Bankwell Financial Group, Inc. - (BWFG)
10-K Filing Date: March 12, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
The Company’s risk management program for cybersecurity is integrated into our risk management and general compliance programs and processes. Our cybersecurity program utilizes a layered, defense-in-depth strategy to identify and mitigate cybersecurity threats. Our Information Security Officer ("ISO") is responsible for the day-to-day management of the Company’s global information security program, which includes defining policies and procedures to safeguard our information systems and data, conducting vulnerability, threat and third-party information security assessments, information security event management (i.e., responding to ransomware and other cyber-attacks, business continuity and recovery), evaluating external cyber intelligence, supporting industry cybersecurity efforts and working with governmental agencies. The information security team also develops training for employees to support adherence to the Company’s policies and procedures, along with increasing awareness of cyber-related risk. The personnel training includes, but is not limited to, mandatory onboarding training, phishing simulations with automated remediation training, table-top incident response exercises, and educational intranet posting and email campaigns.
The Company leverages the U.S. Department of Commerce’s National Institute of Standards and Technology Cybersecurity Framework ("the NIST Framework") as the foundation of its global information security program. The NIST Framework provides standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk and is designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders. The Company’s ISO works with independent, third-party consultants to assess the maturity of the Company’s cybersecurity program within the NIST Framework and to develop strategic areas of focus for the Company’s program commensurate with the Company’s business objectives.
As part of the Company’s information security program, we leverage both internal and external assessments and partnerships with industry leaders to help us approach information security company-wide. Additionally, we maintain a comprehensive program that defines standards for the planning, sourcing, management, and oversight of third-party relationships and third-party access to our systems, facilities, and/or confidential or proprietary data.
Cybersecurity incidents may create risk to the Company that may impact its reputation, financial performance, ability to operate safely or at all, and the value of its intellectual property. Like most corporations, the Company is the target of industrial espionage, including cyberattacks, from time to time. The Company has determined that these incidents have resulted, and could result in the future, in unauthorized parties gaining access to certain confidential business information. However, to date, the Company has not experienced any known cybersecurity incidents that have materially affected the Company, including the Company's results of operations and financial condition, changes in the competitive environment, business operations and strategy. Although management does not believe that the Company has experienced any material losses to date related to cybersecurity incidents, there can be no assurance that the Company will not suffer such losses in the future. For more information on potential risk related to cybersecurity incidents, including intellectual property theft and operational disruption, please see “Item 1A – Risk Factors” of this report.
Cybersecurity Governance
The Audit Committee and Technology Committee of the Board of Directors provide oversight of Company cybersecurity risks. The Technology Committee conducts a minimum of one cybersecurity program update per year, including a review of capital spend, budget, and staffing, as well as periodic reports on cybersecurity threats, awareness training, and key risk indicators related to the Company’s progress on risk mitigation activities. Annually, the Audit Committee reviews and recommends to the Board approval of management's recommendations on cybersecurity insurance. The Technology Committee reviews the Company’s oversight related to cybersecurity risks, to ensure that Board oversight of such risks remains appropriate and that risks are appropriately managed.
The Company’s Chief Information Officer ("CIO") oversees the Company’s information technology programs and investments. The Company’s CIO has over 20 years of information technology experience, including nine years in various information technology leadership roles. Our CIO holds a Bachelor of Science in Information Technology. The Company’s ISO reports to the Chief Risk and Operations Officer and oversees the Company’s information security programs. The Company’s ISO possesses over 20 years of Information Security and Technology experience. The ISO holds a Bachelor of Science in Computer Systems Engineering, an MBA, and a Master of Science in Information Security and Assurance, as well as multiple industry certifications including CISSP, CISM, CISA, CRISC, CDPSE, PMP, among others.
Our Risk Management Steering Committee, which includes the Company’s Chief Risk and Operations Officer (Chair), CIO and ISO, assesses and monitors the effectiveness of the Company’s cybersecurity risk management program. The Company’s internal audit function also performs independent reviews and validation of the program, including policies and procedures as determined by their annual risk assessment.
Both the CIO and ISO regularly report to the Technology Committee on the Company’s identification, prevention, detection, mitigation and remediation of cybersecurity risks and incidents. In 2023, the Board reviewed the Company’s cybersecurity program and maturity assessment, while the Technology Committee and Audit Committee provided regular oversight of cybersecurity risks, with cybersecurity discussions and dashboard reviews of key performance indicators and risks during the course of the year. With respect to specific incidents, the Company leverages an incident response framework to elevate and evaluate specific incidents to the CIO and ISO, along with the Company’s senior leadership, including the finance, compliance, and legal functions. In the event of a potentially material cybersecurity incident, the Technology Committee and Audit Committee would be immediately notified and briefed.