Dime Community Bancshares, Inc. /NY/ - (DCOM)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Overview
● Dime Community Bank (“Dime”, “the Bank”) maintains comprehensive information technology and cybersecurity programs which encompass policies, procedures, assessments, monitoring, response plans, and testing to ensure technical, administrative, and physical controls are effective.
● Dime’s Cybersecurity Incident Response and Business Continuity Programs are inclusive of cyber resiliency, business continuity and disaster recovery strategies to help mitigate the impact of a cybersecurity incident across all business lines.
Management Role and Board Oversight
● The cybersecurity program is overseen by the Chief Information Security Officer (“CISO”), reporting to the Chief Risk Officer (“CRO”), the Enterprise Risk Management Committee, which consists of the CEO, CFO, and CTO among others, and the Enterprise Risk Committee of the Board of Directors, which consists of three independent directors. Our Board of Directors includes members who have expertise in cybersecurity, data privacy law, fraud and risk management. Cybersecurity risks are primarily assessed, monitored, and remediated by the CISO, who has extensive experience in the Information Technology and cybersecurity fields and maintains advanced cybersecurity-centric certifications. The CISO’s extensive knowledge and experience in the cybersecurity field are critical to executing our cybersecurity program. Our CISO oversees proactive initiatives, remediation plans for known risks, compliance with regulations and standards, and Disaster Recovery, Business Continuity, and Incident Response efforts. Additionally, the Bank’s Risk Management function is led by the CRO, who has extensive experience in risk management and audit. The cybersecurity program includes a cross-sectional team of internal and external Information Security professionals, all of whom are provided with relevant training and are required to maintain industry-accredited certifications. Our Incident Response Team is chaired by our CISO and is comprised of executive management and designated managers throughout the organization. The purpose of the Incident Response Plan is to manage Information Security and related incidents efficiently and effectively in order to minimize loss and destruction, mitigate weaknesses, restore services, notify customers as required by state law, and comply with regulatory requirements and any third-party contractual obligations.
● The CISO and CRO play a pivotal role in informing the Board of all cybersecurity risks. These positions provide comprehensive updates to the Enterprise Risk Committee of the Board at least quarterly. The briefings cover a range of updates, including the cybersecurity program, emerging risks, status of operational changes, status of regulatory compliance, and risk reporting.
Managing Material Risks & Integrated Overall Risk Management
● The Bank maintains documented processes, procedures, and controls for assessing, identifying, and managing material risks from cybersecurity threats. Cybersecurity threats are identified through risk assessments, detection tools, information gathering, and internal, external, and third-party contracted security assessments.
Cybersecurity Threats
● To assess and manage material risks from cybersecurity threats, Dime maintains an Incident Response Team comprised of members from the major business areas in the Bank to ensure appropriate subject matter experts are represented. For every cybersecurity event, the Bank follows its implemented processes to determine whether the incident has materially affected or is reasonably likely to materially affect the Bank’s business strategy, results of operations, or financial condition.
● Dime has not identified any cybersecurity threats that have materially affected operations or financial position.
Oversee Third-Party Risk
● Dime has processes to oversee and identify material risks from cybersecurity threats reported by any third-party service providers or vendors. The Bank’s Third-Party Risk Management Program requires initial due diligence, ongoing monitoring, and annual recertification of third-party cybersecurity controls.
Cybersecurity Risks
● Dime considers cybersecurity risks as part of our strategic planning process. Management and the Board of Directors acknowledge that technology systems, managed both by Dime and third-party service providers, are critical to business operations and therefore require appropriate risk management.
Engagement With Third Parties on Risk Management
● Cybersecurity is part of Dime’s overall risk management program, which is supported through the use of consultants, auditors and other third parties who assist with reviewing and validating the effectiveness of cybersecurity controls. Internal Audit actively participates and engages with those managing the cybersecurity program to validate the effectiveness of implemented safeguards. External audit results are reviewed and reported on in our annual filing. Additionally, Dime is a regulated entity and undergoes regulatory reviews to ensure the Bank remains in compliance with all appropriate standards.