BANC OF CALIFORNIA, INC. - (BANC)

10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
Our enterprise risk management program is designed to identify, measure, monitor and control all significant risks across the various aspects of our company. Cybersecurity risk management processes are integrated into this program, given our increasing reliance on technology and the potential for cyber threats. Our Chief Information Security Officer (“CISO”) is primarily responsible for our cybersecurity program and is a key member of the risk management function, reporting directly to the Chief Risk Officer (“CRO”) and to the Enterprise Risk Committee of our Board of Directors.
Our objective for managing cybersecurity risk is to maintain appropriate layers of safeguards to protect information systems from possible threats and to avoid or minimize the impact of external threat events or other efforts to penetrate, disrupt or misuse our systems or information. Our information security program is designed in accordance with industry frameworks, such as the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, and is reviewed and updated at least annually and upon significant changes to our operating environment. Our program includes the following key elements:
Systems Safeguards. We adopt the “trust by design” framework when designing new products, services and technology. We employ a variety of preventative and detective tools designed to monitor, detect, block, and provide alerts regarding suspicious and unauthorized activity and to report on suspected advanced persistent threats.
Incident Response. We maintain an Incident Response Plan (“IRP”) that provides a documented framework for responding to actual or potential cybersecurity incidents. The IRP is coordinated through the CISO and key members of management and addresses roles, responsibilities, and communication and contract strategies in the event of a compromise, including analysis of reportable events in accordance with applicable legal and compliance requirements.
Collaboration. We engage cybersecurity experts and third-party specialists to perform regular assessments of our infrastructure, software systems and network architecture. We also leverage internal and external auditors and independent external partners to periodically review our processes, systems and controls, including with respect to our information security program, to assess their design and operating effectiveness.
Education and Training. We have regular and ongoing security education and training for employees, practical exercises that simulate actual cyber attacks, and recovery and resilience tests.
Third-Party Risk Management. We maintain a third-party risk management program designed to identify, assess and manage cybersecurity risks associated with external service providers, contractors and vendors.
To our knowledge, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including its business strategy, results of operations, or financial condition. Our internal systems, processes, and controls are designed to mitigate and minimize potential losses resulting from cyber attacks; however, there can be no assurance that our cybersecurity risk management program will be fully effective in protecting the confidentiality, integrity and availability of our information systems and our solutions. For further discussion of risks from cybersecurity threats, see Item 1A. Risk Factors in the section titled “We are subject to certain risks in connection with our use of technology.”
Governance
Our Board of Directors considers cybersecurity risk as part of its risk management function and has delegated to the Enterprise Risk Committee oversight and governance of the technology program and the information security program, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. The Enterprise Risk Committee reviews our cybersecurity risk profile on a quarterly basis. Additionally, our CISO and our Chief Information Officer provide quarterly reports to the Enterprise Risk Committee regarding the information security program and the technology program, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes.
The Information Technology and Information Security sub-committee is a working group of the management-level Enterprise Risk Management Committee. It is made up of managers from various departments and includes the CISO and Chief Information Officer, their direct reports, and other key departmental managers from throughout the company. This sub-committee meets quarterly to provide oversight of the technology management strategy, standards, policies, practices, controls, and mitigation and prevention efforts employed to manage security risks. Meetings with key team leaders occur as required and in accordance with the IRP to facilitate timely notification and monitoring. The Company's Executive Leadership Team meets monthly with the CISO and Deputy CISO. Summaries of key issues discussed at these meetings, including significant cybersecurity and/or privacy incidents and the responses to any actions requested by or reported to the Enterprise Risk Committee, are reported to the Enterprise Risk Committee quarterly, or more frequently as may be required by the IRP.
Our CISO has substantial relevant expertise and formal training in the areas of information security and cybersecurity risk management and is accountable for managing our enterprise information security department and for developing and implementing our information security program. The responsibilities of this department include cybersecurity risk assessment, defense operations, incident response, vulnerability assessment, threat intelligence, identity and access governance, third-party risk management, client, vendor and employee education and awareness, and business continuity and disaster recovery. The department as a whole consists of information security professionals with varying degrees of professional education, certifications and experience.