CYBERSECURITY OVERSIGHT AT NORTHFIELD
Northfield Bank (the “Bank”) maintains an Information and Cybersecurity Program under the leadership of our Chief Risk Officer, Chief Information Officer, and Chief Information Security Officer, with timely Board oversight.
The framework for our Information and Cybersecurity Program includes:
- A formal Information Security Program, policy and procedures that are updated and approved by our Board of Directors, led by the Bank’s Chief Information Security Officer.
- An enterprise risk management program that incorporates information and cybersecurity concerns into routine managerial decisions and risk assessments, as well as internal audits of all related business functions.
- An information security training and awareness program for all employees and directors, emphasizing the importance of customer and data privacy and protection.
- The Board of Directors has delegated oversight responsibilities to its Compliance and IT (CIT) Committee. The Board receives Information Security Program updates from the CIT Committee at all of its regular meetings.
- The CIT Committee:
- Is comprised entirely of independent experienced directors;
- Maintains appropriate member experience in cybersecurity oversight through a combination of work-life experience, training, and banking industry association involvement;
- Engages an independent third party expert in technology and cybersecurity to provide guidance and expertise to assist the committee in its cybersecurity oversight. The independent cybersecurity consultant provides the CIT Committee with periodic reports, normally quarterly, that include, among other things, an evaluation of the Bank’s Information Security Program, strategic information technology plan, staffing adequacy, emerging cybersecurity risks and mitigation techniques, and best practice recommendations. The CIT Committee evaluates the performance of its independent consultant on annual basis, prior to appointment/reappointment;
- Performs an annual assessment of its effectiveness, including its oversight of cybersecurity, and makes a report for review, evaluation and acceptance by the Nominating and Corporate Governance Committee of the Board, with further reporting to the Board;
- Holds management accountable for ensuring appropriate internal controls are in place to govern Information and Cybersecurity, to ensure such risks, existing and emerging are appropriately identified, mitigated and monitored to reduce exposure.
- Receiving timely periodic reports, normally quarterly or more frequent as necessary, from the Chief Information Officer, Chief Information Security Officer and Chief Risk Officer on technology and information security matters, including:
- Standards and methods utilized to identify and mitigate information security risks, including the Bank’s consideration of the National Institute of Standards and Technology (NIST) framework;
- Current and emerging cybersecurity risks and controls;
- Information Technology and Information Security Staffing assessments;
- Strategic technology plan update;
- Information and cybersecurity employee training programs and employee cybersecurity testing results and related employee remediation, as necessary;
- Customer cybersecurity education and awareness initiatives.
- An annual review of the Bank’s cybersecurity insurance policy, including engagement, on a periodic basis, of a third party consultant expert in cybersecurity insurance to assist the CIT Committee in its review;
- Review of independent third party audit reports on information technology and cybersecurity, including internal and external penetration testing, and monitoring of remediation, as appropriate.