EAGLE FINANCIAL SERVICES INC - (EFSI)

10-K Filing Date: March 29, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

Cybersecurity risks are constantly evolving and becoming increasingly pervasive across all industries. To mitigate these risks and protect sensitive customer data, financial transactions, and our information systems, the Company has implemented a comprehensive Information Security Program (“Program”), which is a component of its overarching enterprise risk management program. The Program is carried out through a collaborative effort involving operations, technology, compliance, risk, and senior management. Cybersecurity is a critical component of the Program, given the Company’s increasing reliance on technology and the potential for cyber threats.

Key components of the risk management program include:

A risk assessment process that identifies and prioritizes material risks; defines and evaluates the effectiveness of controls to mitigate those risks; and reports results to executive management and the Board of Directors.
A third-party managed detection and response service that monitors the security of our information systems around the clock, including intrusion detection and alerting.
A patch management system that safeguards our environment by keeping software up to date and resilient against known threats.
Internal and external penetration testing that is conducted and reviewed by either independent third parties or qualified employees.
A third-party risk management program that is designed to ensure our vendors meet our cybersecurity requirements.
A training and awareness program that educates employees about cybersecurity risks and how to recognize and defend against cyberattacks.
An incident response plan that outlines the steps the Company will take to respond to a cybersecurity incident, and which is tested at least annually.

Governance and Oversight

The Board of Directors, including its Risk Subcommittee, provides oversight of the Company’s cybersecurity risks. The Board of Directors receives periodic reports on cybersecurity threats, awareness training, and key risk indicators related to cybersecurity. Additionally, the Company’s Audit Committee provides oversight of the annual audits related to information technology and cybersecurity. Management promptly reviews the results of these audits and initiates necessary remediation, which is then reviewed by the Audit Committee.

The Board of Directors has assigned responsibilities related to information security and cybersecurity to the Security Committee and the Incident Response Team.

The Security Committee is a management committee with representation from operations, technology, compliance, risk, and senior management. The Security Committee monitors and reviews the Information Security Program and makes changes to it as necessary. The Committee provides accountability for policies and procedures and reviews incidents that may affect information security.

The Incident Response Team has overall authority and responsibility for preparing for and responding to incidents and consists of various sub-teams with representation from operations, technology, risk, compliance, human resources, and marketing. Key personnel have defined roles, and the team ensures that appropriate reports, status updates, and decisions are presented to Executive Management and the Board of Directors.

The Company’s Chief Technology Officer (“CTO”) oversees the Company’s information technology programs and investments and has over 30 years of information technology experience. The Company’s Compliance and Security Officer oversees the Company’s information security programs, has over 10 years of experience, and reports to the Chief Operating Officer. The Compliance and Security Officer is designated as the program coordinator responsible for coordinating and overseeing the Information Security Program.

Material Effects of Cybersecurity Threats

While cybersecurity risks have the potential to materially affect the Company's business, financial condition, and results of operations, the Company does not believe that risks from cybersecurity threats or attacks, including as a result of any previous cybersecurity incidents, have materially affected the Company, including its business strategy, results of operations, or financial condition. However, the sophistication of cyber threats continues to increase, and the Company’s cybersecurity risk management and strategy may be insufficient or may not succeed in protecting against all cyber incidents. Accordingly, no matter how well designed or implemented the Company’s controls are, it will not be able to anticipate all cybersecurity breaches, and it may not be able to implement effective preventive measures against such breaches in a timely manner.

For more information on how cybersecurity risk may materially affect the Company’s business strategy, results of operations or financial condition, refer to Item 1A, Risk Factors of this Form 10-K.