Sound Financial Bancorp, Inc. - (SFBC)
10-K Filing Date: March 22, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Our enterprise risk management program is designed to identify, measure, monitor and control significant risks across various aspects of the Company. Cybersecurity risk management processes are integrated into this program, given our increasing reliance on technology and the potential for cyber threats. The cybersecurity risk management program contains eleven key elements: Information Security Policies, Strategic Planning, Risk Assessment, Audit and Examination, Business Continuity Planning, Incident Response Planning, Third-Party Due Diligence, Cyber Insurance Coverage, Employee Training and Testing, Patch and Vulnerability Management, and the Federal Financial Institutions Examination Council (“FFIEC”) Cyber Assessment Tool (“CAT”).
The Company is committed to protecting the information of clients, employees, and stakeholders from both conventional and cyber threats. This commitment is upheld through the implementation of our comprehensive Information Security Program (“ISP”), designed to ensure the confidentiality, integrity, and availability of critical information technology (“IT”) systems and data.
The Information Security Governance Committee (“ISGC”), appointed by the Board, bears the responsibility for cybersecurity risk management and strategy. It aids the Board in fulfilling its oversight duties related to IT security, aligning with the Bank’s business strategy, and adhering to regulatory requirements. The Virtual Chief Information Security Officer (“vCISO”), who is also appointed by the Board, oversees the ISP and coordinates the ISGC.
The ISGC's responsibilities encompass:
• Review and approval of the ISP-related documents, including policies, strategies, plans and risk assessments;
• Monitoring of control statuses and program gaps, including findings from audit reports and assessments;
• Participation in program assessments, such as risk and business impact assessments;
• Providing input on mitigation of current issues and threats;
• Reporting, at least quarterly, to the Enterprise Risk Management Committee on ISGC activities and risk impacts on the Risk Appetite Statement; and
• Reporting, at least annually, to the Board on the status of the ISP, covering compliance, risk management, vendor management, audit and testing results, breaches and incidents, and recommended updates to the ISP.
The Company’s approach to managing cybersecurity risks is shaped by insights from the FFIEC CAT, a tool designed for assessing and improving cybersecurity practices. This tool undergoes a thorough examination by an independent third party on an annual basis to ensure an unbiased and comprehensive evaluation. In its most recent assessment in 2023, the FFIEC CAT identified that the Company is operating at an acceptable level of cyber maturity. This means the Bank is effectively handling the inherent risks it faces in five critical areas: cyber risk management and oversight, collaboration on threat intelligence, implementation of cybersecurity controls, management of external dependencies, and resilience in handling cyber incidents.
To stay ahead of potential cybersecurity challenges, the Company has established a formal process. This process is activated whenever the FFIEC CAT or the ISGC identifies changes in inherent risks. In response, the Company proactively updates its cybersecurity objectives, policies, and tactical goals. This ensures that the Company’s cybersecurity strategy remains responsive, continuously adapting to emerging threats and evolving industry standards.
Acknowledging the crucial role of third-party service providers, the Board-approved Vendor Management Policy, coupled with the ISP, guides the identification and management of risks posed by critical vendors. A third-party risk assessment, based on due diligence criteria and identified controls, is conducted regularly to assess inherent and residual risks. Contractual requirements ensure that providers maintain information security controls, providing reasonable assurance of data confidentiality, integrity, and availability. Third-party access is inventoried and monitored, with management reporting to the Board annually on the status and overall effectiveness of the Vendor Management Program.
Further, to enhance cybersecurity awareness, reduce vulnerability, and foster consideration of cybersecurity threats, our employees and the Board of Directors attend annual training. Specific role-based training is mandatory for certain employees, tailored to their duties.
In the ordinary course of business, we rely heavily on electronic communications and information systems to conduct our operations and to store sensitive data. We employ a layered, defensive approach that leverages people, processes and technology to manage and maintain cybersecurity controls. A variety of preventive and detective tools are used to monitor, block, and alert us to suspicious activity, including potential advanced persistent threats. Despite our defenses, the severity and sophistication of cyber-attacks are on the rise. Attackers adapt quickly to changes in defense measures. While we have not identified significant compromises, substantial data losses, or major financial setbacks from cybersecurity attacks so far, our systems, along with those of our clients and service providers, face constant threats. There is no guarantee that our cybersecurity risk management program will completely safeguard the confidentiality, integrity, and availability of our information systems and solutions. Cybersecurity risks are anticipated to stay elevated due to the evolving nature of threats and the increased use of online and mobile banking services. See “Risks Related to Cybersecurity, Data and Fraud” under “Item 1A. Risk Factors” in this Form 10-K for a further discussion of risks related to cybersecurity.
Governance
The Board of Directors is responsible for the development, implementation, and maintenance of the ISP. Specifically, the Board oversees:
• Continuous administration of the ISP;
• Annual review and approval of the ISP policies;
• Assignment of critical roles, including the vCISO; and
• Review of reports provided by the ISGC at least annually.
Adherence to the ISP is of utmost importance, and any exceptions to policy must be recommended by the ISGC, approved by the Enterprise Risk Management Committee, and reported to the Board at least annually.
As previously stated, the ISGC, appointed by the Board, bears the responsibility for cybersecurity risk management and strategy. The vCISO oversees the ISP and coordinates with the ISGC. The ISGC includes key personnel including the vCISO, Chief Operating Officer, Technology Services Director, Information Technology Manager, Internal Audit Manager, Compliance Manager, and Information Security Specialists. The ISGC members bring diverse qualifications, certifications, and extensive experience to the table. This collective expertise ensures a comprehensive and well-rounded approach to our information security initiatives.
Our vCISO has substantial relevant expertise and formal training in the areas of information security and cybersecurity risk management and is accountable for managing our enterprise information security department and developing and implementing our information security program. The responsibilities include cybersecurity risk assessment, defense operations, incident response, vulnerability assessment, threat intelligence, identity access governance, third-party risk management, client, vendor and employee education and awareness, and business continuity and disaster recovery. The ISGC, as a whole, consists of information security professionals with varying degrees of professional education, certifications and experience. This blend of diverse qualifications, certifications, and experience within the ISGC ensures a comprehensive and flexible approach to information security, positioning the Company to address emerging threats and maintain a robust defense against potential risks.