Bank First Corp - (BFC)

10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

Assessing, identifying and managing material risks from cybersecurity threats is critical for maintaining the security of the Company’s data and information systems, and is integrated into our enterprise risk management systems and processes. The Bank’s approach to cybersecurity risk management and strategy is based on the FFIEC Cybersecurity Assessment Tool (“CAT”), which provides a repeatable and measurable process for evaluating cybersecurity preparedness and assessing, identifying, and managing material risks from cybersecurity threats. The CAT incorporates cybersecurity-related principles from the FFIEC Information Technology Examination Handbook and regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology Cybersecurity Framework.

The CAT consists of two parts: Cybersecurity Inherent Risk Profile and Cybersecurity Maturity. Completion of both parts of the CAT allows management and the Board to evaluate whether the Company’s cybersecurity risk and preparedness are aligned. The Cybersecurity Inherent Risk Profile is the level of risk posed to the Company by technologies and connection types, delivery channels, online/mobile products and technology services, organizational characteristics and external threats. Cybersecurity Maturity is designed to help management measure the Company’s level of risk and corresponding controls under the following five domains: (i) Cyber Risk Management and Oversight; (ii) Threat Intelligence and Collaboration; (iii) Cybersecurity Controls; (iv) External Dependency Management; and (v) Cyber Incident Management and Resilience.

The Information Security Officer (“ISO”) and the Company’s Information Technology Committee conduct and review the CAT annually to identify changes to the Company’s inherent risk profile, and also when new threats arise or when considering changes to the business strategy, such as expanding operations, offering new products and services, or entering into new third-party relationships that support critical activities. Consequently, management can determine whether additional risk management practices or controls are needed to maintain or augment the Company’s cybersecurity maturity.

In an effort to continually share threat intelligence and increase awareness of cybersecurity trends, the Company has also implemented a Cybersecurity Education and Awareness Program. This program includes the following components:

Mandatory annual cybersecurity employee training;
Training specifically targeted to Senior Management and Information Technology staff;
Bimonthly review of emerging security trends by the Information Technology Committee;
Mandatory annual cybersecurity Board training;
Periodic communication to employees highlighting internal control requirements and information about common threats or fraud schemes; and
Periodic communication to the Bank’s customers highlighting emerging threats and good cybersecurity hygiene.

To date, we have not experienced a cybersecurity incident that has materially impacted our business strategy, results of operations, or financial condition. Despite our efforts, there can be no assurance that the cybersecurity risk management processes and measures described will be fully implemented, complied with, or effective in protecting our systems and information. We face risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect our business strategy, results of operations or financial condition. Please see Part I, Item 1A. Risk Factors for further discussion of the risks associated with an interruption or breach in our information systems or infrastructure.

Board and Management Governance

The Company’s Board of Directors recognizes the importance of maintaining the trust and confidence of our customers, employees, and shareholders. The Board of Directors’ responsibilities for cybersecurity risk management and strategy include the following:

Engaging management in establishing the Bank’s vision, risk appetite, and overall strategic direction;
Approving plans to ensure the use of the CAT;
Reviewing management’s analysis of the CAT results, inclusive of any reviews or opinions on those results issued by independent risk management or internal audit functions;
Reviewing management’s determination of whether the Bank’s cybersecurity preparedness is aligned with its risks;
Reviewing and approving plans to address any risk management or control weaknesses; and
Reviewing the results of management’s ongoing monitoring of the Bank’s exposure to and preparedness for cyber threats.

The Company has also appointed an ISO, who reports directly to the Audit Committee and shares a co-sourced relationship with an outside consulting firm. The ISO has been with Bank First for over 10 years in various operational and administrative roles. For the past four years, he has served as the Bank’s Enterprise Risk Manager, and as ISO for the past two years. In 2022, he earned the Certified Banking Security Manager certification from SBS Cybersecurity. The ISO works closely with the head of Information Technology to ensure that the Bank’s cybersecurity controls are in line with established internal culture, Board expectations and risk appetite, and all regulatory requirements. The ISO’s responsibilities include the following:

Developing a plan to conduct and complete the CAT;
Working with the VP-Director of Technology to evaluate the results of the CAT;
Leading employee efforts during the CAT to facilitate timely responses from across the Bank;
Setting the target state of cybersecurity preparedness that best aligns to the Board of Directors’ approved risk appetite;
Reviewing, approving, and supporting plans to address risk management and control weaknesses;
Analyzing and presenting the results of the CAT to the Board of Directors;
Providing periodic cybersecurity updates to the Board of Directors;
Overseeing the performance of ongoing monitoring to remain nimble and agile in addressing evolving areas of cybersecurity risk; and
Overseeing the Bank’s cybersecurity preparedness.

Finally, the Company has established an Information Technology Committee to support the ISO in implementing the CAT, document formal action plans to be presented to the Board of Directors, enforce and implement the controls established by the CAT, and ensure employee compliance with internal controls.