Kearny Financial Corp. - (KRNY)
10-K Filing Date: August 23, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We structure our information security program around the Federal Financial Institutions Examination Council (FFIEC) Information Security program guidance, including the FFIEC Cybersecurity Assessment Toolkit, regulatory guidance, and other industry standards. We leverage industry and government associations, third-party benchmarking, audits and threat intelligence feeds to promote program effectiveness. Our Chief Technology and Innovation Officer ("CTIO"), along with key members of their team, regularly collaborates with peer banks, industry groups, and policymakers.
We employ an in-depth, layered, defensive strategy with respect to our products, services and technology. We leverage people, processes and technology to manage and maintain cybersecurity controls. We employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected advanced persistent threats.
We have established processes and systems to mitigate cyber risk, including regular education and training, preparedness simulations and tabletop exercises, and recovery and resilience tests. Our processes, systems and controls are reviewed periodically by internal and external auditors, Federal and State bank examiners, and independent external partners to assess design and operating effectiveness. We also maintain information security risk insurance coverage.
We engage third party security experts to supplement our internal Information Security team as well as for assessments, penetration tests and program enhancements, including vulnerability assessments, security framework maturity assessments and identification of areas for continued focus and improvement. In addition, our third-party experts work with us to conduct cybersecurity tabletop exercises and internal phishing awareness campaigns. We use the findings of these exercises to improve our practices, procedures, and technologies. We also engage third party security experts to support our cybersecurity threat and incident response management and maintain information security risk insurance coverage.
We engage with a range of external experts, including cybersecurity assessors, consultants, auditors, and legal counsel in evaluating and testing our risk management systems. This enables us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain current.
In the past three years, we have not experienced any material computer data security breaches as a result of a compromise of our information systems, and we are not aware of, and have not had, a significant cybersecurity breach or attack that had a material impact on our business or operating results to date.
Our Board is actively engaged in the oversight of our cybersecurity program. Specifically, the Risk Committee is responsible for overseeing our information security program, including management’s actions to identify, assess, mitigate, and remediate material cyber issues and risks. Our CTIO provides quarterly reports to the Risk Committee regarding information security programs, key enterprise cyber initiatives, and significant cybersecurity and privacy incidents.
Our CTIO is part of the risk management function, reporting directly to our Chief Executive Officer (“CEO”). Various management committees provide oversight of the information security and technology programs. These committees generally meet quarterly and summaries of key issues discussed and actions taken are provided to the Risk Committee.