FIRST CAPITAL INC - (FCAP)

10-K Filing Date: March 29, 2024
ITEM 1C. CYBERSECURITY

 

The Company’s cybersecurity risk management program is integrated into our enterprise risk management program and is designed to expeditiously identify, analyze and protect against security threats to its computer systems, software, networks, storage devices and other technology assets. Our management team, with input from our Board of Directors, proactively manages the Company’s cybersecurity risks to avoid or minimize the impacts of attacks by unauthorized parties attempting to obtain access to confidential information, destroy data, disrupt service, sabotage systems or cause other damage. Specifically, the Company has appointed a Chief Information Officer (“CIO”) to maintain a comprehensive information security program. Our strategy includes a continuous improvement mindset along with a defense-in-depth approach to cybersecurity. Our layered security architecture consists of innovative technology to detect, prevent, and mitigate cybersecurity threats. Ongoing proactive analysis of cyber threat intelligence ensures that we are taking the appropriate countermeasures to defend against the latest threats. We use monitoring and preventive controls to detect and respond swiftly to data breaches and cyber threats involving our systems. We regularly evaluate our systems and controls and implement upgrades as necessary. This includes regular consultation with external cybersecurity experts. We also participate in external tabletop exercises on a regular basis and conduct our own internal tests of our systems. In addition, we attempt to reduce our exposure to our vendors' data privacy and cyber incidents by performing initial vendor due diligence that is updated periodically for critical vendors, negotiating service level standards with vendors, negotiating for indemnification from vendors for confidentiality and data breaches, and limiting third-party access to the least privileged level necessary to perform outsourced functions.
The additional cost to us of data and cybersecurity monitoring and protection systems and controls includes the cost of hardware and software, third-party technology providers, consulting and testing firms, insurance premium costs, legal fees and the cost of personnel who focus a substantial portion of their responsibilities on data security and cybersecurity.

 

The Company uses an Agility Preparedness Plan (“Agility Plan”), along with incident response policies, to enable management to respond timely to cybersecurity incidents, coordinate such responses within the Company and with our Board of Directors, notify law enforcement, regulatory bodies, and other government agencies, and notify customers and employees. The Agility Plan provides a documented framework for identifying and responding to actual or potential cybersecurity incidents, including timely notification of and escalation to the Crisis Management Team (“CMT”). The CMT facilitates coordination across key stakeholders of the Company. The Company’s CIO and key members of management are members of the CMT. The Company provides the CIO and the information security team the latest tools and techniques to protect the confidentiality, integrity and availability of the Company’s data for the benefit of our customers, employees and shareholders. We regularly engage third-party consultants to assess the effectiveness of our strategy, tools and techniques, and overall information security program. Independent oversight and assurance activities specifically include internal audits, vulnerability assessments and penetration testing. The Company’s cybersecurity professionals are well-trained on how to protect customer and employee information through ongoing education and awareness initiatives. The CIO and other members of the information technology team receive ongoing training related to developing threats, proactive solutions and industry best practices in order to effectively protect the Company and its stakeholders.

The Company maintains a third-party risk management program designed to identify, analyze and monitor risks, including cybersecurity risks, associated with vendors and outside service providers. Our vendor risk management team collaborates closely with the information security team to ensure third parties meet certain information security control requirements. Our information security team proactively monitors our internal systems and email gateways for phishing email attacks. Remote connections are also assessed and monitored, given that a portion of our workforce works remotely. Personnel serve as members of both teams, helping to effectively identify and communicate issues as they develop.

 

Our Board of Directors provides direction and oversight over the Company’s enterprise-wide risk management program, including risks related to cybersecurity. The entire Board of Directors is provided regular updates regarding the Company’s information technology policies, procedures, risks and operating status. These updates include updates on the Company’s cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape.

 

Cybersecurity incidents are managed through the Agility Plan and other appropriate response policies, which provide direction to management allowing for the timely transfer of information throughout the organization. Our policy requires material incidents to be reported within 36 hours after an incident is determined to be material, with the materiality determination to be completed without unreasonable delay. The CMT has developed a plan to facilitate making timely determinations as to whether and when incidents should be disclosed. If a material incident occurs, the Company will describe in detail the material aspects and nature, scope and timing of the incident, along with the impact to its financial condition and results of operations, via the timely filing of Form 8-K.

 

To our knowledge, previous cybersecurity incidents have not materially affected the Company, its business strategy, financial condition or results of operations. With regard to the possible impact of future cybersecurity threats or incidents, see "Item 1A. Risk Factors."
