BM Technologies, Inc. - (BMTX)

10-K Filing Date: April 05, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our internal and customer facing information technology systems and confidential information. As part of this program, we prioritize maintaining the highest cybersecurity standards to safeguard information stored within our information technology systems. Our cybersecurity framework and controls are designed to align with key aspects of recognized best practices and standards for cybersecurity and information technology including industry standards based upon guidelines from the Center for Information Security (“CIS”) and the National Institute of Standards and Technology Cyber Security Framework (“NIST CSF”). Additionally, we incorporate guidance from the Federal Financial Institutions Examination Council (“FFIEC”) to ensure we meet the expectations of our partners and any applicable regulatory requirements.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels, and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. As part of our enterprise risk assessment function, we have implemented processes to assess, identify, and manage the material risks facing the Company, including from cyber threats. Key elements of our cybersecurity risk management program include, but are not limited to, the following:

risk assessments designed to help identify material cybersecurity risks to our information technology systems and confidential information;
products and services built with security tools;
cybersecurity awareness training, including internal phishing tests of our employees, contractors, consultants, or any third parties who will have access to our information technology systems and environment;
a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents;
a third-party risk management process for key service providers, suppliers, and vendors based on their criticality and risk profile; and
a level of cybersecurity insurance that we believe is appropriate, taking into consideration the material risks from cybersecurity threats.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us. For more information on our cybersecurity-related risks, see Item 1A - “Risk Factors.”

Cybersecurity Governance

The Company’s information technology team is responsible for assessing and managing cybersecurity risks. The team has a depth of experience focused on increasing the Company’s resilience to security threats and stays current on new developments by monitoring the cybersecurity landscape. The Company’s information technology environment is actively monitored for potential security threats, and security events are investigated and acted on to minimize potential risk to the environment.

Our Board of Directors considers cybersecurity risk as part of its risk oversight function and oversees management’s implementation of our cybersecurity risk management program. The Board of Directors receives periodic reports from management on our cybersecurity risks and program. In addition, management updates the Board of Directors, as necessary, regarding any significant cybersecurity incidents.