UNITED SECURITY BANCSHARES - (UBFO)

10-K Filing Date: March 26, 2024
Item 1C - Cybersecurity

Management of the Company’s wholly-owned subsidiary, United Security Bank (Bank), reports to the Board of Directors, or an appropriate committee of the board, at least annually. This report describes the overall status of the information security program and the Bank’s compliance with these guidelines.
The report discusses material matters related to the information security program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.
The intent of this report is to communicate the overall status of the information security program, including any updates to the program components.
In regard to cybersecurity threats and controls, the information security program addresses the Bank’s cybersecurity strategy.
Cybersecurity is an element of information security. Information security deals with information, regardless of its format – paper documents, digital and intellectual property, and verbal or visual communications.
Cybersecurity focuses on protecting digital assets from intentional attacks. These assets include networks, computer hardware/software, and information that is processed, stored, or transported by networked systems and devices.
The Information Security Program was initially designed, and is regularly updated, to comply with the following laws and regulations:
The Gramm-Leach-Bliley Act (GLBA) regarding protection of nonpublic personal information,
The Federal Financial Institutions Examination Council’s “Interagency Guidelines Establishing Information Security Standards,”
Supplemental federal and state banking regulations and guidelines regarding protection of nonpublic customer information, as applicable to this program.
Oversight of the Bank’s cybersecurity program is the responsibility of the IT Committee of the Board of Directors. This committee is also responsible for approving the program’s budget and staffing. Management of the program is the responsibility of the Bank’s information security officer.
To ensure appropriate segregation of duties, the information security officer is independent of IT operations staff and reports to the Bank’s chief risk officer. The information security officer is responsible for responding to security events by ordering emergency actions to protect the institution and its customers from imminent loss of information; managing the negative effects on the confidentiality, integrity, availability, or value of information; and minimizing the disruption or degradation of critical services.
The IT Committee of the Board of Directors meets bi-monthly, or as needed, to review risks resulting from cybersecurity threats.
Testing is conducted annually using external third-party penetration testing and internal vulnerability assessments.

While cybersecurity risks have the potential to materially affect the Company’s business, financial condition, and results of operations, the Company does not believe that risks from cybersecurity threats or attacks, including as a result of any previous cybersecurity incidents, have materially affected the Company, including its business strategy, results of operations or financial condition. However, the sophistication of cyber threats continues to increase, and the Company’s cybersecurity risk management and strategy may be insufficient or may not be successful in protecting against all cyber incidents. Accordingly, no matter how well designed or implemented the Company’s controls are, it will not be able to anticipate all cybersecurity breaches; preventive measures cannot provide absolute security and may not be sufficient in all circumstances or mitigate all potential risks; and the Company may not be able to implement effective preventive measures against cybersecurity breaches in a timely manner.