USCB FINANCIAL HOLDINGS, INC. - (USCB)
10-K Filing Date: March 22, 2024
Item 1C. Cybersecurity
Risk Management and Strategy Overview
Customers depend on the Company to properly protect nonpublic personal information gathered and stored in
connection with the services we provide. The Company realizes that cyber incidents can have financial, reputational, legal,
and operational impacts that can significantly adversely affect our customers, capital, and earnings. Therefore, we integrate
cybersecurity processes throughout the Company as part of our enterprise-wide governance process. Regulatory agencies
are charged with ensuring the Company’s cybersecurity controls and procedures are compliant with the intent of the
cybersecurity expectations set forth by the Federal Financial Institutions Examination Council (“FFIEC”). The FFIEC
framework offers a set of guidelines and best practices to help financial institutions manage and mitigate cybersecurity risks
effectively. It focuses on ensuring the confidentiality, integrity, and availability of sensitive information and systems.
The Information Security Officer (“ISO”) is an integral member of the Risk Management and Compliance Department
(“RMCD”) of the Bank, provides expert counsel on matters of cybersecurity, and presents periodic reports to the
Risk Committee of our Board of Directors.
As part of the program, periodic risk assessments are performed to determine the Company’s inherent and residual
cybersecurity risk, the maturity level of the program, the risk of cyber threats, and the effectiveness of controls currently in
practice. The Company utilizes the National Institute of Standards and Technology (“NIST”) Framework and the FFIEC’s
Cybersecurity Assessment Tool to help management identify its risks and determine the Company’s cybersecurity posture.
Through the implementation of rigorous procedures and controls, augmented by ongoing training initiatives for both
management and staff, the institution cultivates a safe cybersecurity environment. This approach encompasses diverse
methodologies, including defense-in-depth and proactive security awareness training, aimed at fortifying the institution's
cybersecurity controls and fostering a resilient operational framework.
Assessment and Response to Cybersecurity Threats
It is the policy of the Company and its technology service providers (“TSPs”) to ensure they can identify, mitigate, and
respond to cyber-attacks involving destructive malware and invasive attacks such as phishing, ransomware, malware, DDoS
attacks, etc. This commitment aligns with the Company’s risk appetite, Incident Response Policy, and Business Continuity
Plan, which incorporates business continuity planning and testing activities to enhance response and recovery capabilities.
The Company realizes that it faces a variety of risks from cyber-attacks involving destructive malware, including liquidity,
capital, operational, and reputation risks, due to events such as fraud, data loss, and disruption of customer service. As
such, it is the policy of the Company to ensure that its risk management processes and business continuity planning address
these risks by:
● oversee the information/cybersecurity programs to ensure adherence to regulatory guidance and industry best
practices.
● logical network segmentation, hard backups, maintaining an inventory of authorized devices and software, and
physical segmentation of critical systems. Consistency in system configuration fosters a secure network
environment by removing or disabling unused applications, functions, or components.
● and segregation of duties. Limits on sign-on attempts for critical systems are enforced, with accounts being locked
upon threshold exceedance. Alert systems notify of baseline control changes on critical systems, with the
effectiveness and adequacy of controls periodically tested and the results reported to Senior Management and, if
applicable, the Risk Committee, along with recommended risk mitigation strategies and progress to remediate
findings.
● and detection systems. This includes maintaining up-to-date intrusion detection systems, antivirus protection, and
properly configured firewall rules. Systems are monitored to identify, prevent, and contain attack attempts from all
sources.
● cyber-attack incidents involving destructive malware. These processes encompass data and business operations
recovery, network capability rebuilding, and data protection for offline backups in the event of cyber-attacks
impacting the Company or its critical service providers.
● and loan accounts. This involves identifying, prioritizing, and assessing risks to critical systems, including threats to
applications controlling various system parameters and implementing necessary security prevention measures.
● Testing encompasses both in-house and third-party processor scenarios to validate employee understanding of
responsibilities and adherence to Company protocols.
Executive Oversight and Roles
The responsibility for adopting and maintaining an effective cybersecurity program is assigned to the RMCD, who
collaborates with functional area management, departmental level managers, and other relevant staff. Management
Committees and the Board of Directors review reports submitted by the RMCD detailing the Company’s inherent and
residual cybersecurity risk, program sophistication level, and high-risk threats identified in the cybersecurity risk assessment.
The Board oversees the development and maintenance of the information security program, holding management
accountable. Management committees ensure program integration and effectiveness, with the RMCD responsible for
cybersecurity controls and procedures. The Board receives regular reports on cybersecurity risk assessment and program
updates, providing expectations and requirements to management and holding them accountable for oversight and
coordination, assignment of responsibility, and the effectiveness of the information security and cybersecurity program.
Annually, or as required, the RMCD provides a comprehensive report to the Board or a designated committee regarding
the status of the cybersecurity program. This report encompasses internal assessments, utilization of the FFIEC
Cybersecurity Assessment Tool, discussion of significant program matters such as the annual risk assessment, risk
management decisions, monitoring of service provider compliance, results of key controls testing, security breaches or
violations, management's responses, and recommendations for program enhancements.
Engagement with Third Party Vendors
"Private information," which is part of the "Internet Security and Privacy Act" and considered "Highly Sensitive
Information" under the Company’s definition, must not be released as storable data to third-party consultants without security
procedures that demonstrate compliance with the Company's third-party diligence in protecting the data and ensuring its
proper distribution when no longer needed. "Private or highly sensitive information" refers to personal information (e.g.,
information concerning an individual which, because of name, number, symbol, mark, or other identifier, can be used to
identify an individual) in combination with any one or more of the following data elements: (1) social security number; (2)
driver’s license number or non-driver identification card number; (3) account number, credit or debit card number, in
combination with any required security code, access code, or password which would permit access to an individual’s
financial account(s) at the Company including but not limited to an individual’s deposit and loan accounts. It does not include
publicly available information that is lawfully made available to the public from federal, state, or local government records
unless attached in any way to the previously mentioned documentation.
Compliance with Regulatory Standards
Testing of cybersecurity controls and procedures will be conducted annually, or more frequently if deemed necessary, to
ensure compliance. In instances of identified deficiencies or vulnerabilities, remedial action plans will be implemented to
rectify issues or establish mitigating controls. Any exceptions deemed significant will be promptly reported, with remediation
efforts prioritized.
Annually, or as required, the RMCD will provide a comprehensive report to the Board or a designated committee
regarding the status of the cybersecurity program. This report will encompass internal assessments, utilization of the FFIEC
Cybersecurity Assessment Tool, and discussion of other significant program matters.
As of the reporting period, there is no knowledge or indication that customer sensitive information was compromised as
a result of third parties’ system vulnerabilities. Management continues to monitor developments and vendor
communications.