BCB BANCORP INC - (BCBP)
10-K Filing Date: March 08, 2024
Cybersecurity Risk Management and Strategy
Cybersecurity risks are continually evolving, becoming increasingly complex and pervasive across all industries. To mitigate these cybersecurity risks and protect nonpublic, personally identifiable customer data, financial transactions and our classified information systems, the Bank has implemented a comprehensive information security program, which is a component of its overarching enterprise risk management program. Key components of the information security program include:
• A risk assessment process that identifies and prioritizes material cybersecurity risks; defines and evaluates the effectiveness of controls to mitigate the risks; and reports results to executive management and the Board of Directors.
• Annual security assessments that proactively identify potential vulnerabilities, both externally facing and internal to the bank’s infrastructure; the results of all assessments are reported to executive management and the Board of Directors, with tracking and resolution of potential areas of risk.
• A vulnerability management program that patches known vulnerabilities across operating systems and software platforms.
• Strong controls around user access, including creation, changes and termination of access, ongoing user access reviews, multifactor authentication and password policies.
• A technology team covering all critical cyber defense functions such as engineering, data protection, identity and access management, insider risk management, security operations, threat emulation and threat intelligence.
• A training program that educates employees about cybersecurity risks and how to protect themselves from cyberattacks.
• An awareness program that keeps employees informed about cybersecurity threats and how to stay safe online.
• An incident response plan that outlines the steps the Bank will take to respond to a cybersecurity incident, which is tested on a periodic basis.
• Adoption and implementation of a layered defense / defense-in-depth model in which security systems are linked or stacked so that the strengths of one security system compensate for the weaknesses of another.
• Additional controls that include, but are not limited to, data encryption; change management; end-of-life management; asset management; malware and antivirus detection, response and mitigation; physical security; and business continuity and disaster recovery management.
The Bank engages reputable third-party assessors to conduct various independent audits on a regular basis, including, but not limited to, maturity assessments and various forms of testing. Following a defense-in-depth strategy, the Bank leverages both in-house resources and third-party service providers to implement and maintain processes and controls to manage the identified risks.
The Bank’s Third-Party / Vendor Risk Management program is designed to ensure that our vendors meet our cybersecurity requirements. This includes conducting periodic risk assessments of vendors, requiring vendors to implement appropriate cybersecurity controls and monitoring vendor compliance with our cybersecurity requirements.
The Bank’s information security program and strategy are designed to ensure that the Bank's information and information systems are resilient and appropriately protected from a variety of threats, both natural and man-made. Periodic audits and risk assessments are performed to validate control requirements and to ensure that the Bank’s information is protected at a level commensurate with its sensitivity, value, and criticality. Preventative and detective security controls and policies are employed on all media where information is stored, the systems that process it, and the infrastructure components that facilitate its transmission, to ensure the confidentiality, integrity, and availability of Bank information. These controls and policies include, but are not limited to, access control, data encryption, data loss prevention, incident response, security monitoring, third-party risk management, and vulnerability management.
The Bank's information security program and strategy are regularly reviewed and updated to ensure that they are aligned with the Bank's business objectives and are designed to address evolving cybersecurity threats and satisfy regulatory requirements and industry standards.
Material Effects of Cybersecurity Threats
While cybersecurity risks have the potential to materially affect the Bank's business, financial condition, and results of operations, the Bank does not believe that risks from cybersecurity threats or attacks, including as a result of any previous cybersecurity incidents, have materially affected the Bank, including its business strategy, results of operations or financial condition. However, no matter how well designed or implemented the Bank’s controls are, there is a risk that it may not be able to anticipate all zero-day cybersecurity exploits and vulnerabilities, and it may not be able to implement effective preventive measures against such exploits / vulnerabilities and any associated security breaches in a timely manner.
Governance
Board of Directors Oversight
The Bank’s Board of Directors is charged with overseeing the establishment and execution of the Bank’s security management framework and monitoring adherence to related policies required by applicable statutes, regulations and principles of safety and soundness. Consistent with this responsibility, the Board has delegated primary oversight responsibility for the Bank’s security management framework, including oversight of cybersecurity risk and cybersecurity risk management, to the Information Technology / Information Security Committee of the Board of Directors. The Information Technology / Information Security Committee receives regular updates on cybersecurity risks and incidents and on the cybersecurity program through direct interaction with the Chief Information Technology Officer, and provides periodic updates regarding cybersecurity risks and the cybersecurity program to the full Board of Directors. Additionally, awareness and training on cybersecurity topics is provided to the Board on an annual basis.
Management's Role
The Information Technology department is responsible for implementing and maintaining the Bank’s cybersecurity risk management program. The Information Technology department consists of cybersecurity and information risk professionals who assess, identify, and manage cybersecurity risks. Information Security is led by the Chief Information Technology Officer (CITO), who reports directly to the Chief Operating Officer and has a dotted-line reporting relationship to the Board of Directors. The Bank’s CITO has over 23 years of experience in technology and cybersecurity across the financial services industry. Prior to joining the Bank, the Bank’s CITO served as Chief Information Officer and Information Security Officer at First Choice Bank and as Director of Technology and IT Governance at OceanFirst Bank. The Information Technology department is responsible for ensuring the protection of electronic and physical information through the identification and management of risk activities. Information security risk is reported by the Information Technology department through quarterly management reporting to achieve an appropriate flow of information risk reporting to the Board. The committees and working groups that monitor information security risks include the Cybersecurity Incident Response Team and the Information Technology / Information Security Committee of the Board of Directors. These committees and working groups establish and oversee policies, programs, and other guidance that set specific expectations for managing cybersecurity risk.