LAKELAND BANCORP INC - (LBAI)

10-K Filing Date: February 28, 2024
ITEM 1C - Cybersecurity

Risk Management and Strategy

Cybersecurity is a critical component of the Company’s enterprise risk management program given the Company’s extensive reliance on technology and increased and evolving risks from cyber threats. Our Chief Information Security Officer (“CISO”) is primarily responsible for the Company’s information systems and cyber security program, which is designed to protect the confidentiality, integrity, and availability of our technology systems and data. The information systems and cyber security program is vital to protecting our customers, maintaining our reputation, and preserving shareholder value, as well as safeguarding the interests of other stakeholders. The CISO is a key member of the Company’s risk management organization and reports directly to the Chief Risk Officer (“CRO”) and, periodically, to the Risk Committee of the Board of Directors.
The Company leverages a variety of industry frameworks and regulatory guidance to develop and maintain its information systems and cyber security program, including but not limited to Interagency Guidelines Establishing Information Security Standards, Federal Financial Institutions Examination Council (“FFIEC”) Information Technology Examination Handbook (with particular emphasis on the FFIEC’s Information Security and Business Continuity Management handbooks), FFIEC Cybersecurity Assessment Tool, Gramm-Leach-Bliley Act (“GLBA”) 501(b), and National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. In addition, the program leverages certain industry and government associations, third-party benchmarking, audits, and third-party threat intelligence sources to facilitate and enhance the effectiveness of the program.
The CISO and the Chief Information Officer (“CIO”), who oversees the Company’s Information Technology functions and reports directly to the Chief Administrative Officer, along with key members of their respective teams, regularly collaborate with peer institutions, industry groups, consultants, and others to discuss cybersecurity trends and issues, emerging risks, and best practices. The information systems and cyber security program is periodically reviewed by such personnel with the goal of addressing changing threats and conditions.
The Company’s information systems and cyber security policy defines standards, specifies controls, and establishes management responsibilities with respect to identity and access management, authentication requirements, system and device hardening, network security, virus and malware protection, threat intelligence, security event logging and monitoring, endpoint protection, incident response, third-party information security, cybersecurity awareness and training, data backup and restoration, and program governance. In addition, the Company maintains complementary policies that similarly address standards, controls, and responsibilities pertaining to data classification and protection, acceptable use of information technology assets, vulnerability and patch management, business continuity and resilience, information technology lifecycle and asset management, change management, project management, and quality assurance.
The Company employs an in-depth, layered, defense strategy to mitigate information systems and cyber security risks. The Company leverages people, processes, and technology as part of its efforts to manage and maintain cybersecurity controls. The Company uses a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. Processes and systems designed to mitigate cybersecurity risks, including regular and on-going education and training for our associates, preparedness simulations and tabletop exercises, and recovery and resilience testing, have been established. The Company engages in regular assessments of our technology infrastructure, software systems, network architecture, and data repositories, including periodic penetration tests and vulnerability assessments and social engineering simulations performed by third-party specialists. Additionally, vulnerabilities are identified via the use of internally-managed automated scanning tools. Vulnerabilities identified via third-party assessments and internal scans, and the status of corresponding remediation efforts, are inventoried and tracked by the Information Security department, under the direction of the CISO, and regularly reported to management. Summarized results of external and internal assessments and related remediation efforts are reported to the Risk Committee on a quarterly basis.
The Company leverages internal auditors and independent external partners to periodically review processes, systems, and controls, including with respect to the Company’s information systems and cyber security policy and program, to assess their design and operating effectiveness and make recommendations to strengthen the risk management program.
The Company also maintains a third-party risk management (“TPRM”) program designed to identify, assess, and manage risks, including technology and cybersecurity risks, associated with vendors and other external service providers. The TPRM program defines standards and identifies management responsibilities relative to risk assessment, due diligence, contract review and structuring, and third-party oversight and ongoing monitoring; the program aligns with Interagency Guidance on Third-Party Relationships: Risk Management. The TPRM program is a second line function that is overseen by the Company’s Operational Risk Manager, who reports directly to the CRO. The status of the TPRM program is reported to management on a regular basis and, periodically, to the Risk Committee.

The Company also maintains an Incident Response Program that establishes security incident response protocols, principally relevant to the Information Security and Information Technology teams, including identification, containment, recovery, and follow up related to security incidents. The Incident Response Program specifies when an incident is deemed a potential information security breach requiring escalation of handling in accordance with the Company’s Crisis Communication Plan and Protocols. The Crisis Communication Plan and Protocols supplement the Incident Response Program and, although they may be used as general guidance with respect to a variety of incidents, they are designed to assist the incident response team in responding to an actual or possible systems or data breach incident. In connection with an incident involving an actual or possible systems or data breach, the Crisis Communication Plan and Protocols establish a cross-functional response team to identify incidents, determine whether systems or data have been compromised and, if so, initiate protocols to identify the extent of the incident, contain and mitigate any damage, communicate the incident to all necessary parties (including regulatory agencies and law enforcement agencies, as applicable), maintain the Company’s brand integrity, sustain customer trust, and establish the foundation to recover from the incident and rebuild the Company’s brand reputation.

Governance

The Company’s Board of Directors, through the Risk Committee, provides direction and oversight of the enterprise-wide risk management framework of the Company, including the management of risks arising from information systems and cyber security threats. The Risk Committee periodically receives presentations which include updates on cybersecurity risks, including the threat environment, evolving standards, projects and initiatives, vulnerability assessments, third-party reviews, technological trends, and other cybersecurity related topics. The Risk Committee also receives information regarding any material cybersecurity incidents, as well as ongoing updates regarding any such incidents until they have been addressed. On a quarterly basis, the Risk Committee and the Board of Directors receive updates on key risk and key performance metrics related to the Company’s information systems and cyber security posture with the Risk Committee receiving additional information regarding noncompliance with risk limits and associated remediation efforts. On at least an annual basis, the full Board of Directors discusses the Company’s approach to information systems and cyber security risk management with the CISO.
The CISO is accountable for managing the Information Security department and the information systems and cyber security program. The responsibilities of Information Security include overseeing the design, implementation, ongoing enhancement, monitoring, and testing of the Company's information systems and cyber security program to ensure the confidentiality, availability, and integrity of information assets in accordance with applicable laws, regulations, and regulatory guidance. Information Security establishes appropriate standards for information system security and access, and develops and implements relevant policies, procedures, and controls to ensure such standards are maintained. The Information Security department has overall responsibility for security awareness and training programs, business continuity analysis and planning, and initial assessment and periodic monitoring of key third-party technology service providers, as well as data classification and risk assessments related to information and cyber security. Information Security also provides guidance on and participates in incident response planning and protocols.
The Information Technology department, under the direction of the CIO, is principally responsible for managing first line functions to protect and secure the Company’s technology infrastructure, systems, and data. Second line functions, including Information Security under the direction of the CISO, provide guidance, oversight, monitoring and challenge of the first line’s activities. Second line functions are separated from first line functions through organizational structure and ultimately report directly to the CRO. Information Security consists of information security professionals with varying degrees of education and experience. Associates within the department with information systems and cyber security related responsibilities and job duties typically hold professional certifications and regularly participate in continuing education in their field. The CISO has substantial relevant experience in information and data security, cybersecurity risk management, and information technology infrastructure and operations. The CISO has served in various roles in Information Security and Information Technology with the Company for over 30 years and maintains several professional affiliations, including serving as a member of the cybersecurity advisory board of a state university and as a member of the governing body of a cybersecurity peer exchange.
To our knowledge, cybersecurity threats have not materially affected the Company, including its business strategy, results of operations, or financial condition. With regard to the possible impact of potential future cybersecurity threats or incidents, refer to the section titled “Information Technology or Cybersecurity Risks” under Item 1A, Risk Factors.