|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
The Company’s Enterprise Risk Management Policy assists the Board of Directors and management in clarifying their tolerance for identifying those credit, market, liquidity, operational, legal, compliance, strategic, reputation and security (information and physical) risks that have the potential to cause material financial harm to the institution, as well as describing a methodology for determining the proper level of controls to manage and mitigate those risks. Cybersecurity is a critical component of risk management, given the increasing reliance on technology and the increasing cybersecurity threat landscape. The Information Security Program is built on the Federal Financial Institutions Examination Council (FFIEC) IT Handbooks, National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Center for Internet Security (CIS) Cybersecurity Controls (CSC), and industry best practice. The Information Security Program utilizes a defense in depth strategy that leverages multiple security measures to protect Company assets and information.
The Board of Directors is responsible for overseeing management’s development and execution of the Company’s risk management process. Risk management is administered by a senior management team called the Management Enterprise Risk Committee (MERC). Periodic risk assessments are performed to identify technical and physical risks to information systems. These risk assessments identify internal and external threats that could cause a cybersecurity incident, assess the likelihood and potential impact of those threats, and assess the measures and controls in place to manage the risks. As per FFIEC guidance, a Change Management Policy and Committee are in place to manage changes to technology and systems. Information Security is a member of this Committee to evaluate changes for information security impact.
The Company leverages internal and external auditors to periodically review information technology and information security policy, processes, and controls to ensure they meet regulatory compliance and operate effectively. Independent penetration testing is performed annually.
The Company maintains an Incident Response Plan and a Crisis Communication Plan that provide documented guidelines for handling potential threats and taking appropriate measures including timely notification of cybersecurity threats and incidents to senior management and the Board of Directors when appropriate. The Incident Response Plan is managed by the Chief Information Security Officer (CISO) and is reviewed and tested at least annually. The Crisis Communication Plan, managed by the Director of Marketing and Alternative Delivery, is reviewed and tested at least annually.
The Company uses third-party vendors to assist in monitoring, detecting, and managing cyber threats, including managed security service monitoring, penetration testing and vulnerability assessment. The Management Enterprise Risk Committee has established risk management guidelines for third-party vendors. Through the Vendor Management Committee, the Company conducts due diligence reviews of third-party vendors before contracts or agreements for provision of services are signed and conducts ongoing due diligence and oversight procedures with the frequency of the procedures determined based on a risk assessment of the services provided. Generally, the Company’s agreements with service providers include requirements related to cybersecurity and data privacy. All such agreements are reviewed periodically. The Company cannot guarantee, however, that such agreements, due diligence, and oversight procedures will prevent a cybersecurity incident from impacting information systems. Moreover, as a result of applicable laws and regulations or applicable contractual provisions, the Company may be held responsible for cybersecurity incidents attributed to its service providers in relation to any data that the Company shares with such providers.
Notwithstanding our efforts at cybersecurity, no system of prevention is impenetrable, and we cannot guarantee that we will be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. To date, the Company has not detected any material cybersecurity incident to our own systems. Future cybersecurity incidents could, however, materially affect our business strategy, results of operations, or financial condition.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
The Company maintains comprehensive and continually evolving processes for assessing, identifying, and managing material risks from cybersecurity threats, including any potential unauthorized occurrence on, or conducted through, the Company’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of such systems or any information residing on such systems. The processes relating to cybersecurity threats are integrated into the Company’s overall risk management processes, which are overseen by the Board of Directors.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Board of Directors is responsible for overseeing management’s development and execution of the Company’s risk management process. Risk management is administered by a senior management team called the Management Enterprise Risk Committee (MERC). Periodic risk assessments are performed to identify technical and physical risks to information systems. These risk assessments identify internal and external threats that could cause a cybersecurity incident, assess the likelihood and potential impact of those threats, and assess the measures and controls in place to manage the risks. As per FFIEC guidance, a Change Management Policy and Committee are in place to manage changes to technology and systems. Information Security is a member of this Committee to evaluate changes for information security impact.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Management Technology Committee and a Board Technology Committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Company has established a Management Technology Committee and a Board Technology Committee. These Committees provide oversight and governance of information technology and the Information Security Program and meet quarterly. The Board Technology Committee’s responsibilities include: (1) monitoring the strategic deployment and usage of Information Technology throughout the Company using reports and presentations from management; (2) oversight of cybersecurity preparedness through information security reports, discussion of internal events and discussion of cybersecurity topics pertinent to the Company and the industry; (3) oversight of activities in support of the Company’s business continuity/disaster recovery program to ensure optimal corporate resiliency in the unlikely event of a disaster; and (4) providing broad strategic guidance on the technology direction of the Company by, among other things, overseeing the development of the AmeriServ Strategic Technology Plan.
|Cybersecurity Risk Role of Management [Text Block]
|
The Board of Directors is responsible for overseeing management’s development and execution of the Company’s risk management process. Risk management is administered by a senior management team called the Management Enterprise Risk Committee (MERC). Periodic risk assessments are performed to identify technical and physical risks to information systems. These risk assessments identify internal and external threats that could cause a cybersecurity incident, assess the likelihood and potential impact of those threats, and assess the measures and controls in place to manage the risks. As per FFIEC guidance, a Change Management Policy and Committee are in place to manage changes to technology and systems. Information Security is a member of this Committee to evaluate changes for information security impact.
The Company leverages internal and external auditors to periodically review information technology and information security policy, processes, and controls to ensure they meet regulatory compliance and operate effectively. Independent penetration testing is performed annually.
The Company maintains an Incident Response Plan and a Crisis Communication Plan that provide documented guidelines for handling potential threats and taking appropriate measures including timely notification of cybersecurity threats and incidents to senior management and the Board of Directors when appropriate. The Incident Response Plan is managed by the Chief Information Security Officer (CISO) and is reviewed and tested at least annually. The Crisis Communication Plan, managed by the Director of Marketing and Alternative Delivery, is reviewed and tested at least annually.
The Company uses third-party vendors to assist in monitoring, detecting, and managing cyber threats, including managed security service monitoring, penetration testing and vulnerability assessment. The Management Enterprise Risk Committee has established risk management guidelines for third-party vendors. Through the Vendor Management Committee, the Company conducts due diligence reviews of third-party vendors before contracts or agreements for provision of services are signed and conducts ongoing due diligence and oversight procedures with the frequency of the procedures determined based on a risk assessment of the services provided. Generally, the Company’s agreements with service providers include requirements related to cybersecurity and data privacy. All such agreements are reviewed periodically. The Company cannot guarantee, however, that such agreements, due diligence, and oversight procedures will prevent a cybersecurity incident from impacting information systems. Moreover, as a result of applicable laws and regulations or applicable contractual provisions, the Company may be held responsible for cybersecurity incidents attributed to its service providers in relation to any data that the Company shares with such providers.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Chief Information Officer (CIO)
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
The Chief Information Security Officer (CISO), whose responsibilities constitute the second line of defense, provides the vision, leadership, and strategies necessary to protect the information security of the Company. The CISO manages policy, procedure, and process to ensure the execution of the Company’s Information Security and Business Continuity/Disaster Recovery (BC/DR) Programs. The CISO reports directly to the Chief Risk Officer to provide segregation between the first and second lines of defense. The Information Security Department, among other duties, supervises internal employee training relating to cybersecurity risks, conducts access reviews relating to the Company’s information systems, and monitors implemented security measures. The CISO has over 30 years of IT and IT security experience in various organizations, with 14 years in the banking industry.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Company’s information technology resources are managed by the Information Technology Department, which is responsible for the first line of defense: identifying, assessing, and managing material risks from cybersecurity threats. The Information Technology Department is managed by the Chief Information Officer (CIO), who reports to the Company’s President and CEO. The Chief Information Security Officer (CISO), whose responsibilities constitute the second line of defense, provides the vision, leadership, and strategies necessary to protect the information security of the Company. The CISO manages policy, procedure, and process to ensure the execution of the Company’s Information Security and Business Continuity/Disaster Recovery (BC/DR) Programs. The CISO reports directly to the Chief Risk Officer to provide segregation between the first and second lines of defense.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true