OLD POINT FINANCIAL CORP - (OPOF)

10-K Filing Date: April 01, 2024
Item 1C. Cybersecurity

The Company considers cybersecurity a subset of information security, and as such, cybersecurity risks and controls are assessed in our information security risk assessment and managed in our ISP. The ISP is developed and maintained using the FFIEC (Federal Financial Institutions Examination Council) Information Technology Examination Handbook and represents the standards, policies, procedures, and guidelines defining the Company’s security requirements and related activities, including risk management and risk assessment practices. Management has charged the ISO, together with the IT Steering Committee, with implementing and monitoring the ISP. The Company’s IT department is led by the CTO, Senior Vice President of IT, who has over 30 years of experience in the IT field, and by other key personnel who have years of experience and various certifications related to assessing and managing cybersecurity risk. Additionally, the Company has established a comprehensive enterprise risk management program to monitor risks related to its operations, including cybersecurity risk, and the Company’s ISO has primary responsibility for the information security risk management program. Management also engages third parties to assist IT with its tasks. The Company believes that risk management is a component of overall governance, and that IT risk management is a component of overall risk management.

The Company recognizes that our overall security culture contributes to the effectiveness of our ISP. The Company maintains an information security risk management program that identifies, prioritizes, and provides a formal structure for addressing the internal and external risks that affect the organization. The Board of Directors sets the tone and direction for the Company’s use of IT and has identified the Audit Committee as having primary responsibility for oversight of the Company’s risk exposures, risk assessments, and policies, including risks related to cybersecurity. The Board of Directors and Audit Committee approve, periodically review, and re-approve the ISP and other IT-related policies. While the Board of Directors may delegate the design, implementation, and monitoring of certain IT activities to the CTO, Senior Vice President of IT, or a designee, the full Board of Directors remains responsible for overseeing IT strategies and policies, including cybersecurity. To help carry out their responsibilities, Directors, management, and all employees are periodically trained to understand IT activities and risks, including cybersecurity risks. Management, through the Senior Vice President of IT, the ISO, or both, provides a status report to the Board of Directors at least annually, with more frequent communications as necessary. The report describes the overall status of the ISP and material matters related to the program, including security breaches, cybersecurity assessments, cybersecurity awareness training for employees and the Board of Directors, and the results of incident response testing.

The Company uses third-party threat analysis services such as penetration testing and vulnerability scanning to help understand and measure information security related risks. Additionally, the Company uses third-party tools to help management identify current cybersecurity risks and control maturity levels, and to evaluate overall cybersecurity preparedness. The Company has also implemented an action plan designed to identify potential actions that would improve our overall cybersecurity posture, and periodically reevaluates both cybersecurity risks and controls to ensure they are commensurate with our size and complexity and keep pace with the overall cybersecurity threat environment.

Management also obtains, analyzes, and responds to information from various sources on cybersecurity threats and vulnerabilities that may affect the Company, and incorporates available information on cybersecurity events into our ISP. Additionally, management develops, maintains, and updates a repository of cybersecurity threat and vulnerability information that may be used in conducting risk assessments, and provides updates to the Board of Directors on cybersecurity risk trends. The Company has not experienced any cybersecurity incidents in the past that have, individually or in the aggregate, had a materially adverse effect on our business, financial condition, or results of operations.

Additionally, the Company conducts due diligence in the selection and ongoing monitoring of third-party service providers. Management is responsible for ensuring that such third parties use suitable information security controls when providing services to us. As part of its oversight of third-party service providers, management determines whether cybersecurity risks are identified, measured, mitigated, monitored, and reported by such third parties.