severity scale. This evaluation aims to accurately identify risks and potential operational and business impacts. Materiality determination involves an objective analysis of both quantitative and qualitative factors, including an evaluation of immediate impact and reasonably likely future impacts.

Although cybersecurity threats, including those stemming from prior incidents, have not had a significant impact on the Company in the previous fiscal year, and there are no known imminent cybersecurity threats likely to materially affect us, we cannot guarantee that we will remain unaffected in the future. Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, which could subject us to additional liability and reputational harm. Cybersecurity threats are expected to continue to be persistent and severe. For further discussion of such risks, see the section entitled “Risk Factors” in Item 1A of this Form 10-K under the heading “Risks Related to Cybersecurity and Data Privacy.”