BLUE RIDGE BANKSHARES, INC. - (BRBS)
10-K Filing Date: March 15, 2024
Cybersecurity threats present a significant risk to the Company. The Company is committed to protecting its assets and the personally identifiable information and other data of its customers and employees. Further, the Company understands that a cybersecurity event might have a material adverse effect on its business, financial condition, results of operations, reputation, and future success in the marketplace. The materiality of any such adverse effect would be determined by the facts and circumstances of the specific incident and may include consideration of nonfinancial factors and follow-on impacts. Although the Company has not experienced a material cybersecurity incident, it periodically experiences threats or is tested by bad actors, including phishing, smishing, and vishing.
The Company believes it maintains a robust cybersecurity program designed to assess and manage risks from cyber threats. This cybersecurity program, which is directed by the Chief Information Security Officer (“CISO”), is integrated with the Company’s enterprise risk and compliance programs and business continuity management program (“BCMP”). The Company's cybersecurity program leverages industry standards, such as the FFIEC Cybersecurity Assessment Tool, and is routinely evaluated for improvement, particularly due to evolving risks in this area.
Under the leadership of the CISO, the information security department is responsible for evaluating and developing the processes for monitoring, identifying, containing, and remediating the impact of cybersecurity risks, vulnerabilities, and threats. The CISO also directs technology efforts, both internally and through third-party service providers, to strengthen controls throughout the organization. Due to reliance upon third-party service providers, the Company uses a variety of methods and tools to assess providers’ system and organizational controls related to cybersecurity threats, which includes but is not limited to proof of the provider’s independent testing of data protection controls, imposition of contractual obligations, review of vulnerability and penetration testing, and review of data protection controls such as backups, encryption standards, and disaster recovery.
The Company’s BCMP provides a structured framework for responding to actual or potential cybersecurity incidents, including escalation to the appropriate stakeholders. The BCMP is coordinated by the Business Continuity Manager, who reports to the Chief Information Officer (“CIO”), and key members of management who are embedded into the BCMP by its design. The BCMP is evaluated and tested at least annually.
The Company's cybersecurity program is subject to multiple audits throughout the year primarily using third-party audit firms that possess particular expertise, under the leadership of the Company's internal audit function.
Cybersecurity issues are brought before the Information Technology (“IT”) Steering Committee, which meets quarterly or as needed. This committee, chaired by the CIO, is composed of the CISO, Chief Operations and Technology Officer, Chief Risk Officer, Business Continuity Manager, Director of Information Technology, and Director of Internal Audit. At these meetings, committee members discuss relevant cybersecurity issues, which may include new threats, incidents, and information.
No less than quarterly, the chair of the Information Technology Steering Committee presents a summary of the Company’s cybersecurity landscape to the Company’s Enterprise Risk Management Committee of the board of directors. Additionally, the CIO presents an IT program update to the Company's board of directors, which includes cybersecurity topics.
The CIO and the CISO each have over 20 years of experience leading cybersecurity oversight, and others under their leadership have cybersecurity experience and certifications. However, the Company considers cybersecurity to be a shared responsibility and conducts periodic simulations and training for all employees. In 2024, the Company is scheduling two table-top scenario training exercises for all personnel.
For more information about cybersecurity threats that could have a material impact on the Company's business, see the discussion in "The Company's operations may adversely be affected by cybersecurity risks" in Item 1A, Risk Factors, of this Form 10-K.