Southern California Bancorp \ CA - (BCAL)
10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
The Company implements a comprehensive Information Security Program ("Program") to safeguard data confidentiality, integrity, and availability. The Program leverages recognized frameworks such as those of the National Institute of Standards and Technology ("NIST") and the Federal Financial Institutions Examination Council ("FFIEC") to identify, prevent, and mitigate cybersecurity threats. Regular assessments and updates ensure the Program's effectiveness in managing and reducing risk.
The Program integrates seamlessly with the company's enterprise risk management program. Continuous threat and vulnerability assessments inform system and control updates, effectively mitigating risks. Layered security controls work together to protect customer information and transactions. Additionally, third-party experts conduct periodic program evaluations through penetration testing, audits, and best practice consultations, with results driving program improvement initiatives. As a regulated entity, Bank of Southern California undergoes regular bank regulatory examinations evaluating the information security program and its compliance with federal regulations.
The Company's third-party risk management program oversees and identifies cybersecurity threats associated with service providers. While visibility into third-party operations is limited, risk-based evaluations are conducted. These evaluations involve reviewing security assessment questionnaires, testing summaries, audit reports, and information security policies.
Recognizing the importance of continuous security awareness, the Company provides comprehensive employee training. This includes mandatory cybersecurity and fraud training at onboarding, monthly email phishing tests, and annual computer-based training.
In addition, the Company has an incident response plan (“IRP”) that takes effect if an event is identified by the information technology or information security team or by one of our third-party vendors. The Company’s Information Security Officer (“ISO”) would activate the IRP and communicate with the team members in accordance with the IRP. If the incident is material, the Chief Risk Officer would disclose the incident to the management Disclosure Control Committee.
While no material cybersecurity incidents have been identified during the reported fiscal year, the Company acknowledges the ongoing and evolving nature of cyber threats and remains vigilant in its efforts.
Governance
The Company's internal controls incorporate a protocol for reporting and escalating information security matters to management and the Board of Directors for resolution and, if necessary, disclosure of any material incidents. The Board oversees continuous efforts to strengthen operational resilience and receives ongoing education to enhance their oversight capabilities in the face of evolving threats. The ISO, who reports directly to the Chief Risk Officer, periodically updates the Company’s Information Technology Committee, the Company’s Audit and Risk Committee (“ARC Committee”) and the Board of Directors on information and cybersecurity risks, threats, exposures, and mitigation measures. The Company's IRP is regularly tested, incorporating cybersecurity scenarios.
The ISO leads program development, implementation, and reporting to the Board. The ISO possesses extensive experience, with over 25 years securing information systems and data, and holds many industry certifications, including Microsoft Certified Software Engineer + Security, Exchange Security, CompTIA Security+, PenTest+, Cybersecurity Analyst (CySA+), Cisco Certified Network Admin + Security enhancement, Cisco Certified Design Architect, and Certified Ethical Hacker. Recognizing cybersecurity as a shared responsibility, the Company conducts periodic management-level simulations and tabletop exercises with external resources and advisors as needed.
The Board of Directors provides ultimate oversight and monitoring of the Program and its policies. The ARC Committee oversees areas such as information technology activities, cybersecurity-related risks, and disaster recovery processes. Additionally, management-level technology and security personnel oversee program management and related assessments, while operational committees manage specific cybersecurity-related risks.
While not currently experiencing material impacts, the Company acknowledges the existence of cybersecurity risks.