HOPE BANCORP INC - (HOPE)

10-K Filing Date: February 28, 2024
Item 1C. CYBERSECURITY
General
As a financial institution, cybersecurity is a high priority for us as we receive and maintain the business and personal information of our customers on a daily basis. In addition, our business operations rely extensively on the continuous operation of our information and data processing systems and related back-up systems. Accordingly, we have developed and maintain a cybersecurity program that is focused on the goals of preparing for, preventing, detecting, mitigating, responding to and recovering from cyber threats and incidents, maintaining the privacy and protection of our customers’ data, and the continuity of our information and data processing systems.
Cybersecurity Risk Management
We believe that we have a robust cybersecurity program that is aligned to industry-standard cybersecurity frameworks. To identify and assess material risks from cybersecurity threats, our corporate risk management team considers cybersecurity threat risks alongside other company risks as part of our overall risk assessment and management process. To implement and maintain our cybersecurity program, we have a dedicated information security team that is managed by our Chief Information Security Officer. We believe our information security team is well positioned to identify risks from cybersecurity threats based on numerous job qualifications and on-going training.
As a regulated financial institution, we have designed our cybersecurity program based on the requirements of the Gramm-Leach-Bliley Act of 1999 (“GLBA”) and the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity Assessment Tool. Our processes for identifying, assessing and managing material risks from cybersecurity threats include reliance on the FFIEC Cybersecurity Assessment Tool as well as recurring audits and assessments of our cybersecurity program and controls.
In addition to the above, we periodically (and at least annually) conduct an overall inherent cybersecurity risk assessment based on threats, the likelihood of the threats, and the potential impact of these threats to the Company. We conduct this assessment by reviewing industry-recognized breach reports, identifying the top threats, calculating the likelihood and impact of these threats, and thereby determining our overall inherent risk. We then use the Cybersecurity Assessment Tool to establish a risk profile. Based on the risk profile, the FFIEC Cybersecurity Assessment Tool recommends a program maturity level, which we use to determine whether we have the requisite minimum security controls in place that are effective. This control evaluation then helps us to determine our cybersecurity residual risk and whether we need to implement any additional controls.
In addition to using the FFIEC Cybersecurity Assessment Tool, we evaluate the robustness and effectiveness of our cybersecurity program both internally and externally with periodic internal risk assessments, and internal and third-party audits. We also use third-party assessments to simulate threat actors to test and evaluate our cybersecurity controls and the effectiveness of our overall program. As part of our cybersecurity program, we have developed an incident response plan based on industry-standard cybersecurity frameworks, with procedures for responding to and remediating a cyber-incident, which also includes a process to activate our business continuity plan, if necessary. We also review and test our incident response plan through simulations and assessments.
Furthermore, we employ recurring security awareness training for employees and produce recurring security awareness material for our customers.
The secure maintenance and transmission of confidential information, as well as execution of transactions over the systems of our third-party service providers, is essential to protect us and our customers against fraud and security breaches and to maintain customer confidence. Information security and risk management are an integral part of our new product and service implementation and vendor relationship management to confirm that they all meet the minimum standards and policies established and approved by our Board. We have developed processes to identify and oversee risks from cybersecurity threats associated with our third-party service providers, which includes the information security team assisting with and assessing cybersecurity robustness during vendor selection and onboarding as well as risk-based monitoring of vendors on an ongoing basis.
In the ordinary course of our business, we have experienced and expect to continue to experience cyber-based attacks and other attempts to compromise our information systems, although none, to our knowledge, has had a material adverse effect on our business, financial condition or results of operations. With regard to risks from cybersecurity threats, including as a result of previous cybersecurity incidents, we have conducted assessments and have determined that we do not believe any of the identified risks have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. While we do not believe cybersecurity threats are reasonably likely to affect us, our business strategy, our results of operations or our financial condition, like all financial institutions, we face risks of such threats, the consequences of which could be material. See Item 1A “Risk Factors – We are subject to operational risks relating to our technology and information systems,” above. In addition, given the constant and evolving threat of cyber-based attacks, we incur significant costs in an effort to detect and prevent security breaches and incidents, and these costs may increase in the future.
Cybersecurity Governance
Our Board oversees an enterprise-wide approach to risk management, designed to support the achievement of organizational objectives in the areas of strategy, operations, reporting, and compliance without exposing the organization to undue risk. While our Board has the ultimate oversight responsibility for the risk management process, the Board Risk Committee also has responsibility for overseeing risk management, including oversight of risks from cybersecurity threats. Additionally, as part of our cybersecurity governance, we annually purchase cybersecurity insurance customary for companies in our industry. While our Board and the Board Risk Committee oversee our cybersecurity program, management is responsible for implementing the program.
Our Chief Information Security Officer, who reports to our Chief Risk Officer, is responsible for managing our information security team, maintaining and continuing to develop and implement our cybersecurity program enterprise-wide and assessing and managing risks from cybersecurity threats, subject to oversight by and reporting to the Board Risk Committee, which in turn reports directly to the Board. In addition to the Board Risk Committee, two of our management committees are also involved in overseeing risks from cybersecurity threats: our Enterprise Risk Management Committee and our Information Security Sub-Committee. These two management committees report to the Board Risk Committee, which in turn reports directly to the Board.
We have processes to inform the Board Risk Committee and the Board about risks from cybersecurity threats. Our management team reports its findings using the FFIEC Cybersecurity Assessment Tool and our information security team’s determination as to whether our security controls, at a minimum, are in place and effective. The Chief Information Security Officer and the information security team regularly report to the Board Risk Committee and the Board regarding cybersecurity and related threats and trends, changes, control effectiveness and residual risk, the areas where our cybersecurity program may be improved and improvements made to address and remediate issues.