Bogota Financial Corp. - (BSBK)
10-K Filing Date: March 28, 2024
Our information security program is managed through a dynamic enterprise-wide cybersecurity strategy, policies, standards, architecture, and processes. The Bank relies upon a formalized internal Information and Cybersecurity Program (“the Program”) to safeguard confidential information, maintain the confidentiality of our customers’ data and ensure the integrity of financial transactions. The Program is approved annually by the Bank’s Board of Directors or a Committee thereof, and is designed to identify reasonably foreseeable internal and external threats, assess the likelihood and potential damage these threats could cause, and assess the appropriateness of the policies, standards and procedures used to identify and mitigate risks associated with a material cybersecurity incident. The Program has been designed to align with industry best practices, as well as regulatory guidelines and laws, and leverages the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”) as its baseline. We are dedicated to cybersecurity and to maintaining the trust and confidence of our customers and stockholders.
Additionally, we maintain an Incident Response Plan that provides established procedures for timely reporting and escalation of significant cybersecurity incidents; our commitment involves promptly notifying regulatory authorities, customers, and other stakeholders in the event of any material cyber incidents that may impact our operations or the security of sensitive information. The Incident Response Plan is coordinated through the Director of Information Technology (“Director of IT”) and key members of executive management who are responsible for escalation as part of the Plan.
We use a layered-defense approach to managing cybersecurity. The Bank’s cybersecurity operations function is headed by the Director of IT, who is responsible for managing information security risks by developing and implementing information security strategies, architecture, and procedures, and who acts as the first line of defense. The Director of IT oversees a team of internal and external security professionals in safeguarding our critical data, systems, and assets against threats, breaches, and attacks. The Director of IT is also responsible for ensuring the confidentiality, integrity, and availability of information assets.
The information security program, policies, and standards are managed by the Vice President of Information Security Systems (“VP, ISS”), who leads the enterprise-wide technology risk management function. The VP, ISS acts as the second line of defense and provides risk oversight for the Bank’s technology infrastructure and operations. The VP, ISS function manages testing of technology controls, technology risk assessments, risk reporting, information security third-party due diligence, monitoring of the implementation of risk mitigation actions, and tracking of their effectiveness over time. The Bank’s internal auditors and Board of Directors act as the third line of defense, providing the independent assurance function.
In addition to the above risk management framework, we engage in regular assessments of our infrastructure, software systems, and network architecture, using internal cybersecurity experts and third-party specialists. We also maintain a third-party risk management program designed to identify, assess, and manage risks, including cybersecurity risks, associated with external service providers and our supply chain. Additionally, we actively monitor our email gateways for malicious phishing email campaigns and monitor remote connections for any portion of our workforce that has the option to work remotely. We leverage internal and external auditors and independent external partners to periodically review our processes, systems, and controls, including with respect to our information security program, to opine on their design and operating effectiveness and make recommendations to strengthen our risk management program.
Notwithstanding our defensive measures and processes, the threat posed by cyber-attacks is severe. Our internal systems, processes, and controls are designed to mitigate loss from cyber-attacks. For further discussion of risks from cybersecurity threats, see the section captioned “Risks Related to Our Operations” in Item 1A. Risk Factors.
As part of our governance structure, the Board of Directors, Chief Executive Officer and Director of IT play an active role in overseeing our cybersecurity program. Regular briefings on cyber risk management and incident response activities are conducted, ensuring a high level of governance and accountability in addressing cybersecurity concerns. The Bank and its vendors provide periodic reports to our Board of Directors, or Committee thereof, as well as to our senior management team as appropriate. These reports include updates on the Bank’s cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape.
We are steadfast in our commitment to collaborate with regulatory authorities to enhance industry-wide cybersecurity standards. Given the ongoing and changing cyber threat landscape, we are committed to investing in, improving and updating our cybersecurity practices on an ongoing basis. Regular assessments, testing, audits, and training of all employees are conducted to adapt to emerging threats and enhance our ability to safeguard the interests of our customers.