FIRST US BANCSHARES, INC. - (FUSB)
10-K Filing Date: March 14, 2024
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational disruption; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks.
To identify and assess material risks from cybersecurity threats, our enterprise risk management program considers cybersecurity threat risks alongside other company risks as part of our overall risk assessment process. Our enterprise risk professionals collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations. We employ a range of tools and services, providing multiple layers of security, to inform our professionals’ risk identification and assessment.
We also have a cybersecurity specific risk assessment process, which helps identify our cybersecurity threat risks by comparing our processes to standards set by the Federal Financial Institutions Examination Council's (“FFIEC”), the National Institute of Standards and Technology (“NIST”), and other agencies providing guidance in this area, as well as by engaging experts to attempt to infiltrate our information systems, as such term is defined in Item 106(a) of Regulation S-K.
Our cybersecurity program includes controls designed to identify, protect against, detect, respond to and recover from cybersecurity incidents (as such term is defined in Item 106(a) of Regulation S-K), and to provide for the availability of critical data and systems and to maintain regulatory compliance. These controls include the following activities:
24
We perform periodic internal and third-party assessments to test our cybersecurity controls and regularly evaluate our policies and procedures surrounding our handling and control of personal data and the systems we have in place to help protect us from cybersecurity or personal data breaches, and we perform periodic internal and third-party assessments to test our controls and to help us identify areas for continued focus, improvement, and/or compliance.
We have established a cybersecurity risk management process that includes internal reporting of significant cybersecurity risk to our Information Technology Steering Committee of the Board of Directors of the Bank at least quarterly. In addition, our incident response plan coordinates the activities we take to prepare for, detect, respond to, and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our enterprise risk management program, as well as our cybersecurity-specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, and monitor cybersecurity threat risks identified through such diligence.
As a regulated financial institution, the Company is also subject to financial privacy laws and its cybersecurity practices are subject to oversight by the federal banking agencies. For additional information, see “Supervision and Regulation – Privacy of Customer Information and “– Cybersecurity” included in Part I. Item 1 – Business of this report.
Although the Company has not, as of the date of this Annual Report on Form 10-K, experienced a cybersecurity threat or incident that materially affected its business strategy, results of operations or financial condition, there can be no guarantee that the Company will not experience such an incident in the future. For additional information regarding the risk the Company faces from cybersecurity threats, please see the risk factors titled “We use information technology in our operations and offer online banking services to our customers, and unauthorized access to our customers’ confidential or proprietary information as a result of a cyber-attack or otherwise could expose us to reputational harm and litigation and adversely affect our ability to attract and retain customers” and “We depend on outside third parties for the processing and handling of our records and data, which exposes us to additional risk for cybersecurity breaches and regulatory action.” included in Part I. Item 1A. – Risk Factors of this report.
25
Cybersecurity Governance
Cybersecurity is an important part of our enterprise risk management program and an area of increasing focus for our Board and management. Our Information Technology Steering Committee of the Board of Directors of the Bank, which then reports to the entire Board, is responsible for the oversight of risks from cybersecurity threats. At least quarterly, the Information Technology Steering Committee receives an overview from management of our cybersecurity threat risk management process and strategy covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, the Information Technology Steering Committee generally receives materials, including materials indicating current and emerging material cybersecurity threat risks and describing the Company’s ability to mitigate those risks, and discusses such matters with our Chief Information Officer, Information Security Officer, and other staff as needed.
Members of the Information Technology Steering Committee, and other members of the Board, are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management process. Material cybersecurity threat risks are also considered during separate Board meeting discussions of important matters like enterprise risk management, operational budgeting, business continuity planning, mergers and acquisitions, brand management, and other relevant matters.
Our cybersecurity risk management process, which is discussed in greater detail above, is led by our Chief Information Officer, Information Security Officer, Chief Risk Officer, and other staff as needed. Such individuals have collectively over 90 years of prior work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs and safeguarding corporate and customer information.
These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management process described above, including the operation of our incident response plan. As discussed above, these members of management report to the Information Technology Steering Committee about cybersecurity threat risks, among other cybersecurity related matters, at least quarterly. A summary report is provided to the full Board of Directors at least annually.