Columbia Financial, Inc. - (CLBK)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
The Company’s information security program is managed through an effective enterprise-wide cybersecurity strategy, policies, standards, architecture, and processes. The Company is committed to compliance with the International Organization for Standardization's recognized cyber incident and cyber risk management frameworks. We are dedicated to cybersecurity and maintaining the trust and confidence of our customers and stockholders.
The Company recognizes the increasing threats posed by cyber incidents and is dedicated to implementing robust cybersecurity practices. We have a comprehensive cybersecurity program designed to protect sensitive information, ensure the integrity of financial transactions, and maintain the confidentiality of our customers' data.
We have established procedures for timely reporting of significant cybersecurity incidents; our commitment involves promptly notifying regulatory authorities, customers, and other stakeholders in the event of any material cyber incidents that may impact our operations or the security of sensitive information. In particular, we have enhanced disclosure controls and procedures to meet the requirement to report material cybersecurity incidents on Form 8-K within four business days after we determine that an incident is material.
Additionally, we maintain a proactive cyber risk management framework to identify, assess, and mitigate potential risks. Our cybersecurity policies and practices are regularly reviewed and updated to address emerging threats. We work closely with industry experts and third-party vendors and leverage advanced technologies to enhance our effort to continually provide adequate cyber defenses.
The Company uses a multiple-lines-of-defense approach to managing cybersecurity. The Company's cybersecurity operations function is headed by the Vice President Information Security Officer ("ISO"), who is responsible for managing information security risks by developing and implementing information security strategies, architecture, and procedures, and who acts as the first line of defense. The ISO leads a team of security professionals in safeguarding the Company's critical data, systems, and assets against threats, breaches, and attacks. The ISO is responsible for ensuring the confidentiality, integrity, and availability of information assets.
The information security program, policies, and standards are managed by the Vice President of Enterprise Technology Risk Management ("ETRM"), who leads the Company's enterprise-wide technology risk management function. The ETRM function acts as the second line of defense and provides independent risk oversight for the Company's technology operating infrastructure and operations. The ETRM function manages testing of technology controls, technology risk assessments, risk reporting, information security third-party due diligence, monitoring of the implementation of risk mitigation actions, and tracking of their effectiveness over time. The Company's internal audit department acts as the third line of defense, providing the independent assurance function.
Concerning governance, oversight, and compliance, the Board of Directors plays an active role in overseeing our cybersecurity program. Regular briefings on cyber risk management and incident response activities are conducted, ensuring a high level of governance and accountability in addressing cybersecurity concerns. The Bank provides periodic reports to our Technology Committee and our Board of Directors, as well as to our senior management team as appropriate. These reports include updates on the Company’s cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape.
We are firm in our commitment to collaborate with regulatory authorities to enhance industry-wide cybersecurity standards. Given the continuously evolving cyber threat landscape, we are committed to continuous improvement in our cybersecurity practices. Regular assessments, testing, audits, and training are conducted to adapt to emerging threats and enhance our ability to safeguard the interests of our customers.
The Company remains dedicated in its commitment to cybersecurity and to compliance-driven cyber risk management, and will continue to invest in and prioritize cybersecurity to protect all critical information.