QUAINT OAK BANCORP INC - (QNTO)
10-K Filing Date: March 28, 2024
Overview. Our Board of Directors and management consider information security and cybersecurity as high priorities in our strategic and operational plans. We understand the critical nature of the confidentiality, integrity, and availability of customer and bank sensitive information. Any loss of confidentiality, integrity, or availability introduces operational, compliance, strategic, transactional, reputational, legal, and capital risks which we actively seek to avoid. It is understood that any one of these risks, if realized, will have a negative impact upon Quaint Oak Bancorp and Quaint Oak Bank. Our approach to information and cybersecurity is proactive and strives to avoid incidents where possible through the use of technical, administrative, and physical controls.
Governance. Our efforts for increased information and cybersecurity readiness are driven from the top of the organization. The Board of Directors reviews and approves an Information Technology and Information Security Risk Appetite Statement which guides the actions of the management team, staff members, and supporting third-party service providers. In addition, the Board is active in the review and approval of all policies concerning information technology and information security. The Board further reviews reports provided by the management team regarding the status of Quaint Oak Bank’s GLBA compliance, risk management program, vendor management program, and the results of tests and exercises conducted for business continuity, disaster recovery, cybersecurity incident response, and pandemic response. Lastly, the Board of Directors reviews and approves the budget for information and cybersecurity, ensuring that we have sufficient resources to properly address all current and foreseeable information and cybersecurity threats.
Management and Strategy. Senior management takes the guidance provided by the Board of Directors and transforms this guidance into operational priorities which are implemented and maintained by the staff members and third-party service providers. In addition, the senior management team ensures that budgeted resources are allocated in a timely manner to support the various security initiatives.
Operational Information Technology and Information Security staff members and third-party service providers utilize the direction and resources provided by the senior management team to develop procedures, standards, and guidelines to achieve the strategic goals defined by the Board of Directors. Operational and security health is reported monthly to the Operating Risk and Executive Committees and the Board of Directors. Recommendations for improvements are shared between operational staff and the senior management team as part of a continuous improvement program for information security and cybersecurity.
Operational staff members actively maintain, review, update, and exercise plans and procedures designed to enhance our overall business resiliency. All staff members are trained annually on current information and cybersecurity trends, techniques, and their responsibilities to keep our information confidential, accurate, and available.
We also utilize the services of third-party providers to conduct an IT audit, external and internal vulnerability testing, external and internal penetration testing, and social engineering testing on at least an annual basis. The results of these independent audits and tests are sent to the Board of Directors for review.
Finally, Quaint Oak Bank complies with its regulatory requirements by having Federal and State safety and security examinations performed on a schedule dictated by the regulatory agencies. The results of these examinations are reviewed and approved by the Board of Directors. Additionally, all findings from these examinations are recorded and prioritized for remediation.
Conclusion. Our Board of Directors and management take very seriously the information security and cybersecurity obligations Quaint Oak Bancorp and Quaint Oak Bank have to their respective customers, shareholders, staff members, and regulatory agencies. In support of these obligations, we have and actively maintain a robust information security and cybersecurity program based upon industry best practices, regulatory requirements, and the expertise of staff members and supporting third-party vendors.
To our knowledge, we have not had a cybersecurity incident that has materially affected Quaint Oak Bancorp, its business strategy, financial condition, or results of operations.