BayCom Corp - (BCML)

10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

Cybersecurity is one of the cornerstones of our strategic business plan and the driving force behind our digital transformation journey. As a financial institution, we confront a spectrum of cyber threats, ranging from common attacks like ransomware to sophisticated, organized assaults by nation-state actors. These risks extend to our customers, shareholders, suppliers, and partners, emphasizing the critical need for a robust cybersecurity stance. In light of these challenges, maintaining resilience in our cybersecurity posture is not just a priority but a fundamental necessity to safeguard our operations and performance and to maintain customer confidence in our banking services.

The Board of Directors oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk appetite with our strategic objectives. Our enterprise risk management program is designed to identify, measure, monitor and control all significant risks across various aspects of the Company. Cybersecurity risk management processes are integrated into this program, given the increasing reliance on technology and the potential for cyber threats. Our Director of Information Technology leads our cybersecurity program, reports directly to the Chief Operating Officer (“COO”), and provides reports and updates to the Audit Committee, the Enterprise Risk Committee and the Chief Risk Officer (“CRO”) quarterly or more frequently as required.

Our objective for managing cybersecurity risk is to maintain appropriate layers of safeguards to protect information systems from possible threats and to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse our systems or information. Our Information Security Program aligns with industry frameworks, such as the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbooks, and the FFIEC Cybersecurity Assessment Tool, and is periodically reviewed and updated at least annually or more frequently upon significant changes to our operating environment. Our Information Security Program is led by our Information Security Officer in conjunction with our Director of Information Technology.

We maintain an Incident Response Plan (“IRP”) that provides a documented framework for responding to actual or potential cybersecurity incidents. The IRP is coordinated through the Director of Information Technology, COO, CRO, and key members of management and addresses roles, responsibilities, and communication and contract strategies in the event of a compromise, including analysis of reportable events in accordance with applicable legal and compliance requirements.

We rely on a series of processes to identify threats, hazards, and other risks to our information assets. We employ a variety of preventative and detective tools from our Managed Security Services provider designed to monitor, detect, block, and provide alerts regarding suspicious and unauthorized activity and to report on suspected advanced persistent threats. In addition to regular risk assessments, we rely on independent assessments, audits, and cybersecurity feeds from vendors, including directly into patch and vulnerability management tools. We engage cybersecurity experts and third-party specialists to perform regular assessments of our infrastructure, software systems and network architecture. We also leverage internal and external auditors and independent external partners to periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness. We have regular and ongoing security education and training for employees and recovery and resilience tests. The Bank also retains third-party experts to conduct intrusion and penetration testing on an annual basis. All risk and security assessment results are shared with the Board of Directors.

Our assets are classified and protected based on the results of our risk assessment practices, which assess a variety of critical factors, including the type of data stored, system availability needs, confidentiality requirements, recovery time objectives, transactional processing, the number of users, and the volume and magnitude of transactions. Our Information Technology teams meet to ensure that risks are identified in a timely manner, patch and vulnerability requirements are monitored, and the necessary changes are implemented.

Our Information Technology Governance ensures alignment between the Bank's technological strategy and business goals. We strive for efficient utilization of IT resources while effectively managing IT risks within the Bank's risk appetite. Additionally, our robust Vendor Management Program ensures proper oversight during the onboarding of new products, projects, and third-party vendors.

Identified Cybersecurity Risks

Federal regulators have issued multiple statements and guidance regarding cybersecurity, stating that financial institutions need to design multiple layers of security controls to establish lines of defense and to ensure that their risk management processes also address the risk posed by compromised client credentials, including security measures to reliably authenticate clients accessing internet-based services of the financial institution. In addition, a financial institution’s management is expected to maintain sufficient business continuity planning processes to ensure the timely recovery, resumption and maintenance of the institution’s operations in the event of a cyber-attack. A financial institution is also expected to develop appropriate processes to enable recovery of data and business operations and to address rebuilding network capabilities and restoring data if the institution or its critical service providers fall victim to a cyber-attack. If a financial institution fails to observe the regulatory guidance, it could be subject to various regulatory sanctions, including financial penalties.

State regulators have also been increasingly active in implementing cybersecurity standards and regulations. Recently, several states have adopted laws and/or regulations requiring certain financial institutions to implement cybersecurity programs and providing detailed requirements with respect to these programs, including data encryption requirements. Many such states have also recently implemented or modified their data breach notification and data privacy requirements. We expect this trend of state-level activity in those areas to continue, and we continue to monitor relevant legislative and regulatory developments.

In the ordinary course of business, we rely on electronic communications and information systems to conduct our operations and to store and transmit sensitive data. We employ a layered, defensive approach that leverages people, processes, and technology to manage and maintain cybersecurity controls. We employ a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected advanced persistent threats. Notwithstanding the strength of our defensive measures, the threat from cyber-attacks is severe, attacks are sophisticated and increasing in volume, and attackers respond rapidly to changes in defensive measures. While to date we have not detected a significant compromise, significant data loss or any material financial losses related to cybersecurity attacks, our systems and those of our clients and third-party service providers are under constant threat and there can be no assurance that our cybersecurity risk management program will be fully effective in protecting the confidentiality, integrity and availability of our information systems and our solutions. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of Internet banking, mobile banking and other technology-based products and services by us and our clients. See “Risks Related to Cybersecurity, Third Parties and Technology” under “Item 1A. Risk Factors” in this Form 10-K for a further discussion of risks related to cybersecurity.

Management and Board Oversight of Cybersecurity Risks

Our Cybersecurity Program is managed by the Director of Information Technology, who leads our Information Technology team, which is responsible for enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. The Director of Information Technology provides periodic reports to the executive risk management committee and the board-level risk committees of the Company and the Bank and the Chief Executive Officer and other members of our senior management, as well as the cross-functional management team that oversees the information security and information technology programs. These reports address key cybersecurity topics, including the implementation and operation of preventative controls and the detection, mitigation, and remediation of cybersecurity incidents. The Chief Operating Officer, Chief Risk Officer, and board-level risk committees of the Bank provide comprehensive reports to the full Board of Directors regarding pertinent cybersecurity risk management topics.

Our Director of Information Technology has more than 20 years’ experience in financial services, substantial relevant expertise and formal training in the areas of information security and cybersecurity risk management, and is accountable for managing our enterprise information technology department and developing and implementing our cybersecurity and information security programs. These qualifications, certifications, and experience include a degree from the University of California, Santa Barbara with a focus on Business Administration coursework, and the Certified Information Systems Security Professional certification from ISC2.