BayFirst Financial Corp. - (BAFN)

10-K Filing Date: March 28, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
Cybersecurity risks are constantly evolving and becoming increasingly pervasive across all industries. We use people, process, and technology controls to manage and mitigate cybersecurity risk. The Company's Board of Directors delegates oversight of the Bank's processes for identifying, assessing, and mitigating material risks, including cybersecurity risks, to the Board Audit and Risk Management Committee. Senior Leadership, including the CTO and CRO, manages third-party service providers and advisors to maintain and continuously enhance the Bank's Information Security Program. The CTO, CRO, and the Bank's third-party virtual ISO regularly present to the Board Audit and Risk Management Committee on the state of cybersecurity at the Bank, including any business-impacting incidents and emerging industry risks. The virtual ISO has over 30 years of experience in IT, Information Security, Business Continuity, and Technology Risk in the Financial Services sector and maintains several industry-recognized security, audit, privacy and governance certifications.
Key elements of the comprehensive Information Security Program include:
A mix of administrative and technical tools and controls appropriate to the size and complexity of the Bank to protect the confidentiality, integrity, and availability of critical systems and data, including the privacy of customer data, in compliance with applicable laws and regulations.
Risk assessments are conducted to: (a) identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of critical Bank systems and data, (b) determine the likelihood and potential impact of the threats, and (c) determine the sufficiency of controls and mitigating factors to reduce the risks identified.
A detailed Cyber Incident Response Plan which includes engagement of a third-party that specializes in cybersecurity for financial institutions to assist in incident response and recovery and communications with the Board, regulators, law enforcement and Federal and State Government offices, as required. While the Bank has not experienced a business-impacting cyber incident to date, the Cyber Incident Response Plan is tested at least annually and updated as required so that personnel are prepared for an actual incident.
Security Awareness training to help employees understand their information protection and cybersecurity responsibilities, including targeted campaigns on common social engineering techniques utilized by threat actors.
A third-party risk management program to classify suppliers according to risk and identify those that require enhanced cyber due diligence.
Annual independent third-party penetration tests, vulnerability scans, assessments and audits of the Bank's Information Security Program elements.
While cybersecurity risks have the potential to materially affect the Company's business, financial condition, and results of operations, the Company does not believe that risks from cybersecurity threats or attacks have materially affected the Company, including its business strategy, results of operations or financial condition. As of the date of this Form 10-K, the Company is not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition, that are required to be reported in this Form 10-K. For further discussion of cybersecurity risks, please see Item 1A. "Risk Factors."