OFG BANCORP - (OFG)

10-K Filing Date: February 26, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management Strategy

OFG has a comprehensive framework in place to assess, identify and manage material risks from cybersecurity threats. Our Information Security Officer (“ISO”) is responsible for overseeing and implementing the Company’s cybersecurity risk management framework as part of our broader Information Security Program approved by the Board. Our cybersecurity risk management framework is integrated into the Company’s broader risk management system with a focus on monitoring key risk indicators within a defined risk tolerance set by our Board.

Our cybersecurity risk management framework is focused on the following key areas:

Regular cybersecurity risk assessments;
Design and implementation of controls to mitigate any identified cybersecurity risks;
Continuous evaluation of the effectiveness of such controls; and
Implementation of an incident response plan that includes procedures for responding to cybersecurity incidents.

In addition, our cybersecurity risk management framework incorporates three lines of defense, each with defined roles and responsibilities. OFG conducts an annual cybersecurity maturity assessment to (a) evaluate its cybersecurity risk management practices and (b) develop action plans for improving its cybersecurity risk management program.

The cybersecurity risk management framework also establishes standards or controls for the design of our cybersecurity infrastructure, including with respect to monitoring and preventing cybersecurity incidents, authenticating the identity of persons authorized to access critical information resources, and assessing safeguards that must be implemented by our external vendors and service providers.

OFG uses external consultants and other third-party service providers to monitor our information systems for any cyberattacks, impersonators or unauthorized releases of sensitive customer data, as well as performing investigations and penetration testing, identifying system vulnerabilities and required software patches, monitoring and managing firewalls, and advising on systems and cloud architecture. OFG also conducts due diligence of third-party software and related services and reviews cybersecurity reports from technology services providers to ensure that our cybersecurity infrastructure can respond to evolving cybersecurity risks relevant to our business.

Pursuant to our cybersecurity risk management framework, our Information Security team develops an annual information security awareness plan to educate employees as to the Company’s standards, processes and practices with respect to information security, potential cybersecurity threats and proper use of information security resources entrusted to them, with the goal of minimizing possible employee security risks. Our Information Security team engages third-party consultants to assist us in the evaluation of our cybersecurity risk management practices to identify risks, perform social engineering exercises, and provide annual cybersecurity training.

Cybersecurity Governance

Our Board is responsible for overseeing OFG’s cybersecurity efforts and approving the Information Security Program, which sets forth OFG’s policy regarding the confidentiality, integrity and availability of its information assets. The Board’s Risk and Compliance Committee more directly oversees the implementation of the Information Security Program and receives quarterly reports on any cybersecurity risks.

Our ISO, under the supervision of the Chief Risk Officer, leads the development and implementation of the Information Security Program. In addition, our Information Technology Department (“IT”) has a dedicated cybersecurity team under the supervision of our Chief Information Officer. Members of our Information Security and IT cybersecurity teams have over 50 years of combined experience in information technology systems and cybersecurity risk management and include a team member who holds an ISACA Certified Information Systems Auditor certification and two team members each with a master’s degree in cybersecurity.

Our ISO provides quarterly reports to our Executive Risk and Compliance Team, which is comprised of several executive officers of OFG. In addition, our Chief Risk Officer reports to the Board’s Risk and Compliance Committee and, when necessary, the Board.

Any identified cybersecurity incidents must be reported to the ISO and the mitigation and remediation thereof is performed by the Incident Response Team, which is led by the ISO and composed of key executives, with identified call trees and key service providers to support the coordination of a rapid response.

In the last three fiscal years, OFG has not experienced any material cybersecurity incidents, and expenses incurred from any cybersecurity incidents were immaterial. For more information on the risks to the Company of future cybersecurity threats or incidents, see “Item 1A, Risk Factors — Operations and Business Risks.”