Live Oak Bancshares, Inc. - (LOB)
10-K Filing Date: February 22, 2024
Item 1C. CYBERSECURITY
Risk Management and Strategy
The Company maintains a cybersecurity risk management program that is designed to enable us to assess, identify, and manage risk associated with cybersecurity threats (the “Cybersecurity Program”). Our Cybersecurity Program is based on the Cybersecurity Framework promulgated by the National Institute of Standards and Technology and other applicable industry standards. It includes the following elements:
• Identification and assessment of cybersecurity threats based on periodic internal and external assessments and monitoring, information from internal stakeholders, and external publications and resources.
• Technical and organizational safeguards designed to protect against identified threats, including documented policies and procedures, employee training and awareness, and technical controls.
• Processes to detect the occurrence of cybersecurity events and incidents, and maintenance and periodic testing of incident response, recovery, and business continuity plans and processes.
• A third-party risk management program to manage cybersecurity risks associated with our service providers, suppliers, and vendors using a risk-based approach that focuses on cybersecurity risks associated with critical service providers, suppliers, and vendors.
Further, the Company’s internal controls, various threat landscapes, internal events and incidents, and emerging risks are periodically reviewed to make adjustments to the Cybersecurity Program as needed. Additionally, annual risk assessments and penetration tests are performed.
Management of Material Risks & Integrated Overall Risk Management
Assessing, identifying, and managing cybersecurity risks is integrated into our overall risk management framework. The Cybersecurity Program is integrated into the Company’s Enterprise Risk Management (“ERM”) program and framework. Together, these programs are designed to foster a company-wide culture of cybersecurity risk management. Our Information Security team works closely with stakeholders across technology, legal, risk, and business units to implement and monitor controls. See “Governance” below for additional information on processes used by management to monitor cybersecurity incidents.
Engagement of Third Parties in Connection With Risk Management
The Company leverages various third parties to conduct evaluations of our Cybersecurity Program, including security controls. The Company engages a third party to audit its information technology function, which includes an assessment of the Company’s cybersecurity efforts. The Company also maintains cybersecurity insurance; however, the costs related to cybersecurity threats or disruptions may not be fully insured. Additionally, the Company engages third parties to perform penetration tests on an annual basis. The Company also periodically engages third parties for assessments of specific products, services, or applications. The Company leverages various software and service providers as part of its Cybersecurity Program, including a managed security service provider and a service provider that helps monitor third-party suppliers. The Company also receives periodic threat intelligence reports from vendors, peers, and industry information sharing and analysis centers. The Company maintains a relationship with a leading incident response firm to assist the Company in responding to cybersecurity incidents, if appropriate.
Oversight of Third-party Risks
Our third-party service providers, suppliers, vendors, and partners face cybersecurity risks that could impact us. Therefore, the Company has developed and implemented processes to oversee and manage these risks. These processes include performing third-party onboarding due diligence, such as risk assessments and information security reviews for critical service providers, suppliers, and vendors; seeking to have third parties agree to contractual requirements designed to ensure cybersecurity and related matters are addressed; and conducting ongoing monitoring and due diligence in accordance with our vendor management and information security policies and standards. As noted above, we use a third party to aid us in monitoring third parties’ cybersecurity risk.
Risks from Cybersecurity Threats
As of the date of this report, we have not encountered any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.
Governance
Managing cybersecurity risk is a key focus for the Board of Directors. The Company seeks to ensure effective governance in managing risks associated with cybersecurity threats, as more thoroughly described below.
Board of Directors Oversight
The Risk Committee of the Board of Directors is responsible for the oversight of risks from cybersecurity threats. As described below, where appropriate, strategic risk management decisions are escalated to the Risk Committee, and the Risk Committee receives periodic reports on cybersecurity matters from management.
Management’s Role in Cybersecurity Risk Management
The Chief Information Security Officer (“CISO”) of the Bank and a standing management Information Security Committee monitor, measure, and report key indicators, risk assessments, and security measures to the management Corporate Risk Committee. The CISO, in conjunction with the Corporate Risk Committee, makes quarterly reports to the Risk Committee of the Board of Directors. Such quarterly reporting may include, but is not limited to, key metrics and risk indicators, penetration test results, risk assessment results, status of ongoing initiatives, incident and notable event reports, compliance with regulatory standards, and operational issues.
In addition to quarterly reporting to the Board’s Risk Committee, the Company’s incident response processes include escalation to management when an incident is suspected.
Risk Management Personnel
Primary responsibility for assessing, monitoring, and managing our Cybersecurity Program rests with the CISO, Mr. Richard Friedberg. With over 25 years of experience in the field of cybersecurity, his background includes extensive experience across the financial sector, technology sector, and U.S. government. Mr. Friedberg is also an adjunct faculty member at Carnegie Mellon University, teaching risk and cyber practices. Mr. Friedberg holds a Bachelor of Science from Carnegie Mellon University, a Master of Business Administration from George Washington University, and maintains certification as a Certified Information Systems Security Professional and Certified Information Security Manager.
Monitoring Cybersecurity Incidents
The CISO is continually informed of and monitors cybersecurity risks and incidents through real-time updates, including a partnership with a managed security service provider. Periodic Information Security Committee meetings cover key metrics and risk indicators, penetration test results, risk assessment results, status of ongoing initiatives, incident and notable event reports, compliance with regulatory standards, and operational issues. In the event of a cybersecurity incident, we have an established incident response plan that requires prompt notification of the CISO or the CISO’s designee, who in turn engages with the corporate Incident Response Team (IRT) to respond to the incident. The CISO is also responsible for informing the Information Security Committee of cybersecurity incidents, which in turn reviews the impact of incidents and monitors the Company’s mitigation and remediation efforts. Depending on the nature of the incident, this process also provides for escalating notice to the Risk Committee of the Board of Directors. These processes assist management and the Risk Committee in staying informed of and monitoring the prevention, detection, mitigation, and remediation of cybersecurity incidents.
Reporting to Board of Directors
The CISO, in his capacity, periodically informs the Information Security Committee, Corporate Risk Committee and Board’s Risk Committee of cybersecurity risks and incidents. This enables the highest levels of management to be kept abreast of the Company’s cybersecurity posture and potential risks facing the Company. Furthermore, significant cybersecurity matters and strategic risk management decisions are escalated to the Risk Committee of the Board of Directors, where appropriate.