OCEANFIRST FINANCIAL CORP - (OCFC)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Cybersecurity Risk, Management and Strategy
Cybersecurity is a significant and integrated component of the Company’s risk management strategy, designed to protect the confidentiality, integrity, and availability of sensitive information contained within the Bank’s information services. As a financial services company, the Company faces cyber threats that are present and growing, and the potential exists for a cybersecurity incident to disrupt business operations, compromise sensitive data, or both. To date, the Company has not, to its knowledge, experienced an incident materially affecting or reasonably likely to materially affect the Company.
To prepare and respond to incidents, the Company has implemented a multi-layered “defense-in-depth” cybersecurity strategy, integrating people, technology, and processes. This includes employee training, innovative technologies, and policies and procedures in the areas of Information Security, Data Governance, Business Continuity and Disaster Recovery, Privacy, Third-Party Risk Management, and Incident Response.
Core activities supporting the Company’s strategy include cybersecurity training, technology optimization, threat intelligence, vulnerability and patch management and the testing of incident response, business continuity and disaster recovery capabilities.
Employees play a significant role in the defense against cybersecurity threats. Every employee is responsible for protecting the Bank and client information. Accordingly, employees complete formal training and acknowledge security policies annually. In addition, employees are subjected to regular simulated phishing assessments, designed to sharpen threat detection and reporting capabilities.
Employees are supported with solutions designed to identify, prevent, detect, respond to, and recover from incidents. Notable technologies include firewalls, intrusion detection systems, security automation and response capabilities, user behavior analytics, multi-factor authentication, data backups to immutable storage and business continuity applications. Notable services include 24/7 security monitoring and response, continuous vulnerability scanning, third-party monitoring, and threat intelligence.
Like many other companies, the Company relies on third-party vendor solutions to support its operations; many of these vendors have access to sensitive and proprietary information. Third-party vendors continue to be a notable source of operational and informational risk. Accordingly, the Company has implemented a Third-Party Risk Management program, which includes a detailed onboarding process and periodic reviews of vendors with access to sensitive company data.
As indicated above, the operations are supported by incident response, business continuity, and disaster recovery programs. These programs identify and assess threats and evaluate risk. Further, these programs support a coordinated response to incidents. Periodic exercises and tests verify these programs’ effectiveness.
Validating solution and program effectiveness in relation to regulatory compliance and industry standards is important. Accordingly, the Company engages third-party consultants and independent auditors to conduct penetration tests, cybersecurity risk assessments, external audits, and program development and enhancement where applicable.
Cybersecurity Governance
Management Committee Oversight

The Company has established an Information Technology and Security Management Committee consisting of department leaders across multiple functional areas including Data Engineering, Enterprise Applications, Strategic Planning, Technology, and Cybersecurity. These functional areas are led by qualified financial service technology professionals, with extensive certifications and advanced degrees in cybersecurity. Cybersecurity knowledge is expanded across all areas of Information Technology and is foundational in the approach from planning to execution. The committee focuses on strategic and tactical delivery, policy oversight, and the assessment and management of material risks from cybersecurity threats. Policies are also shared with the management Risk Committee to provide a second line review in alignment with Enterprise Risk functions. The Chief Information Security Officer leads all Information Security activity, including developing and implementing the information security program and reporting on cybersecurity matters to the Board. The Chief Information Security Officer has several years of experience leading cybersecurity operations in financial services, supported by a team with various security, technical, risk, audit and leadership certifications. Management provides cybersecurity statistics and details to the Board monthly.
Board Committee Oversight
The Company’s Risk and IT Board Committees provide oversight of the cyber program. Each committee consists of Board members, chaired by an independent director. Committee members have extensive expertise in various disciplines, including risk management, communications, information technology, litigation, banking and transactional matters, regulatory compliance, and cybersecurity. Board Committees receive regular reports informing on the effectiveness of the overall cybersecurity program and the detection, response, and recovery from significant cyber incidents. Cybersecurity metrics are reported quarterly to both committees and Key Risk Indicators are reported to the Risk Committee.