FIRST COMMUNITY CORP /SC/ - (FCCO)

10-K Filing Date: March 21, 2024
Item 1C. Cybersecurity

Our risk management program is designed to identify, assess, and mitigate risks across various aspects of our company, including financial, operational, regulatory, reputational, and legal. Cybersecurity is a critical component of this program, given the increasing reliance on technology and potential for cyber threats. Our Information Security Officer has primary oversight of the cybersecurity component of the Bank’s risk management program, together with our Director of Information Technology Infrastructure. Both of these individuals are key members of senior management, reporting directly to the Chief Operations/Chief Risk Officer and as discussed below, periodically to the Audit & Compliance Committee of our board of directors.


Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse our systems or information. The structure of our information security program is designed around the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, regulatory guidance, and other industry standards. In addition, we leverage certain industry and government associations, third-party benchmarking, audits, and threat intelligence feeds to facilitate and promote program effectiveness. Our Information Security Officer and Director of Information Technology Infrastructure and Chief Operations/Chief Risk Officer along with other key members of management regularly collaborate with expert resources, industry groups, and regulators to discuss cybersecurity trends and issues and identify best practices. The information security program is periodically reviewed and reported upon to the Audit & Compliance Committee of the Board with the goal of addressing changing threats, risks, and conditions.


We employ an in-depth, layered, defensive strategy that embraces a “trust by design” philosophy when designing new products, services, and technology. We leverage people, processes, and technology as part of our efforts to manage and maintain cybersecurity controls. We also employ a variety of preventative, detective and corrective controls/tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. We have established processes and systems designed to mitigate cyber risk, including regular and ongoing education and training, preparedness simulations, tabletop exercises, and recovery and resilience tests. We engage in regular assessments of our infrastructure, software systems, and network architecture, using internal cybersecurity measures and third-party specialists. We also maintain a third-party risk management program designed to identify, assess, and manage risks, including cybersecurity risks, associated with external service providers and our supply chain. We actively monitor our email gateways for malicious phishing email campaigns and monitor remote connections. We leverage internal and external auditors and independent external partners to periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and make recommendations to strengthen our risk management program.


We maintain an Incident Response Program that provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification of and escalation to the appropriate executive officers, Board-approved committees, regulators, law enforcement and the Audit & Compliance Committee of our board of directors. The Incident Response Plan is coordinated through the Information Security Officer and key members of management are embedded into the Plan by its design. The Incident Response Plan facilitates coordination across multiple parts of our organization and is evaluated at least annually.


Notwithstanding our defensive measures and processes, the threat posed by cyber attacks is severe. Our internal systems, processes, and controls are designed to mitigate loss from cyber attacks. To date, cybersecurity threats have not materially affected our company, but we remain diligent, nonetheless. For further discussion of risks from cybersecurity threats, see the section captioned “Our Information Systems May Experience Failure, Interruption or Breach in Security” in Item 1A. Risk Factors.


Governance


Our Information Security Officer is accountable for oversight, risk assessment and reporting on our information security program, leveraging the Director of Information Technology Infrastructure and other resources as needed. Responsibilities include cybersecurity risk assessment, defense operations, incident response, vulnerability assessment, threat intelligence, identity access governance, third-party risk management, board training, employee training, and business resilience. The foregoing responsibilities are covered on a day-to-day basis by a first line of defense function, and our second line of defense function, including the Information Security Officer, provides guidance, oversight, monitoring and challenge of the first line’s activities. The second line of defense function is separated from the first line of defense function through organizational structure and ultimately reports directly to the board of directors with a functional reporting line to the Chief Operations/Risk Officer. Both the first line of defense and the second line of defense are subject to experience and professional education requirements. In particular, our Information Security Officer has substantial relevant expertise and formal training in the areas of information security and cybersecurity risk management. Our board of directors has approved management committees including the Information Technology Steering Committee, which focuses on technology impact and business impact. This committee provides oversight and governance of the technology program and the information security program. This committee is chaired jointly by the Information Security Officer and Director of Information Technology Infrastructure and made up of key departmental managers from throughout the entire company. Two executive leadership team members oversee this committee.


The Information Security Officer reports summaries of key issues, including significant cybersecurity and/or privacy incidents, to the Audit & Compliance Committee of our board of directors on a quarterly basis (or more frequently as may be required by the Incident Response Plan). The Audit & Compliance Committee of our board of directors is responsible for overseeing our information security and technology programs, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. Our Information Security Officer also provides quarterly reports to the Audit & Compliance Committee of our board of directors regarding the information security program and the technology program, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes. The executive leadership team and the board of directors review and approve our information security and technology budgets and strategies annually.


Additionally, the Audit & Compliance Committee of our board of directors reviews our cybersecurity risk profile on a quarterly basis and provides a report to the full board of directors no later than the next board meeting following its own meetings.