California BanCorp - (CALB)

10-K Filing Date: March 21, 2024

Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

As a financial institution, our business depends on the continuous operation of our information and data processing systems and the security of information received from customers, employees and others. We have developed and implemented a cybersecurity program intended to protect the reliability of our critical systems and the confidentiality of nonpublic information.

Our cybersecurity program is designed to assess, identify and manage the material risks from cybersecurity threats, including threats associated with third-party service providers, such as technology providers and cloud-based platforms. Our program is based on the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”) and the guidance of banking and other regulatory agencies. As part of the program, we have adopted a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents and facilitates coordination and communication across multiple parts of our organization.

Our cybersecurity risk management process is integrated as part of our overall risk management program. Our information security professionals have primary responsibility for overall cybersecurity risk management. Our cybersecurity professionals are led by our Chief Technology Officer, who has over 30 years of experience in the information technology field, including over 20 years of experience focused solely on cybersecurity. Our Chief Technology Officer works in conjunction with the Compliance Manager, Information Security Manager/Information Security Officer and Enterprise Risk Manager to develop and maintain the cybersecurity program. In addition to our own employees, we engage third parties to provide security products and services as needed, using their technology and expertise to evaluate and enhance our cybersecurity program and to inform employees regarding evolving threats, risks and defensive measures. Generally, these third-party service providers are managed by the Information Security Manager/Officer.

We periodically review, test and assess our cybersecurity systems, using both internal resources and third-party service providers with cybersecurity expertise. We periodically (at least once per year) review and test our incident response plan through simulations and assessments.

We require periodic cybersecurity training for our employees to learn about data security, how to identify and mitigate potential cybersecurity risks and how to protect our resources and information. Members of the risk management, cybersecurity and technology teams receive specialized training about evolving cybersecurity threats and new risk mitigation and detection technologies.

We have developed processes to identify and oversee risks from cybersecurity threats associated with third-party service providers, which include the Information Security Manager/Officer assisting with and evaluating cybersecurity readiness during vendor selection and onboarding, as well as risk-based monitoring of vendors on an ongoing basis.

Cybersecurity Governance

Our Board of Directors and its Audit Committee are responsible for overseeing the cybersecurity program and policies. The Company’s management, led by the Chief Technology Officer, is responsible for designing and implementing the program. The Information Security Manager/Officer and Chief Technology Officer regularly report to the Audit Committee regarding management’s implementation of the cybersecurity program, cybersecurity risks and threats, assessments of our cybersecurity systems and the planning and status of projects to strengthen our information security. Our cybersecurity incident response plan requires that management promptly advise the Audit Committee of any material cybersecurity incident. The Chair of the Audit Committee regularly reports to the Board on cybersecurity risks and other matters reviewed by the Committee. Board members may attend Audit Committee meetings where cybersecurity issues are discussed and have access to the materials for management’s Risk and Technology and Enterprise Risk Management Committee meetings.

Cybersecurity Incidents

Like many financial institutions, we have experienced cyber-based attacks and other attempts to compromise our information systems, and we expect that we will continue to experience these attacks and attempts in the future. While we have not identified cybersecurity threats that have materially affected or are reasonably likely to materially affect us, like all financial institutions we face ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect our business, results of operations, or financial condition. See Item 1A – Risk Factors – “Risks Related to Technology—System failure or breaches of our network security, including as a result of cyber-attacks or data security breaches, could subject us to increased operating costs as well as litigation and other liabilities.”