Finwise Bancorp - (FINW)
10-K Filing Date: March 25, 2024
Item 1C. CYBERSECURITY
The Company is exposed to cybersecurity threats and incidents that can range from uncoordinated individual attempts to gain unauthorized access to information systems to sophisticated and targeted measures known as advanced persistent threats, directed at the Company or its third party service providers. Our customers, strategic relationships and regulators expect us to maintain a suitable cybersecurity posture to identify, protect, detect, respond and recover from incidents that may impact the confidentiality, integrity and availability of sensitive information we possess. We evaluate the risks of data theft (including theft of sensitive, proprietary and other data categories, in addition to personal data), harm to customer or third party relationships and litigation or regulatory investigation or actions that could materially adversely affect our financial condition, results of operations and reputation. Cybersecurity risk is assessed and managed primarily through our operations, risk management, and audit teams and is overseen by our Board of Directors.
The Bank’s Information Security Officer (or ISO), who reports to our Chief Compliance & Risk Officer, is directly responsible for assessing and managing cybersecurity risks pursuant to the Company’s Information Security Program, which is approved by our Board of Directors periodically. The current ISO has more than 5 years of cybersecurity experience and holds multiple industry certifications.
The ISO provides our Board of Directors with periodic reports regarding the Company’s cybersecurity condition, key activities and recommendations for improvement of the Information Security Program. The ISO coordinates any incident responses with members of the Company’s executive management, regulators and third parties. The ISO also reports any matter relating to cybersecurity incident responses and control deficiencies to our Board of Directors and its Audit Committee, respectively.
The cybersecurity department of the Bank’s Information Technology (or IT) department is responsible for the day-to-day operations of our cybersecurity controls and defenses. The department is managed by the Bank’s Director of Information Systems and Security, who reports to the Bank’s Chief Technology Officer. The current Director of Information Systems and Security has more than 24 years of technology and cybersecurity experience. Our Chief Technology Officer periodically reports information about the Company’s cybersecurity risks and operational developments to our Board of Directors.
The IT department provides the ISO with access to its operations and alerts regarding cybersecurity events. Events that could become cybersecurity incidents are reviewed and evaluated by the ISO in consultation with the IT department. Documented escalation procedures are tested regularly as part of tabletop exercises and other activities and include notification to executive management during qualifying cybersecurity incidents. The IT department shares responsibility with the ISO for identifying and prioritizing improvements to the Company’s cybersecurity capabilities and resources.
The Bank’s IT Steering Committee, comprising the ISO and members of the Company’s executive management and IT department, generally meets on a monthly basis to review developments regarding the Company’s cybersecurity risks, defenses and remediation activities. Minutes of the meetings of the IT Steering Committee are regularly reviewed by our Board of Directors.
We perform periodic risk assessments of the Company’s information systems based on regulatory guidance issued by the Federal Financial Institutions Examination Council (FFIEC) and state and federal regulators, including the FDIC and the UDFI. We use multiple real-time and interval-based monitoring and reporting mechanisms to detect and respond to cybersecurity incidents. We also engage multiple independent third parties or cyber experts to detect and defend against cybersecurity threats and to assess information security programs and practices including penetration testing. Additionally, we participate in various cybersecurity industry forums and have access to law enforcement analyses regarding current threats.
The ISO, along with the Bank’s Third-Party Oversight Committee, evaluates cybersecurity risks and information systems of third parties whose information systems support important Company operations or with whom the Company has significant business relationships at onboarding, on an ongoing basis and upon termination of the business relationship. Such evaluations may include reviews of reports or performing assessments of a third party’s information systems pursuant to established cybersecurity frameworks such as ISO 27001, published by the International Organization for Standardization, or the Cybersecurity Framework (CSF) published by the US National Institute of Standards and Technology, as well as reviews of reports issued by a third party’s auditors developed under the attestation standards issued by the American Institute of Certified Public Accountants (AICPA). When appropriate, the Company may include additional risk mitigation measures in its onboarding requirements for third parties to address any identified risk factors, such as minimum required information security performance agreements to enable cybersecurity threats and incidents to be managed within applicable industry or regulatory standards, disclosure obligations requiring reporting to the Company of the occurrence and mitigation of cybersecurity threats and incidents, and requirements to maintain adequate levels of cybersecurity insurance coverage.
When a cybersecurity incident occurs, whether detected internally or from a third party, we evaluate the incident for criticality and potential materiality and disclosure. We consider various factors in assessing the materiality of a cybersecurity incident, including the potential for misappropriation, destruction, corruption or unavailability of critical data and confidential or proprietary information (our own or that of third parties) and business operation disruption, and may consult with external advisors, experts or legal counsel in connection with our assessment. We have escalation procedures to notify members of our executive management, Board of Directors and regulators in a timely manner based on the criticality and materiality of any cybersecurity incident.
While we have experienced, and expect to continue to experience, cybersecurity threats, we did not experience any material cybersecurity incident in the year ended December 31, 2023. We may nevertheless be unsuccessful in the future in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. For additional information regarding cybersecurity risks, see “Risk Factors - Risks Related to Cybersecurity and Technology”.