FIVE STAR BANCORP - (FSBC)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
We recognize the crucial importance of identifying, assessing, and managing material risks from cybersecurity threats. We are committed to implementing and maintaining a comprehensive information security program to manage such risks and safeguard our systems and data, including the data of our customers.
Information Security Policies and Procedures
We manage our cybersecurity risk in accordance with our Information Security Program (the “Information Security Program”), which is applicable to all users of our information technology assets, information assets, and facilities, including our employees, contractors, vendors, volunteers, and agents. The Information Security Program includes an Information Security Incident Response Policy (the “Incident Response Policy”), which sets forth the rules and requirements for identifying, investigating, validating, prioritizing, and responding to information security incidents, and addresses the response portion of security monitoring. The Information Security Program also includes: (i) an Information Security Incident Response Procedure (the “Incident Response Procedure”), which delineates the processes for reporting, classifying, investigating, planning, containing, eradicating, recovering, documenting, and communicating information security incidents, as well as post-incident activities, and (ii) a Security Monitoring Policy, which establishes the rules and requirements for enabling, logging, alerting, and monitoring real time security alerts and security logs (automated or manual), as well as various condition monitoring tests and reviews, and documentation requirements in connection with security incident identification.
Potential information security incidents are identified in a number of ways, including, but not limited to: users reporting security violations, system weaknesses, violations of our Information Security Acceptable Use Policy, which addresses the boundaries of acceptable use of our information technology assets, automated system alerts, and monitoring of both system generated and manually generated logs. Our Information Security Program mandates that any potential information security incident response begin at the initial internal communication and investigation stage, during which such events undergo initial investigation for validation, including related to the scope and depth of such incident and to ensure that it has not resulted from a false positive. Internal communications regarding the potential incident occur with the relevant security coordinator according to our Incident Response Procedures.
Following this initial stage, we gather and update impact information and related documentation for such incident. We use an incident classification matrix to determine the initial classification of a potential information security incident, which considers users, customers, and systems affected, the sensitivity of data at risk, and the potential business impacts to the Company including financial, legal, regulatory, operational, and reputation. The resulting classification of “Red,” “Yellow,” or “Green” identifies next steps for escalation and communication following initial investigation of the potential incident. Upon escalation of an incident, a member of management who is identified as an Incident Response Contact per our Information Security Program reviews and validates the initial determination of the priority of the incident prior to entering into the subsequent stage, during which a response to the incident is determined and notifications or communications are made to either additional personnel or any external entities. Depending on the specific details of any such incident, we may notify additional members of our management team, our board of directors, the Audit Committee, state and federal regulators, technology service providers, and/or the SEC. The timing of such communications varies based on the details of a particular incident and applicable regulations governing such disclosure. Following this classification and communication stage, we enter the recovery stage to determine containment and a response to the incident, assign technical staff to address such incident, implement containment, eradicate the incident source, and recover from such incident. Following any such incident, we engage in follow-up to communicate with law enforcement and notify impacted third parties and customers, as appropriate, in addition to further investigating the cause of the incident, documenting takeaways, and engaging in remediation.
Our Chief Information Security Officer (“CISO”) coordinates with other members of our executive management team identified in our Information Security Program to document, validate, respond to, and manage actual or potential security incidents according to their threat classifications as described above, and reports to our board of directors and/or the Audit Committee on an ad hoc basis. The CISO also provides quarterly reports on the status of our Information Security Program and its compliance with regulatory requirements to our board of directors in connection with our board's general risk management oversight role, as described in further detail below. The CISO and the Chief Information Officer (“CIO”) have shared responsibility for overseeing day-to-day operations of the Information Security Program, coordinating or contributing to reviews, audits, risk assessments, and other risk management material, development of departmental policies and procedures for board approval, and periodic updates to our information technology steering committee and/or the full board of directors. The CIO reports to the President and Chief Executive Officer, while the CISO reports to the Chief Regulatory Officer and reports regularly to the Audit Committee.
The CIO has 20 years of industry experience, including management of technology, security, data analytics, and vendor relationships. The CISO has over 10 years of industry experience, including management of security and vendor relationships, and holds several industry certifications, including certification as a Certified Information Systems Security Professional from the International Information System Security Certification Consortium and as a Certified Information Security Manager from the Information Systems Audit and Control Association.
With the approval of the Audit Committee, we also engage third party assessors, consultants, and auditors in connection with the Company’s Information Security Program and in accordance with our Audit Program, including to conduct external and internal penetration testing, independent audits, and risk assessments. We may also utilize third party service providers in the ordinary course of business, including to assist us in performing information security assessments of third party service providers that store or process our confidential data. These information security assessments, whether performed by a third party or internally, include a review of any systems and organization control reports and proof of the vendor’s independent testing of their data protection controls, as well as a review of any exceptions noted and assessment of management responses, results of vulnerability and penetration testing, incident response processes, and third party data protection controls (which can include, but are not limited to: access reviews and controls, backups, monitoring, encryption standards, and disaster recovery). The review of these areas is taken into account in order to provide an overall information security conclusion and risk rating for the vendor.
In addition, we use a combination of technology, policies, procedures, training, and monitoring to promote security awareness and prevent security incidents.
Cybersecurity Risk Oversight
Our executive management team is responsible for the development of our policies and procedures and for managing any exception to the same. In particular, our CISO oversees information security compliance, as described above. The board of directors of the Company has ultimate oversight of cybersecurity-related risk and activities, including the review and approval of our policies and procedures related to cybersecurity. The Information Security Program is approved on an annual basis. Cybersecurity risk management is also incorporated into our overall enterprise risk management model, which is updated on a quarterly basis and subject to oversight by our board of directors.
In the ordinary course of business, our board of directors receives quarterly updates from the CISO regarding the Information Security Program and compliance with relevant regulations, as described above. Members of the Audit Committee of our board of directors also attend the meetings of our information technology steering committee on a quarterly basis. Our information technology steering committee consists of members of our board of directors who have relevant experience from their audit and management experience as well as training provided by our management. If an incident occurs, depending on its priority as identified through the procedures described above, management may inform our board of directors and/or Audit Committee sooner than its next quarterly update. See the section entitled “Part I, Item 1. Business—Risk Management” for additional information on the role of our board of directors and its committees in overseeing risk management.
Relevant Regulations
As a regulated financial institution, the Bank is also subject to financial privacy laws, and our cybersecurity practices are subject to oversight by the federal banking agencies. In addition, the SEC recently enacted rules, effective as of December 18, 2023, requiring public companies to disclose material cybersecurity incidents that they experience on Form 8-K within four business days of determining that a material cybersecurity incident has occurred and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. For additional information, see the section entitled “Part I, Item 1. Business—Supervision and Regulation—Supervision and Regulation of the Bank—Cybersecurity.”
Prior Incidents
Although we have not, as of the date of this Annual Report on Form 10-K, experienced a cybersecurity threat or incident that materially affected our business strategy, results of operations, or financial condition, there can be no guarantee that we will not experience such an incident in the future. For additional information regarding the risk we face from cybersecurity threats, see the risk factor entitled “System failure or cybersecurity breaches of our network security could subject us to increased operating costs as well as litigation, damage to our reputation, and other potential losses.” included in Part I, Item 1A. Risk Factors in this Annual Report on Form 10-K.