PCB BANCORP - (PCB)
10-K Filing Date: March 12, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
As a financial institution, the Company’s business depends on the continuous operation of its information and data processing systems and the security of information received from customers, employees and others. The Company has developed and implemented a cybersecurity program intended to protect the reliability of its critical systems and the confidentiality of nonpublic information.
The Company has designed and assesses its cybersecurity program based on the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”) and the guidance of banking and other regulatory agencies. The Company’s information security team has primary responsibility for the overall cybersecurity risk management program. The Company’s cybersecurity professionals are led by the Information Security Officer, who has over 23 years of experience in the information technology field, including over 3 years of experience focusing solely on the cybersecurity space. The Information Security Officer has Security+ and Network+ certifications and is currently working on obtaining the CISSP. The Company’s cybersecurity risk management is integrated as part of its overall risk management program, and the Company’s Chief Risk Officer and Information Security Officer, in conjunction with the Chief Information Officer, work together to develop and maintain the cybersecurity program.
In addition to its own employees, the Company engages third-party service providers to provide security products and services as needed, using their expertise to evaluate and enhance its cybersecurity program and to inform employees regarding evolving threats, risks and defensive measures. Generally, these third-party service providers are managed by the Information Security Officer and Chief Information Officer.
Features of the cybersecurity risk management program include:
• Technology solutions designed to prevent, detect and mitigate cybersecurity incidents.
• Review, testing and assessments of the Company’s cybersecurity systems, both internally and using third-party service providers with cybersecurity expertise.
• Required cybersecurity training for employees to learn about data security, how to identify and mitigate potential cybersecurity risks and how to protect our resources and information.
• Specialized security training for members of the risk management, cybersecurity and technology teams that includes information about evolving cybersecurity threats and new risk mitigation and detection technologies.
• Processes to assess, identify and manage the material risks from cybersecurity threats, including the risks arising from threats associated with third-party service providers, including technology providers and cloud-based platforms.
• A cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents and facilitates coordination and communication across multiple parts of the Company.
• Ongoing assessment of the adequacy of the cybersecurity program.
Like many financial institutions, the Company has experienced cyber-based attacks and other attempts to compromise its information systems and expects that it will continue to experience these attacks and attempts in the future. In 2021, the Bank was the target of a ransomware attack in which an external actor illegally accessed and/or acquired certain data on its network. As a result, the Bank was sued in a purported class action lawsuit. The lawsuit is currently in the process of settlement, subject to final court approval. See “Item 3. Legal Proceedings,” above. While the Company has not identified other known risks from previous cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, like all financial institutions, the Company faces ongoing risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect its business, results of operations, or financial condition. See Item 1A – Risk Factors – “Risk Related to our Business -- System failure or breaches of our network security could subject us to increased operating costs as well as litigation and other liabilities,” above.
Cybersecurity Governance
The Company’s Board of Directors and its Risk and Compliance Committee are responsible for overseeing the Company’s cybersecurity program and policies. The Company’s management, led by the Chief Risk Officer and Information Security Officer in conjunction with the Chief Information Officer, is responsible for designing and implementing the program. The Chief Risk Officer and Information Security Officer regularly report to the Risk and Compliance Committee regarding management’s implementation of the cybersecurity program, cybersecurity risks and threats, assessments of the Company’s cybersecurity systems and the planning and status of projects to strengthen the Company’s information security. The Company’s cybersecurity incident response plan requires that management promptly advise the Risk and Compliance Committee of any material cybersecurity incident. The Chair of the Risk and Compliance Committee regularly reports to the Board on cybersecurity risks and other matters reviewed by the Committee. Board members may attend Risk and Compliance Committee meetings where cybersecurity issues are discussed and have access to the materials for each Risk and Compliance Committee meeting.