HANMI FINANCIAL CORP - (HAFC)
10-K Filing Date: February 29, 2024
Cybersecurity Risk, Management, and Strategy
Cybersecurity is a significant and integrated component of the Company’s risk management strategy, designed to protect the confidentiality, integrity, and availability of sensitive information contained within the Company’s information systems. The Information Security Officer is primarily responsible for administering, updating and enforcing the cybersecurity components of the risk management strategy and reports to the Chief Risk Officer. The Information Security Officer periodically collaborates with third-party service providers and industry groups to discuss cybersecurity trends and best practices. The Information Security Officer is supported by the Chief Technology Officer, who reports directly to the Chief Financial Officer. The Chief Technology Officer oversees our Information Technology department, comprising our first line of defense.
As a financial services company, cyber threats are present and growing, and the potential exists for a cybersecurity incident disrupting business operations and compromising sensitive data. To manage cybersecurity risk, the Company has implemented a multi-layered “defense-in-depth” cybersecurity strategy, integrating people, technology, and processes. The cybersecurity strategy is memorialized within the Company’s information security program. The program incorporates regulatory guidance and industry standards while leveraging industry associations, third-party benchmarking, audits, threat intelligence and peer industry groups. The information security program is reviewed by the Chief Risk Officer and presented to the Risk, Compliance and Planning Committee to periodically account for the changes in the cyber threat landscape. It is also periodically assessed by the Internal Audit department.
The Company has deployed an in-depth cybersecurity strategy to protect its assets, which includes a diverse preventive and detective tool set to stop, monitor, and alert management of suspicious activities and potential advanced persistent threats. We have implemented other preventive technologies and mitigating processes to include on-going education and training for employees, periodic tabletop exercises and recovery tests, and regular infrastructure penetration tests conducted by cybersecurity professionals and third-party specialists. Our internal and external auditors, along with independent external partners, periodically assess our processes, systems and controls for design and operating effectiveness, and provide recommendations to bolster our cybersecurity program. In addition, employees are subjected to regular simulated phishing assessments designed to sharpen threat detection and reporting capabilities. We also monitor our email gateways for malicious phishing emails and monitor remote connections through a secure virtual private network. Like many companies, we rely on third-party vendor solutions to support our operations. Notable services include 24/7 security monitoring and response, continuous vulnerability scanning, third-party monitoring, and threat intelligence. We have a vendor management program in place to assess and manage risks associated with third-party service providers.
To prepare to respond to incidents, the Enterprise Risk Management Committee periodically reviews and updates our cyber Incident Response Plan (“IRP”). The IRP provides a framework for addressing potential and actual cybersecurity incidents, from initial assessment through recovery by our Incident Response Team, and for notifying the appropriate management and board committees and regulatory agencies. The Incident Response Team is comprised of representatives from various departments including Information Security, Risk Management, Legal, Operations, Marketing and Accounting. Our Information Security Officer manages the Incident Response Plan and coordinates with senior level management and multiple areas of the company in executing the plan. While we have experienced cybersecurity incidents, we have not, to our knowledge, experienced an incident materially affecting, or reasonably likely to materially affect, the Company, including its business strategy, results of operations, or financial condition.
Cybersecurity Governance
Our Information Security Officer is accountable for managing the information security department and executing the information security program. The information security department is responsible for cybersecurity risk assessments, alert monitoring, incident response, vulnerability assessment, threat intelligence, identity and access governance, and third-party information security risk management. The department consists of information security professionals with varying levels of education, experience and certifications. Our information security department is further supported by our first line of defense, the Information Technology department, and by a third-party managed security service provider.
The Risk, Compliance and Planning Committee of our Board of Directors provides oversight of the information security program, including cybersecurity, and is chaired by an independent director. Cybersecurity metrics are reported to the committee quarterly. Additionally, management has established an Information Technology Executive Steering Committee focused on technology impact, and an Enterprise Risk Management Committee focused on business and risk impact, both consisting of executives and department leaders across multiple domains. These committees generally meet quarterly and more frequently when warranted. The information security department holds a monthly security meeting with the managers from the information technology department to discuss significant security incidents and the status of the threat landscape. The Information Security Officer reports significant cybersecurity or privacy incidents and the state of the information security program to the Risk, Compliance and Planning Committee of the board on a quarterly basis. The Risk, Compliance and Planning Committee of the Board of Directors provides a report of its activities to the full board at each quarterly board meeting.