SB FINANCIAL GROUP, INC. - (SBFG)

10-K Filing Date: March 08, 2024
Item 1C. Cybersecurity


The Company regularly assesses risks from cybersecurity threats, monitors its information systems for potential vulnerabilities, and tests those systems pursuant to the Company’s cybersecurity policies, standards, processes, and practices, which are integrated into the Company’s overall risk management program. We have adopted aspects of the NIST cybersecurity framework, to which risk management in relation to our information systems is aligned. We categorize our information systems as either Tier 1 (critical) or Tier 2 or Tier 3 (essential), depending on business value and/or risk of financial or compliance impact of cybersecurity incidents. Our information security team uses a multifaceted approach to monitor, assess, identify, and manage material risks to the Company from cybersecurity threats, including testing of the effectiveness of our cybersecurity incident prevention and response systems; conducting routine vulnerability scanning of information systems assets; network/endpoint detection and response coupled with advanced identification-enhanced logging capabilities powered by artificial intelligence software; discovery through collaboration with the Company’s internal audit team; monitoring of threat intelligence feeds provided by industry associations/groups, service providers, and federal/state authorities; and professional service engagements, such as retaining the services of an external 24/7 security operations center and partnering with third parties in testing our information systems for vulnerabilities from external, internal, and social engineering perspectives and assessing the effectiveness of our cybersecurity controls.


The Company partners with third-party service providers and employs processes to assess, identify, and manage material risks from cybersecurity threats arising from the use of such third-party service providers. Our latest assessment attempted to identify vulnerabilities in our network and systems from external, internal, and social engineering perspectives. Our cybersecurity practices (including with respect to third-party service providers) have been assessed to represent a level of maturity consistent with industry best practices.


Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including its business strategy, results of operations, and financial condition. For more information about these and other risks, see ITEM 1A. RISK FACTORS.


Our board of directors oversees the Company’s risk management process, including cybersecurity risks, directly and through its committees. The Audit & Risk Management Committee and the Board provide structured oversight of the Company’s risk management program, which focuses on the most significant short-, intermediate-, and long-term risks the Company faces. The Company has an Information Security Council (the “Council”) that is responsible for overseeing the development and upkeep of written policies and procedures aimed at safeguarding the Company’s information systems and the nonpublic information stored within them. In addition, the Council plays a crucial role in the governance of the cybersecurity risk management process. This involves collaborating with third-party industry experts and the Company’s internal audit team to conduct risk assessments of the Company’s information security program (the “Program”). The assessments encompass an evaluation of the Company’s adherence to the Program, including the elements of the Program that are dictated by relevant laws, regulations, and the Company’s information security policy and procedures. Reports of the Council are shared regularly throughout the year with the board of directors. Furthermore, the Company conducts periodic cybersecurity assessments and preparedness analyses, supervised by our designated Chief Technology & Innovation Officer (“CTIO”).


The Company routinely engages third-party industry experts to perform risk assessments of the Program. At least annually, our internal audit team conducts a formal risk assessment and develops an audit plan that identifies, assesses, and prioritizes risks that include cybersecurity. The results of the risk assessment and the proposed audit plan are communicated to various leaders within the Company as well as the Audit & Risk Management Committee for input. The audit plan is reassessed throughout the year, and the plan is subject to modification by our internal audit team, e.g., based on such considerations as changes to resources, business operations, or internal or external risk factors.