Bank7 Corp. - (BSVN)
10-K Filing Date: March 25, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We outsource substantially all of our IT functions, including cybersecurity, through BankOnIT, LLC (“BankOnIT”), a third-party banking technology service provider. BankOnIT provides significant resources to identify, assess and manage risks from cybersecurity threats, including:
• Continuous 24/7/365 monitoring of our information systems;
• Scanning of our information systems;
• Continuous updating and testing processes;
• Performing vulnerability assessments; and
• Maintaining up-to-date firewall and anti-virus protections.
BankOnIT leverages certain industry and government associations and threat-intelligence resources to keep up to date on, and respond to, the latest cybersecurity threats.
We engage in regular assessments of our infrastructure, software systems, and network architecture utilizing third-party cybersecurity professionals, including annual penetration testing and audits of our information technology systems to identify vulnerabilities and areas for additional enhancement. Employees receive regular virtual and in-person security awareness training through simulated tests, company communications, and in-person training. We also maintain a third-party vendor management program to identify and assess risks of our third-party service providers.
Due to the type and volume of information that we collect and store to provide banking services to our customers, we are an attractive target for cyber threat actors seeking financial gain. Our failure to maintain the safety of our customers’ information could have a material adverse effect on our reputation, financial condition and results of operations. To date, we have not experienced a cybersecurity incident that resulted in a material adverse effect on our business strategy, results of operations, or financial condition; however, there can be no guarantee that we will not experience such an incident in the future. Although we maintain cybersecurity insurance, the costs and expenses related to cybersecurity incidents may not be fully insured. We describe whether and how risks from identified cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition under Item 1A. Risk Factors. “We are exposed to cybersecurity risks associated with our internet-based systems and online commerce security, including ‘hacking’ and ‘identity theft.’”
Governance
Our cybersecurity function is overseen by our Senior Vice President/ Operations & IT Manager who has over 9 years’ experience managing such functions. IT functions are also managed through our IT Committee which is comprised of several senior level executive officers and other Company employees and chaired by our Senior Vice President/ Operations & IT Manager. The IT Committee governs all IT functions at the Company and selects, monitors and manages our third-party IT service providers that implement and maintain our cybersecurity functions.
We also maintain a Cyber Incident Response Team, which includes a board representative and an executive officer representative and is chaired by our Senior Vice President/ Operations & IT Manager. The Cyber Incident Response Team is charged with developing and implementing incident response and recovery plans to guide our employees, management and the Board in their response to a cybersecurity incident.
Our Board of Directors is responsible for overseeing our enterprise risk management activities in general, including cybersecurity risks. The full Board receives a network health report at each board meeting from our Senior Vice President/ Operations & IT Manager, which addresses our overall network risk including any relevant cybersecurity threats and incidents.