EAGLE FINANCIAL SERVICES INC - (EFSI)
10-K Filing Date: March 29, 2024
Risk Management and Strategy
Cybersecurity risks are constantly evolving and becoming increasingly pervasive across all industries. To mitigate these risks and protect sensitive customer data, financial transactions, and our information systems, the Company has implemented a comprehensive Information Security Program (“Program”) which is a component of its overarching enterprise risk management program. The Program is achieved through a collaborative effort involving operations, technology, compliance, risk, and senior management. Cybersecurity is a critical component of this program, given the increasing reliance on technology and potential cyber threats.
Key components of the risk management program include:
Governance and Oversight
The Board of Directors, including its Risk Subcommittee, provides oversight of Company cybersecurity risks. The Board of Directors receives periodic reports on cybersecurity threats, awareness training, and key risk indicators related to cybersecurity. Additionally, the Company’s Audit Committee provides oversight as it relates to annual audits related to information technology and cybersecurity. Management promptly reviews results of these audits to initiate necessary remediation, which is then reviewed by the Audit Committee.
The Board of Directors has designated the Security Committee and Incident Response Team with responsibilities related to information security and cybersecurity.
The Security Committee is a management committee with representation from operations, technology, compliance, risk, and senior management. The Security Committee monitors, reviews, and makes necessary changes to the Information Security Program. This Committee provides accountability for policies and procedures and reviews incidents that may affect information security.
The Incident Response Team has overall authority and responsibility for preparing for and responding to incidents and consists of various sub-teams including representation from operations, technology, risk, compliance, human resources, and marketing. While key personnel have identified roles, this team ensures appropriate reports, statuses, and decisions are presented to Executive Management and the Board of Directors.
The Company’s Chief Technology Officer (“CTO”) oversees the Company’s information technology programs and investments. The Company’s CTO has over 30 years of information technology experience. The Company’s Compliance and Security Officer, who oversees the Company’s information security programs, has over 10 years of experience and reports to the Chief Operating Officer. The Compliance and Security Officer is designated as the program coordinator responsible for coordinating and overseeing the Information Security Program.
Material Effects of Cybersecurity Threats
While cybersecurity risks have the potential to materially affect the Company's business, financial condition, and results of operations, the Company does not believe that risks from cybersecurity threats or attacks, including because of any previous cybersecurity incidents, have materially affected the Company, including its business strategy, results of operations or financial condition. However, the sophistication of cyber threats continues to increase, and the Company’s cybersecurity risk management and strategy may be insufficient or may not be successful in protecting against all cyber incidents. Accordingly, no matter how well designed or implemented the Company’s controls are, it will not be able to anticipate all cybersecurity breaches, and it may not be able to implement effective preventive measures against such security breaches in a timely manner.
For more information on how cybersecurity risk may materially affect the Company’s business strategy, results of operations or financial condition, refer to Item 1A, Risk Factors of this Form 10-K.