Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

View risk factors by ticker

Search filings by term

Risk Factors - ASRV

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

ITEM 1A. RISK FACTORS

Not applicable.

ITEM 1B. UNRESOLVED STAFF COMMENTS

The Company has no unresolved staff comments from the SEC for the reporting periods presented.

ITEM 1C. CYBERSECURITY

The Company maintains comprehensive and continually evolving processes for assessing, identifying, and managing material risks from cybersecurity threats, including any potential unauthorized occurrence on, or conducted through, the Company’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of such systems or any information residing on such systems. The processes relating to cybersecurity threats are integrated into the Company’s overall risk management processes, which are overseen by the Board of Directors.

Risk Management and Strategy

The Company’s Enterprise Risk Management Policy assists the Board of Directors and management in clarifying their tolerance for identifying those credit, market, liquidity, operational, legal, compliance, strategic, reputation and security (information and physical) risks that have the potential to cause material financial harm to the institution, as well as describing a methodology for determining the proper level of controls to manage and mitigate those risks. Cybersecurity is a critical component of risk management, given the increasing reliance on technology and the increasing cybersecurity threat landscape. The Information Security Program is built on the Federal Financial Institutions

13

Examination Council (FFIEC) IT Handbooks, National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Center for Internet Security (CIS) Cybersecurity Controls (CSC), and industry best practice. The Information Security Program utilizes a defense in depth strategy that leverages multiple security measures to protect Company assets and information.

The Board of Directors is responsible for overseeing management’s development and execution of the Company’s risk management process. Risk management is administered by a senior management team called the Management Enterprise Risk Committee (MERC). Periodic risk assessments are performed to identify technical and physical risks to information systems. These risk assessments identify internal and external threats that could cause a cybersecurity incident, assessing the likelihood of potential impact of those threats, and assessing the measures and controls in place to manage the risks. As per FFIEC guidance, a Change Management Policy and Committee are in place to manage changes to technology and systems. Information Security is a member of this Committee to evaluate changes for information security impact.

The Company leverages internal and external auditors to periodically review information technology and information security policy, processes, and controls to ensure they meet regulatory compliance and operate effectively. Independent penetration testing is performed annually.

The Company maintains an Incident Response Plan and a Crisis Communication Plan that provide documented guidelines for handling potential threats and taking appropriate measures including timely notification of cybersecurity threats and incidents to senior management and the Board of Directors when appropriate. The Incident Response Plan is managed by the Chief Information Security Officer (CISO) and is reviewed and tested at least annually. The Crisis Communication Plan, managed by the Director of Marketing and Alternative Delivery, is reviewed and tested at least annually.

The Company uses third-party vendors to assist in monitoring, detecting, and managing cyber threats, including managed security service monitoring, penetration testing and vulnerability assessment. The Management Enterprise Risk Committee has established risk management guidelines for third-party vendors. Through the Third-Party Risk Management Committee, the Company conducts due diligence reviews of third-party vendors before contracts or agreements for provision of services are signed and conducts ongoing due diligence and oversight procedures with the frequency of the procedures determined based on a risk assessment of the services provided. Through the Vendor Management Committee, the Company conducts due diligence reviews of third-party vendors before contracts or agreements for provision of services are signed and conducts ongoing due diligence and oversight procedures with the frequency of the procedures determined based on a risk assessment of the services provided. Generally, the Company’s agreements with service providers include requirements related to cybersecurity and data privacy. All such agreements are reviewed periodically. The Company cannot guarantee, however, that such agreements, due diligence, and oversight procedures will prevent a cybersecurity incident from impacting information systems. Moreover, as a result of applicable laws and regulations or applicable contractual provisions, the Company may be held responsible for cybersecurity incidents attributed to its service providers in relation to any data that the Company shares with such providers.

Notwithstanding our efforts at cybersecurity, no system of prevention is impenetrable, and we cannot guarantee that we will be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. To date, the Company has not detected any material cybersecurity incident to our own systems. Future cybersecurity incidents could, however, materially affect our business strategy, results of operations, or financial condition.

Governance

The Company’s information technology resources are managed by the Information Technology Department, which is responsible for the first line of defense – identifying, assessing, and managing material risks from cybersecurity threats. The Information Technology Department is managed by the Chief Information Officer (CIO), who reports to the Company’s President and CEO. The present CIO has been employed by the Company in the information technology area for four years and was previously the CISO at the Company for two years. The present CIO has been employed by the Company in the information technology area for two and a half years and was previously the CISO at the Company for two years. The present CIO has over 37 years of IT experience, 14 of that in banking. The present CIO has over thirty-five years of IT experience, twelve of that in banking. The CIO holds a current Certified Information Systems Security Professional (CISSP) designation.

The Chief Information Security Officer (CISO) whose responsibilities constitute the second line of defense provides the vision, leadership, and strategies necessary to protect the information security of the Company. The CISO manages policy, procedure, and process to ensure the execution of the Company’s Information Security and Business Continuity/ Disaster Recovery (BC/DR) Programs. The CISO reports directly to the Chief Risk Officer to provide segregation between the first and second lines of defense. The Information Security Department, among other duties, supervises

14

internal employee training relating to cybersecurity risks, conducts access reviews relating to the Company’s information systems, and monitors implemented security measures. The present CISO has over 19 years of IT and information security experience across various organizations, including military service.

The Company has established a Management Technology Committee and a Board Technology Committee. These Committees provide oversight and governance of information technology and the Information Security Program and meet quarterly. The Board Technology Committee’s responsibilities include: (1) monitoring the strategic deployment and usage of Information Technology throughout the Company using reports and presentations from management; (2) oversight of cybersecurity preparedness through information security reports, discussion of internal events and discussion of cybersecurity topics pertinent to the Company and the industry; (3) oversight of activities in support of the Company’s business continuity/disaster recovery program to ensure optimal corporate resiliency in the unlikely event of a disaster; and (4) providing broad strategic guidance on the technology direction of the Company by, among other things, overseeing the development of the AmeriServ Strategic Technology Plan.

Recently Filed
Click on a ticker to see risk factors
Ticker * File Date
DVLT an hour ago
SFBC an hour ago
AEAE an hour ago
MRKR an hour ago
ASRV an hour ago
ASNS an hour ago
PUBC 2 hours ago
APAC 2 hours ago
ACON 2 hours ago
FTFT 2 hours ago
LIDR 2 hours ago
EBRCZ 2 hours ago
GORO 2 hours ago
HBIA 2 hours ago
XHLD 2 hours ago
DWTX 2 hours ago
FDMT 2 hours ago
AVBH 2 hours ago
OVID 2 hours ago
HD 2 hours ago
OSS 2 hours ago
HYPR 2 hours ago
HTFL 3 hours ago
NRGV 3 hours ago
ARX 3 hours ago
UBCP 3 hours ago
BBY 3 hours ago
SERA 3 hours ago
BTM 3 hours ago
DOCU 3 hours ago
MBRX 3 hours ago
PCSA 3 hours ago
XOMA 3 hours ago
PROK 3 hours ago
ELA 3 hours ago
USIO 3 hours ago
LFWD 7 hours ago
PFBX 8 hours ago
MHH 9 hours ago
NEON 9 hours ago
VACI 10 hours ago
GIFT 10 hours ago
NSPR 10 hours ago
CING 11 hours ago
PLX 12 hours ago
HIND 12 hours ago
BOBS 12 hours ago
TSSI 21 hours ago
CNTY 22 hours ago
ESLA 22 hours ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard