Bancorp, Inc. - (TBBK)

10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

We recognize the increasing significance of cybersecurity in the financial industry and the potential risks associated with cyber threats. Our processes to identify, assess and monitor material risks from cybersecurity threats are part of our overall enterprise risk management program and are integrated into our operating procedures, internal controls and information systems. Our risk management program and processes are intended to maintain an effective and comprehensive Cybersecurity Program under the direction of a dedicated Chief Information Security Officer (“CISO”). Our established Cybersecurity Program is mapped to the NIST Cybersecurity Framework (“NIST CSF”), the Payment Card Industry Data Security Standard (“PCI DSS”), the Center for Internet Security (“CIS”) Critical Security Controls, the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity Assessment Tool, and relevant International Organization for Standardization (“ISO”) standards to maintain the confidentiality, integrity, and availability of our information systems, networks, and corporate and customer data. Highlights of the program include the following processes:

A security testing schedule, which includes internal/external penetration testing;

Regular vulnerability assessments;

Detailed vulnerability management;

A 24/7 Security Operations Center;

Monitoring and reporting of systems and critical applications;

Data loss prevention controls;

File access and integrity monitoring and reporting;

Threat intelligence;

A training and compliance program for staff, including a detailed policy; and

Third-party vendor management.

The Company’s Security Operations Center (“SOC”) functions as the central point for all cybersecurity events that occur on our information systems. The SOC provides end-to-end operations to monitor, detect, alert and respond to any unusual, suspicious or malicious activities. In 2023, we expanded the SOC’s operational hours to 24 hours a day, 7 days a week, utilizing both internal and third party resources for that full coverage. We conduct risk assessments and compliance audits against the above-referenced standards and regularly benchmark and evaluate program maturity with industry leaders. We also engage both internal and external auditors and third party information security experts to examine our cybersecurity processes. Additionally, the Company undergoes the PCI certification process and obtains the related certification on an annual basis.

Recognizing the interconnected nature of the financial industry, we evaluate and monitor the cybersecurity practices of our third party service providers and partners using a risk-based approach. Our Third Party Oversight Department evaluates new and existing relationships based upon due diligence requirements defined by our Cybersecurity Department to understand and mitigate material risks associated with third party service providers and partners. Risk assessments and audit results in connection with our Cybersecurity Program are reported to senior management and the Board of Directors. Risk owners from our Cybersecurity Program develop risk mitigation plans to resolve any cybersecurity risks identified in risk assessments or audits.

We recognize that a successful cybersecurity incident could lead to disruptions in operations, financial loss, reputational damage, and potential legal and regulatory consequences. The Company has a fully implemented incident response program, and internal forensics capabilities with third party forensic experts on retainer. We also maintain business continuity and disaster recovery plans so the Company can more effectively respond to cybersecurity incidents. It is possible we may not implement appropriate controls if we do not recognize, or if we underestimate, a particular risk. In addition, security controls, no matter how well designed or implemented, may only partially mitigate and not fully eliminate risks. Events, when detected by security tools or third parties, may not always be immediately understood or acted upon.

Although we believe risks from cybersecurity threats have not materially affected our business strategy, results of operations, or financial condition during the fiscal year ended December 31, 2023, they may in the future, and we continue to closely monitor risks from cybersecurity threats. As of the date of this Annual Report on Form 10-K, we are not aware of any cybersecurity incidents that have materially affected the Company, including our business strategy, results of operations, or financial condition, in the prior fiscal period. For additional information on the impact of cybersecurity matters on us, see Item 1A, “Risk Factors—We face cybersecurity risks, which could result in a loss of customers, cause disclosure of confidential information, adversely affect our operations, cause reputational damage and create significant legal and financial exposure.”



Governance

Management regularly evaluates and enhances its cybersecurity measures to mitigate cybersecurity risks. The Company’s CISO is responsible for all aspects of the Cybersecurity Program, including managing cybersecurity functions, ensuring that cybersecurity staff are adequately skilled and trained in the activities required for their respective job functions, and overseeing corporate cybersecurity initiatives. Under the direction of the CISO, the Cybersecurity Department regularly monitors for enterprise-wide compliance with Cybersecurity Program procedures and regulatory requirements. Our CISO, in collaboration with our Chief Information Officer (“CIO”), Chief Risk Officer (“CRO”), and senior management, drives awareness, ownership and alignment of cybersecurity protocols for effective cybersecurity risk management across all lines of business and corporate functions. The CISO and CIO are responsible for leading enterprise-wide cybersecurity strategy, policy, standards and processes to effectively prevent, detect, mitigate and remediate cybersecurity threats. Our CISO has expertise in cybersecurity, information security risk management, identity and access management, security architecture, application security, vulnerability management, threat intelligence, security operations, and incident management and response, gained through prior roles leading information security functions at financial institutions. The CISO holds multiple professional certifications, including Certified Chief Information Security Officer through the International Council of Electronic Commerce Consultants, also known as the EC-Council.

The CISO reports to management’s Enterprise Risk Management Committee and quarterly to the Board’s Risk Committee regarding the Company’s cyber risks and threats, the status of efforts to strengthen information security systems, assessments of the Company’s Cybersecurity Program, and the emerging threat landscape. In these meetings, and on an ad hoc basis, senior management receives periodic reporting from the Cybersecurity Department, Operations Department and Information Technology Department on operational risks and the steps taken to monitor and control cybersecurity exposure.

The Board of Directors recognizes the importance of cybersecurity to safeguard confidential information and sensitive data and receives periodic training on cybersecurity risk and best practices for related oversight. To aid the Board with its cybersecurity and data privacy oversight responsibilities, the Board periodically hosts experts for presentations on these topics. For example, in 2023, the Board hosted an expert to discuss developments in the cybersecurity threat landscape and evaluate the Company’s cybersecurity program in the context of the global risk environment. 

The Board has delegated responsibility for more detailed oversight of the Company’s cybersecurity and information security framework to the Risk Committee of the Board. The CISO and CIO provide updates on the cybersecurity threat environment and the Company’s programs to address and mitigate the risks associated with the evolving cybersecurity threat environment to the Risk Committee quarterly and to the full Board at least annually and on an ad hoc basis. Additionally, the Risk Committee reviews and approves the Cyber Risk Management Program Policy and Information Security Program Policy at least annually. Elevation to a full Board communication and/or interaction would occur upon the initiation of a cyber incident response, or a material compromise of business functionality, customer data or network integrity.
