PATRIOT NATIONAL BANCORP INC - (PNBK)

10-K Filing Date: April 01, 2024
ITEM 1C. Cybersecurity
Cyber/information security is a significant and integrated component of the Company’s risk management strategy. Because the Company is an insured depository institution, threats to information security are present and growing, and the potential exists for a cybersecurity incident to occur that could disrupt business operations or compromise sensitive data. To date, the Company has not, to its knowledge, experienced an incident materially affecting or reasonably likely to materially affect the Company.
Cybersecurity Risk Management and Strategy:
The Bank maintains comprehensive policies, procedures, internal controls and practices with respect to cyber/information security, including:
Information Security Policy and Risk Management. The Bank maintains an Information Security Policy reviewed and updated as needed, and at least annually by its Board of Directors.
Information Technology & Information Security Audits. The Bank conducts independent external and internal audits of internal controls relating to information technology and information security in accordance with standards established by the Federal Financial Institutions Examination Council (FFIEC).
Information Security Management. To prepare for and respond to incidents, the Bank maintains multi-layered cybersecurity protocols, integrating people, technology, and processes as part of the Bank’s Information Security Program. The Information Security Program is governed by various information security and cybersecurity, systems development, change control, disaster recovery/business continuity, third-party risk management, and physical asset classification and control policies. The Information Security Program identifies data sources, threats and vulnerabilities, deploys current information security technologies, and ensures awareness, accountability, and oversight for data protection throughout the Bank and with trusted third parties, so that data is protected and able to be recovered in the event of a breach or failure (technical or other disaster). The Company engages qualified third-party vendors, consultants and independent auditors to, among other things, conduct network penetration tests and perform cyber/information security audits.
Employee Training and Awareness. Our employees are the first line of defense with respect to cyber/information security protection. Each employee is responsible for protecting the Bank and customer information. Employees are provided with training at initial onboarding and thereafter regarding information security and cybersecurity-related policies and procedures applicable to their respective roles within the organization. In addition, employees are subjected to regular simulated phishing assessments, designed to sharpen threat detection and reporting capabilities. In addition to training, employees are supported with solutions designed to identify, prevent, detect, respond to, and recover from cyber/information security threats and activities intended to compromise cyber/information security.
Customer Data Privacy Reviews. The Bank conducts independent external and internal reviews of internal controls relating to customer data privacy and data security in accordance with the requirements of the Gramm-Leach-Bliley Act, the Right to Financial Privacy Act, and standards established by the FFIEC.
Cybersecurity Governance:
Board Oversight. The Audit Committees of the Company and the Bank review and monitor the effectiveness of the Bank’s internal controls, including those controls related to information security, based on independent external audit and internal audit reports. The Boards of Directors of the Company and the Bank review a formal Information Security Report at least annually, a Gramm-Leach-Bliley Act (“GLBA”) report annually and receive periodic reports on cyber/information security topics and matters. As required by federal banking laws and regulations, the Bank’s cyber/information security risk management practices include risk assessments, controls, and practices specifically for cybersecurity, information technology deployment and third-party information technology vendor risk management.
CIO Responsibilities. The Information Services Division of the Bank is primarily responsible for identifying, assessing and managing material risks from cyber/information security threats. Information security management is conducted by the CIO of the Bank. Our CIO monitors, evaluates and adjusts the Bank’s Information Security Program, considering any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and changing business arrangements, such as technology development initiatives, outsourcing arrangements, and changes to customer information systems. Our CIO has been working in IT infrastructure for the past 25 years. His experience includes cybersecurity and information security, IT compliance, audit reviews, policies, incident response and annual processes. He has managed IT technology at leading brokerages, and oversees information security and cybersecurity at our Bank. He received Certified Banking Security Manager (CBSM) certification in 2020. He has also managed third-party risk management at our Bank since 2021. The IT Steering Committee and Management Risk Committee review and coordinate the status and results of information security controls, network penetration testing, business continuity/disaster recovery testing, and incident response plan testing.
Information Security Incident Responses. The Bank maintains information security incident response plans for various information security/data breach scenarios. The Bank tests its incident response plans at least annually. Pursuant to applicable federal and state laws, regulations and FFIEC standards, the Bank maintains incident response notification procedures for affected customers, including notification of federal regulatory authorities and law enforcement. For the preservation of all possible avenues for law enforcement, the Bank does not disclose information security incidents to the general public unless required by law or as directed by applicable lawful authority.