First Western Financial Inc - (MYFW)
10-K Filing Date: March 15, 2024
ITEM 1C: CYBERSECURITY
Cybersecurity Risk Management and Strategy
The Company maintains an information security program (the “Program”) to identify, assess, and manage material risks to its business, operations, and assets related to cybersecurity threats. The Company leverages recognized security frameworks and guidelines, such as the National Institute of Standards and Technology Cybersecurity Framework and Federal Financial Institutions Examination Council ("FFIEC") guidelines, to organize, assess, and improve our Program. Key components of the Program include, among other things:
• Risk-based cybersecurity controls: As part of the Program, the Company maintains numerous administrative, technical, and physical controls that are calibrated based on risk and designed to protect the confidentiality, integrity, and availability of our information systems and data stored thereon.
• Cybersecurity incident response plan and testing: The Company has incident response plans that establish a structured approach for the Company’s response to cybersecurity incidents. To improve preparedness for a cybersecurity incident, we conduct tabletop exercises at least annually. These exercises are conducted by internal team members and in some instances with assistance from third-party experts.
• Training and education: We include cybersecurity training as part of our annual employee training program. Additional cybersecurity and privacy education and awareness are periodically provided to employees utilizing various delivery methods such as phishing campaigns, training sessions, and informational articles.
• Third-party service provider risk management: The Company’s third-party risk management program applies a risk-based approach to the assessment, onboarding, and ongoing due diligence of key third-party service providers, including the assessment and mitigation of cybersecurity-related risks.
• Engagement of third-party assessors and consultants: We periodically engage third-party experts and consultants to conduct assessments and tests of our security controls, such as penetration tests and framework assessments. The Company also engages a third-party managed detection and response service provider to monitor Company systems for cybersecurity threats.
We also consider cybersecurity-related risks, along with other top risks for the Company, as part of our overall enterprise risk management (“ERM”) process. Cybersecurity risks are included in the risk universe that the ERM function evaluates, with input from information security subject matter experts at the Company, to assess top risks to the enterprise. The ERM process provides input into our strategic planning process, such as development of action plans to address and mitigate identified risks. In the last fiscal year, we have not identified risks from known cybersecurity threats, including as a result of previously identified cybersecurity incidents, that have materially affected the Company, including our operations or financial condition, but we cannot provide assurance that we will not be materially affected in the future by such risks or any future material cybersecurity incidents. For more information on our cybersecurity-related risks, see Item 1A Risk Factors.
Governance
The Company’s information security officer ("ISO") leads the Company’s overall cybersecurity function and currently reports to our Chief Operations Officer. The Company's current ISO has formal education in information technology and extensive work experience gained from over 10 years in various technology leadership roles. Our executive leadership team is actively engaged in the oversight and strategic direction of our Program and meets with the ISO to review and discuss the Company’s Program, including emerging cybersecurity risks, threats, and industry trends.
Our Board of Directors (the “Board”) considers cybersecurity risk as part of its risk management oversight function and has delegated to the Audit Committee oversight of cybersecurity risks. The Audit Committee receives updates from the ISO and other Company management on cybersecurity matters at least annually. The Audit Committee reports findings and recommendations, as appropriate, to the full Board of Directors for consideration. The Audit Committee also receives information about cybersecurity risks as part of the Company’s ERM program and reporting. In addition, any cybersecurity incident assessed as being, or potentially becoming, material is escalated for further assessment and then reported to designated members of our senior management and, if necessary, the Audit Committee.