BERKSHIRE HILLS BANCORP INC - (BHLB)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY

The Company maintains a robust Information Security Program that sets forth the Company’s commitment to the continual review and improvement of policies, processes, procedures, and standards for evaluating electronic and physical methods of accessing, collecting, storing, using, transmitting, disposing of, and protecting sensitive information, including customer information, under guidelines established as part of the Gramm-Leach-Bliley Act (GLBA). The Company uses or adheres to relevant standards and frameworks from the Federal Financial Institutions Examination Council (FFIEC) and the National Institute of Standards and Technology (NIST), among others, to assess information security risks and controls, as well as to assess the maturity and effectiveness of the Information Security Program.

The Board of Directors and Executive Management are responsible for ensuring that the Information Security Program within Enterprise Risk Management identifies, measures, monitors, controls, and reports risk according to significance. If risks are determined to be undesired and beyond stated and aggregated Risk Appetites, the Board of Directors and Executive Management take appropriate action to ensure that excessive risk is mitigated or eliminated, which may include reducing risk exposure. The Board of Directors has final responsibility, after consultation with management, for ensuring the Information Security Program aligns with the overall business strategy and provides oversight to protect the Company from ongoing and emerging threats, including those related to cybersecurity.

The Information Security Program is overseen by the Company’s Chief Information Security Officer (CISO), who reports directly to the Chief Risk Officer. The CISO is responsible for the implementation, maintenance, and enforcement of the Information Security Program and related policies and standards. The program is evaluated and adjusted at least annually based on the results of testing, monitoring, and the adoption of best practices. The status of the Information Security Program is reported annually to the Board’s Risk Management, Capital & Compliance Committee. Reporting includes the overall status of the program, material matters related to the program, Key Risk Indicators ("KRIs"), cyber risk assessment results, emerging risks, risk management and control decisions, control testing results, third-party security assessments, penetration test results, security breaches or violations, and recommendations for changes to the program.

The Company maintains a robust Third-Party Risk Management program to manage risks related to third-party relationships in a manner that is consistent with the Company’s strategic goals, organizational objectives, and risk appetite. This includes comprehensive risk and control assessments to ensure sensitive information is safeguarded appropriately.

The Company has a dedicated internal Security Operations Center ("SOC") and a Managed Detection and Response ("MDR") third-party service that provides 24/7/365 monitoring of the Company’s environment to investigate and respond to security alerts. Log sources are mapped to the MITRE ATT&CK framework to ensure appropriate security monitoring and to support gap analysis of the Company’s ability to detect and respond to attacks. Threat intelligence is used with contextual risk approaches to identify threats and prioritize response. Threat hunts operate both proactively and reactively to look for relevant behaviors and indicators of compromise arising from cybersecurity events or zero-day vulnerabilities. An Incident Response Plan is in place to ensure the timely and effective handling of security incidents. This includes providing the Company with a detailed outline of how to respond to a security incident, team responsibilities, contact information for key resources, definitions for determining the severity and escalation of security incidents, and pre-built playbooks to respond to the most common types of security incidents, including ransomware. Incident response and escalation plans are tested and reviewed for improvements at least annually. An incident response retainer with an approved third party is contracted to assist in responding to security incidents and to conduct forensic investigations involving the potential compromise of sensitive data or information assets. All employees are required to complete privacy and information security awareness training upon joining the Company and on an annual basis. This includes incident response training on how to communicate potential or actual incidents.

The Company continues to face risks from cybersecurity threats that could have a material adverse effect on its business, financial condition, results of operations, or reputation. Although such risks have not materially affected us, we have experienced threats to and breaches of our data, including breaches caused by human error or breaches affecting third parties of the Company. For more information about the cybersecurity risks we face, see Item 1A-RISK FACTORS.