RBB Bancorp - (RBB)

10-K Filing Date: March 12, 2024
Item 1C. Cybersecurity.

Cybersecurity threats continue to evolve, and the Bank continuously adapts its cybersecurity practices to the changing threat landscape. Significant resources are devoted to protecting and enhancing the security of networks, computer systems, data storage devices, and other systems and technology. The Bank’s security efforts and implemented controls are designed to protect against, among other things, cybersecurity attacks that can result in unauthorized access to confidential information, the destruction of data, disruptions to or degradations of service, the sabotaging of systems, or other damage.

Third parties with which the Bank does business or that facilitate the Bank’s business activities (e.g., vendors, supply chain, exchanges, clearing houses, central depositories, and financial intermediaries) are sources of cybersecurity risk to the Bank. Third-party incidents such as system breakdowns or failures, misconduct by the employees of such parties, or cyber-attacks, including ransomware and supply-chain compromises, could have a material adverse effect on the Bank, including in circumstances in which an affected third party is unable to deliver a product or service to the Bank or in which the incident results in lost or compromised information of the Bank or its clients or customers.

Bank customers are also sources of cybersecurity risk to the Bank and its information assets, particularly when their activities and systems are beyond the Bank’s own security and control systems. The Bank provides information to its customers and other external parties concerning cybersecurity risks, including opportunities to reduce cybersecurity risk.

The security program is commensurate with the size and complexity of the Bank. Risks from cybersecurity threats, including any previous cybersecurity events, have not materially affected the Bank or its business strategy, results of operations or financial condition.

Cybersecurity Risk Management

The Bank maintains an Information Security and Cybersecurity Program to support the management of cybersecurity risk as a component of the Bank’s Enterprise Risk Management (“ERM”) framework. The information security and cybersecurity program is designed to assess, identify, and manage risks from cybersecurity threats and leverages controls, best-practice recommendations, and standards from the Federal Financial Institutions Examination Council (“FFIEC”) and the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, as well as standards set by relevant legal and regulatory authorities. Our policies and procedures concerning cybersecurity matters include processes to safeguard our information systems, monitor these systems, protect the confidentiality and integrity of our data, detect intrusions into our systems, and respond to cybersecurity incidents.

The Chief Information Security Officer (“CISO”) reports to the Chief Information Officer (“CIO”) and the Chief Risk Officer (“CRO”). The CISO leads the Information Security team, which is responsible for identifying and assessing information security and cybersecurity risks, and for implementing and maintaining controls to manage information security and cybersecurity threats. The CISO is responsible for the Bank’s Information Security and Cybersecurity Program, which is designed to prevent, detect, and respond to cybersecurity threats and incidents in order to help safeguard the confidentiality, integrity, and availability of the Bank’s information systems and information.

As part of the Information Security and Cybersecurity Program, the Bank conducts periodic employee training to educate employees on information and cybersecurity risks and to reinforce security management practices and compliance with the Bank's security policies and standards. The training is mandatory for all employees and is supplemented by testing initiatives, including periodic phishing tests.

Extensive technical controls are in place for identifying and managing cybersecurity risks and safeguarding our information systems and information. The Bank uses sophisticated industry-recognized monitoring and threat detection technologies that continuously monitor our information systems and provide threat detection alerts. The Bank’s strategy for assessing, identifying, and managing cybersecurity risks and for evaluating the effectiveness of its cybersecurity program includes periodic risk assessments and testing of our systems, processes and procedures through audits, penetration testing, vulnerability scans, tabletop exercises, and other related exercises.

The Bank has an incident response program designed to enable the Bank to respond to cybersecurity incidents, coordinate as appropriate with law enforcement and other government agencies, notify clients and customers, as applicable, and recover from such incidents. In addition, the Bank actively partners with appropriate government and law enforcement agencies and peer industry forums to participate in threat intelligence discussions and simulations to assist with understanding the full spectrum of cybersecurity risks and enhancing defenses and improving resiliency in the Bank’s operating environment.

The Bank engages third parties on a regular basis to assess, test, audit, or assist with the implementation of our risk management strategies, policies, and procedures in order to enhance our detection and management of cybersecurity risks. These engagements include, but are not limited to, consultants who assist with assessing risks, assessing our systems’ alignment with the NIST Cybersecurity Framework, FFIEC guidance, and other regulatory agency requirements, and performing penetration testing and tabletop exercises.

The Bank maintains a process to evaluate and manage risks associated with third-party service providers. We conduct a full vendor due diligence review before engagement, include specific security requirements in our contracts, and maintain continued monitoring during the engagement, including yearly due diligence reviews.

Governance

The IT Committee and the Audit Committee are the principal board committees that oversee the Bank’s assessment and management of cybersecurity risk, including oversight of the implementation and maintenance of appropriate controls in support of the Bank’s Information Security and Cybersecurity Program. Both the IT and Audit Committees are composed of professionals with risk management and information technology expertise sufficient to oversee any material risk from a cybersecurity threat standpoint.

The membership of the IT Committee includes members of the executive management team as well as directors of the Bank. The CIO and CISO actively participate in all IT Committee meetings. The CIO has over 20 years of work experience in the development, operation, and management of information technology at financial institutions. The CISO has over 10 years of work experience in building and overseeing cybersecurity programs at financial institutions. Both the CIO and the CISO have extensive experience and qualifications in various technology and information security disciplines, including relevant experience at the Bank. Additionally, the Audit Committee oversees the management of cybersecurity risk through validation and review of IT and cybersecurity risk assessments and audits. The CISO provides reporting metrics on cybersecurity risks to the IT Committee, which meets eight times a year. The IT and Audit Committees assist the Board of Directors in its oversight.

As part of its oversight of management’s implementation and maintenance of the Bank’s risk management framework, the Bank’s Board of Directors receives regular updates directly from both the IT and Audit Committees concerning cybersecurity matters. These updates generally include information regarding cybersecurity and technology developments, the Bank’s Information Security Program and recommended changes to that program, cybersecurity policies and practices, and ongoing initiatives to improve information security, as well as any significant cybersecurity incidents and the Bank’s efforts to address those incidents.

Notwithstanding our cybersecurity efforts, the Bank cannot guarantee that those efforts will successfully prevent or mitigate a cybersecurity incident that could have a material adverse effect on it. To our knowledge, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Bank, including its business strategy, results of operations, or financial condition. With regard to the possible impact of future cybersecurity threats or incidents, see Item 1A, Risk Factors – Risks Related to Our Business.