CENTRAL PACIFIC FINANCIAL CORP - (CPF)

10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity remains a top financial services industry risk due to increases in the quantity and sophistication of cyberattacks, which include ransomware, supply chain, and other prevalent attack methods resulting in unauthorized access to systems or sensitive data.

The Company maintains a formal and comprehensive enterprise-wide Information Security and Cybersecurity Program (the "Information Security Program") to protect the confidentiality, integrity, and availability of the Company’s information assets and to manage reasonably foreseeable cybersecurity risks and threats. The Information Security Program includes a threat intelligence program, policies and procedures, multi-layered cybersecurity technical safeguards, third-party security risk assessments, a formal incident response program, mandatory training for employees and independent contractors upon hire and regularly thereafter, compliance with banking regulations, annual audits, and reviews of vendors who handle sensitive information.

Governance

As a regulated financial institution, the Company must adhere to the security requirements and expectations of the applicable regulatory agencies, which include requirements related to cybersecurity, data privacy, vendor security risk management, systems availability, and business continuity planning, among others. The regulatory agencies have established responsibility guidelines for the Board of Directors and senior management, which include establishing policy, appointing and training personnel, implementing review and testing functions, and ensuring an appropriate frequency of reporting. The Company is examined annually, and its Information Security Program, policies and standards are designed to meet regulatory requirements and industry standards to implement physical, administrative, and technical controls to comply with the Gramm-Leach-Bliley Act ("GLBA"), Sarbanes-Oxley Act ("SOX") of 2002, and industry frameworks such as the Federal Financial Institutions Examination Council ("FFIEC").

The Board of Directors overall, and the Board Risk Committee more specifically, oversees cybersecurity risk. The Executive Committee overall, and the Chief Legal Officer, Chief Technology Officer, and Information Security Manager more specifically, manage cybersecurity risk and the associated programs at the operational level. Regular updates on cybersecurity are provided to the Management Risk Committee, the Board Risk Committee and/or the Board of Directors.

Risk Management and Strategy

The Company has complex information systems used for a variety of functions by customers, employees, and vendors. In addition, third parties with which the Company does business or that facilitate business activities (e.g., vendors, exchanges, clearing houses, central depositories and financial intermediaries) could also be sources of cybersecurity risk to the Company, including breakdowns or failures of their systems, misconduct by the employees of such parties, or cyberattacks which could affect their ability to deliver a product or service to the Company.

Our systems are regularly targeted by attacks aimed at disrupting services, misusing or accessing customer data without authorization, seeking financial extortion, or executing fraudulent activities. To date, no such incidents have significantly impacted the Company’s operations or adversely affected our customers, nor have they materially influenced our operational results. Nevertheless, it is important to acknowledge that we cannot guarantee the prevention or detection of sophisticated cyberattacks. In the event of significant service disruptions, unauthorized access leading to the misuse of customer information, or fraudulent activities affecting our or third-party systems, the Company may face operational, regulatory, legal, and reputational challenges, which could adversely affect our business and financial condition.

The Company’s Information Security Program includes key program stakeholders who meet regularly to discuss and carry out ongoing initiatives that continually improve the Information Security Program. The Information Security Program focuses on the following key areas to mitigate cyber risks:

i. Risk Assessment – At least annually, a risk assessment is conducted that incorporates security assessments and testing conducted throughout the year, ongoing and completed security initiatives, evaluation of the cyber threat landscape, compliance, incidents, etc. The assessment results are presented to executive management and the Board of Directors.
ii. Technical Safeguards – Multi-layered controls, defenses, and continuous monitoring tools are used to protect against, detect, and respond to cyber threats and incidents. External independent assessments, regular threat intelligence review, and lessons learned from incident response drive continuous tool and process improvements.
iii. Incident Response and Recovery – The Company's formal Incident Response and Business Continuity Programs establish a clear, consistent, standard, and organized process by which cybersecurity incidents are promptly responded to by the Company's incident response teams.
iv. Third-Party Risk Management – The Company's formal vendor management program includes security risk assessments requiring the vendor to meet or exceed appropriate security requirements before sensitive information is hosted or shared by third parties. The Company’s standard contract provisions obligate third-party compliance with industry-standard security protections.
v. Education and Awareness – The Company conducts cybersecurity training, both formally through mandatory courses and informally through written communications and other updates. Employees are tested periodically with phishing tests to reinforce training. The Company has held webinars and also sends periodic emails to its customers with tips and suggestions to protect themselves against cybersecurity incidents.

External Assessments

The Company’s Information Technology and Information Security Departments are examined annually by our financial institution regulator; the examination includes a review of our risk management activities to ensure we are properly and adequately managing risks appropriate to the size and complexity of our business and operations. In addition to annual examinations, the Company's Information Security Program, policies and practices, and cyber posture are subject to regular external independent reviews, including annual audits, annual penetration tests, and quarterly third-party cyber risk assessments.