FIRST BUSINESS FINANCIAL SERVICES, INC. - (FBIZ)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
Cybersecurity is an important component of our overall approach to Enterprise Risk Management (“ERM”). Our cybersecurity policies, standards, processes and practices are fully integrated in our ERM program, which is based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards. We seek to address cybersecurity risks through a comprehensive approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.
Our cybersecurity program is focused on the following key areas:
Governance: The Board of Directors’ (the “Board”) oversight of cybersecurity risk management is delegated to the Operational Risk Committee of the Board (the "ORC"), which regularly interacts with our ERM function, the Chief Information Officer ("CIO"), other members of management and relevant management committees. The ORC chair regularly reports material developments on cybersecurity to the Board.
Collaborative Approach: We have implemented a comprehensive approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
Technical Safeguards: We deploy technical safeguards that are designed to continuously protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls. These safeguards are evaluated and improved through vulnerability assessments, penetration testing, and cybersecurity threat intelligence.
Incident Response and Recovery Planning: We have established and maintain a comprehensive incident response and recovery plan that fully addresses our response to a potential cybersecurity incident, and such plans are tested and evaluated on a regular basis.
Third-Party Risk Management: We maintain a comprehensive, risk-based approach to identifying and monitoring cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. Our third-party risk management program includes robust upfront and ongoing risk assessments for all critical and high-risk vendors.
Education and Awareness: We provide regular, mandatory training for personnel regarding cybersecurity threats as a means to equip our personnel with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices. The Board receives periodic education and on a regular basis is informed about industry trends and how the Bank is responding to evolving threats.
We engage independent third parties to conduct periodic testing and assessment of our policies, standards, processes, controls and practices that are designed to address cybersecurity threats and incidents. These efforts include audits, assessments, vulnerability and penetration testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures. The results of such assessments are reported to the ORC and the Board, and we adjust our policies and practices as necessary based on the information provided by these assessments.
The Board and the ORC oversee our ERM process, including regular presentations and reports. The Board and the ORC also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds. The Board and the ORC coordinate the approach to cybersecurity management with the Chief Risk Officer and the Chief Information Officer, as well as our CFO and CEO.
Our Chief Risk Officer and Chief Information Officer have 30 and 24 years of experience, respectively. Their backgrounds are summarized in Item 1, Executive Officers of the Registrant.
To date, cybersecurity threats have not materially affected us, including our business strategy, results of operations or financial condition. Please refer to Risk Factors in Item 1A for a discussion of possible impacts from future cybersecurity events.