CENTRAL VALLEY COMMUNITY BANCORP - (CVCY)
10-K Filing Date: March 15, 2024
ITEM 1C - CYBERSECURITY
We recognize the crucial importance of identifying, assessing, and managing material risks from cybersecurity threats. We are committed to implementing and maintaining a comprehensive information security program to manage such risks and safeguard our systems and data, including the data of our customers.
Information Security Risk Management and Strategy
We manage our cybersecurity risk in accordance with our Information Security Program, which is applicable to all users of our information technology assets, information assets, and facilities, including our directors, officers, employees, temporary workers, business partners, contractors, vendors, service providers, and individuals affiliated with third parties. The Information Security Program includes a dedicated Cybersecurity Incident Response Plan (the “CIRP”), which sets forth the rules and requirements for detecting, investigating, containing, eradicating, and resolving information security incidents, and addresses the response portion of security monitoring. The Information Security Program also includes: (i) a collection of Security Incident Forms, which delineate the processes for reporting, classifying, investigating, documenting, and communicating information security incidents, and (ii) Security Guidelines and Baseline Protections, which establish the rules and requirements for enabling, logging, alerting on, and monitoring real-time security alerts and security logs (automated or manual) in connection with security incidents.
Potential information security incidents are identified in a number of ways, including, but not limited to: users reporting security violations, system weaknesses, or violations of our Acceptable Use Policy (which addresses the boundaries of acceptable use of our information technology assets); automated system alerts; and monitoring of both system-generated and manually generated logs. Our Information Security Program mandates that any potential information security incident be reported to a member’s direct supervisor, IT Management, and/or the Information Security Officer, to initiate the internal communication and investigation stage, during which such events undergo initial investigation for validation, including with respect to the scope and depth of such incident and to ensure that it has not resulted from a false positive. Internal communications regarding the potential incident are led by the Information Security Officer and the Incident Response Team (“IRT”) in accordance with the CIRP.
Following this initial stage, we gather and update impact information and related documentation for such incidents. We use an incident classification matrix to determine the initial classification of a potential information security incident, which considers the users, customers, and systems affected, the sensitivity of data at risk, and the potential business impacts to the Company, including financial, legal, regulatory, operational, and reputational impacts. The resulting classification of severity level “One,” “Two,” or “Three” identifies next steps for escalation and communication following the initial investigation of the potential incident. Upon escalation of an incident, per our Information Security Program, the IRT and ISO review and validate the initial determination of the priority of the incident prior to entering into subsequent investigative and response stages. Upon validation, the IRT and ISO engage the Company’s technology service provider to respond to the incident, and notifications or communications are made to either additional personnel or any external entities. Depending on the specific details of any such incident, we may notify additional members of our management team, our board of directors, the Audit Committee, state and federal regulators, technology service providers, and/or the SEC. The timing of such communications varies based on the details of a particular incident and applicable regulations governing such disclosure. Following this classification and communication stage, we enter the recovery stage to determine containment and a response to the incident; the Company’s technology service provider assigns technical staff to address such incident, implement containment, eradicate the incident source, and recover from such incident.
Following any such incident and as determined by the Security Incident Forms, we engage in predefined follow-up activities to communicate with law enforcement and notify impacted third parties and customers, as appropriate, in addition to further investigating the cause of the incident, documenting takeaways, and engaging in remediation.
Our Information Security Officer (“ISO”) coordinates with other members of our Incident Response Team identified in our Information Security Program to document, validate, respond to, and manage actual or potential security incidents according to their threat classifications as described above, and reports to our board of directors and/or the Audit Committee on an ad hoc basis. The ISO also provides annual reports on the status of our Information Security Program and its compliance with regulatory requirements to our board of directors in connection with our board’s general risk management oversight role, as described in further detail below. The ISO is responsible for overseeing day-to-day operations of the Information Security Program; coordinating or contributing to reviews, audits, risk assessments, and other risk management material; developing departmental policies and procedures for board approval; and providing periodic updates to our Information Technology Steering Committee and/or the Board of Directors Technology Committee. The ISO reports to the Senior Risk Officer.
The ISO has over 15 years of industry experience, including management of cybersecurity, enterprise telecommunications infrastructure, and vendor relationships, and holds both undergraduate and graduate level degrees, including a Bachelor of Science in Information Security and Assurance and a Master of Science in Information Security and Assurance. Additionally, the ISO was previously certified in 18 industry niches to foster in-depth understanding of technology and its associated risks, including certification as a Certified Ethical Hacker, Certified Computer Hacking Forensics Investigator, Database Design, Web Design, and CCNA Routing, Switching, and Security, and is currently enrolled in the International Information System Security Certification Consortium’s official Certified Information Systems Security Professional curriculum. Furthermore, the ISO must effectively collaborate with business leaders, executives, and stakeholders. To bolster the collaboration, communication, and business skills necessary to analyze risk holistically, the ISO has undertaken additional graduate level curriculum, including a Master of Business Administration degree program, while maintaining active membership in the National Society of Leadership and Success Honors Society.
With the approval of the Audit Committee, we also engage third party assessors, consultants, and auditors in connection with the Company’s Information Security Program and in accordance with our Audit Program, including to conduct external and internal penetration testing, independent audits, and risk assessments. The ISO performs information security assessments for third party service providers that store or process our confidential data. These information security assessments include a review of any service organization controls (“SOC”) reports and proof of the vendor’s independent testing of their data protection controls, as well as a review of any exceptions noted and an assessment of management responses, results of vulnerability and penetration testing, incident response processes, and third party data protection controls (which can include, but are not limited to: access reviews and controls, backups, monitoring, encryption standards, and disaster recovery). The review of these areas is taken into account in order to provide an overall information security conclusion and risk rating for the vendor. In addition, we use a combination of technology, policies, procedures, training, and monitoring to promote security awareness and prevent security incidents.
Cybersecurity Risk Oversight
Our executive management team is responsible for the development of our policies and procedures and for managing any exceptions to the same. In particular, our ISO, a nonmember of the executive management team, oversees information security compliance, as described above. The board of directors of the Company has ultimate oversight of cybersecurity-related risk and activities, including the review and approval of our policies and procedures related to cybersecurity. The Information Security Program is approved on an annual basis. Cybersecurity risk management is also incorporated into our overall enterprise risk management model, which is updated on an annual basis and subject to oversight by our board of directors.
In the ordinary course of business, our board of directors receives annual updates from the ISO regarding the Information Security Program and compliance with relevant regulations, as described above. Our Information Technology Steering Committee consists of members of the Executive Management Team and department heads with relevant technology experience, and meets on a bimonthly cadence, with minutes, reports, and presentations flowing up to the Board of Directors Technology Committee, which also meets on a bimonthly cadence. If an incident occurs, depending on its priority as identified through the procedures described above, management may inform our board of directors via the Directors Technology subcommittee and/or the Audit Committee sooner than its next bimonthly update.
Relevant Regulations
As a regulated financial institution, the Bank is also subject to financial privacy laws, and our cybersecurity practices are subject to oversight by the federal banking agencies. In addition, the SEC recently enacted rules, effective as of December 18, 2023, requiring public companies to disclose material cybersecurity incidents that they experience on Form 8-K within four business days of determining that a material cybersecurity incident has occurred and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.