Bancorp 34, Inc. - (BCTF)

10-K Filing Date: March 08, 2024
Item 1C. Cybersecurity

Overview

 

The cybersecurity threat environment is volatile and dynamic, requiring a robust and dynamic framework to reduce and mitigate cybersecurity risk. Cybersecurity risk includes exposure to failures or interruptions of service or security breaches resulting from malicious technological attacks that impact the confidentiality, integrity, or availability of our or third parties’ operations, systems, or data. We seek to mitigate cybersecurity risk and associated reputational and compliance risk by, among other things:

 

· maintaining privacy policies, management oversight, accountability structures, and technology design processes to protect private and personal data;
· actively monitoring and mitigating cybersecurity threats and risks with a defense structure to provide oversight, governance, challenge, and testing;
· using a third-party cybersecurity oversight program to effectively discover, analyze and understand cyber threats;
· maintaining oversight of our information security program by senior management, our board-level Information Security Committee, and our Board of Directors;
· establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships with access to the institution’s technology assets and information; and
· maintaining an incident response program intended to enable us to mitigate the impact of, and recover from, any cyberattacks, and facilitate communication to internal and external stakeholders, as needed.

 

We experienced a single cybersecurity event in June of 2023 in which an unauthorized third party gained access to the email accounts of two of our employees. We notified the affected customers of the incident in early September 2023, and have taken steps to mitigate our and our customers’ exposure to unauthorized activity. To date, we have incurred expenses of approximately $25,000 related to the cybersecurity incident.

 

Risk Management and Strategy

 

Our cybersecurity risk management strategy uses a combination of management expertise and Board oversight, as discussed below, as well as outside consultants to assist us in overseeing our cybersecurity risk management program. We deploy safeguards designed to protect customer information and our own corporate information and technology. We have programs, technology and processes in place designed to mitigate known attacks, and we use both internal and external resources to scan for vulnerabilities in our applications, systems, and platforms. We implement backup and recovery systems and require the same of our critical third-party service providers.


We use independent third-party service providers to perform penetration testing of our infrastructure to help us better understand the effectiveness of our controls, improve our defenses, and conduct assessments of our program for compliance with regulatory requirements and industry guidelines. We also engage with outside risk experts and industry groups, including other peer institutions, as needed, to help us evaluate potential future threats and trends, particularly with respect to emerging information security and fraud risks. In addition, we use a third party to help mitigate risks with our third- and fourth-party providers; however, our ability to monitor our service providers’ cybersecurity practices is limited. We generally have agreements in place with our service providers that include requirements related to cybersecurity and data privacy. We cannot guarantee, however, that such agreements will prevent a cyber incident from impacting our systems or information. Additionally, we may not be able to obtain adequate or any reimbursement from our service providers in the event we should suffer any such incidents. Due to applicable laws and regulations or contractual obligations, we may be held responsible for cyber incidents attributed to our service providers in relation to any data that we share with them. To offset non-reimbursement of, or liability expense from, a cyber incident, we maintain cyber insurance.

 

Due to the nature of our business, we are under constant threat of an attack and could experience a significant cybersecurity event in the future. Potential risks we could face from a cybersecurity event are discussed in “Risk Factors” above.

 

Governance

 

Through established governance structures, including our problem and incident management process and incident response plan, we have processes and procedures to help facilitate appropriate and effective oversight of cybersecurity risk. These processes and procedures enable our lines of defense and management to review and manage cybersecurity risks, monitor threats, and provide for further escalation to executive management, our board-level Information Security Committee, or to the full Board, as appropriate.

 

Role of the Board of Directors

 

Our Board of Directors plays a critical role in the oversight of risk, including risks from cybersecurity threats, and has established a risk oversight structure that seeks to ensure that cybersecurity risks are identified, monitored, assessed, and mitigated appropriately. Our Board of Directors oversees our cybersecurity, risk assessment, vendor management and disaster recovery and business continuity risk management framework. The Board of Directors reviews and approves our cybersecurity, disaster recovery and business continuity risk management framework on an annual basis.

 

Our Board regularly receives reports on such matters from our Information Security Committee. Our Board also meets with our internal and external auditors, and federal and state regulators, to review and discuss reports on risk, examination, and regulatory compliance matters.

 

The Board has delegated the primary review of our cybersecurity, disaster recovery, risk assessment, vendor management, and business continuity risk management framework and related policies and procedures to the Information Security Committee, which consists of senior management members and one Board member. The committee is responsible for assisting the Board in its oversight of risk, including cybersecurity threats, and for overseeing our cybersecurity, disaster recovery, vendor management and business continuity risk management framework. The committee actively discusses major risk exposures, establishes risk management principles, and determines our risk appetite, and regularly reports on its activities, and makes recommendations, to the full Board. The Information Security Committee receives regular summary analysis reports of cybersecurity risks, threats, and incidents at its meetings. In addition, the committee is engaged, as needed, in accordance with our Incident Response Plan and Business Continuity Plan.


Role of Management

 

Senior management is responsible for establishing, implementing, maintaining, and testing our policies and procedures related to cybersecurity, disaster recovery and business continuity. Reports on these matters are provided to the Information Security Committee. The committee reports its activities to the full Board of Directors. Our cybersecurity risk management program is built on lines of defense designed to assess, identify, and manage our material risks from cybersecurity threats. Our VP of IT Operations is responsible for coordinating the implementation of our cybersecurity framework and reports directly to our Chief Financial Officer.

 

Our framework, implemented in conjunction with third-party managed IT providers, manages preventative and detective controls to protect against cybersecurity risks and responds to cyber incidents and data breaches. At least annually, training on information security awareness is provided to employees. Training materials and topics include online training classes, mock phishing attacks, and information security awareness emails from the VP of IT Operations. Our cybersecurity risk management program is designed to maintain and challenge our information security defense system, as well as to monitor, respond to, evaluate, escalate and recover from cyber threats.

 

Our Information Security Committee governs our technology and operational risk tolerances, including cybersecurity and third- and fourth-party provider risks. The management members who serve on the committee include the VP of IT Operations (chair), Chief Operations Officer, Chief Financial Officer, and Chief Compliance Officer. The VP of IT Operations has relevant technical experience and certifications, with over 20 years of experience. The remaining committee members each have more than 15 years of relevant banking experience. The committee is responsible for escalating key risks to members of Executive Management not serving on the committee as well as to the Board of Directors.

 

An annual audit over cybersecurity related activities is completed by an independent third party.