WEST BANCORPORATION INC - (WTBA)
10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
We rely extensively on various information systems and other electronic resources to operate our business. In addition, nearly all of our customers, service providers and other business partners on whom we depend, including the providers of our online banking, mobile banking and accounting systems, use their own electronic information systems. Any of these systems can be compromised, including by employees, customers and other individuals who are authorized to use them, and bad actors using sophisticated and a constantly evolving set of software, tools and strategies to do so. The nature of our business, as a financial-services provider, and our relative size, make us and our business partners high-value targets for these bad actors to pursue. See “Risks Related to Information Security and Business Interruption” section of the Risk Factors included in Item 1A of this Form 10-K for additional information.
Accordingly, we have devoted significant resources to assessing, identifying and managing risks associated with cybersecurity threats, including:
•Implementing an Information Security Program that establishes policies and procedures for security operations and governance;
•Establishing an Information Security Committee that is responsible for security administration, including conducting regular assessments of our information systems, existing controls, vulnerabilities and potential improvements;
•Implementing layers of controls and not allowing excessive reliance on any single control;
•Employing a variety of preventative and detective tools designed to monitor, block and provide alerts regarding suspicious activity;
•Continuously evaluating tools that can detect and help respond to cybersecurity threats in real-time;
•Leveraging people, processes and technology to manage and maintain cybersecurity controls;
•Maintaining a third party risk management program designed to identify, assess and manage risks associated with external service providers;
•Performing due diligence with respect to our third-party service providers, including their cybersecurity practices;
•Engaging third-party cybersecurity consultants, who conduct periodic penetration testing, vulnerability assessments and other procedures to identify potential weaknesses in our systems and processes; and
•Conducting periodic cybersecurity training for our employees and the Company’s Board.
The Information Security Program is a key part of our overall risk management system, which is administered by our Information Security Committee. The program includes administrative, technical and physical safeguards to help protect the security and confidentiality of customer records and information.
From time-to-time, we have identified cybersecurity threats that require us to make changes to our processes and to implement additional safeguards. While none of these identified threats or incidents have materially affected us, it is possible that threats and incidents we identify in the future could have a material adverse effect on our business strategy, results of operations and financial condition.
The Company’s management team is responsible for the day-to-day management of cybersecurity risks we face and oversees the Information Security Committee. The Information Security Committee manages the oversight of the information security assessment, development of policies, standards and procedures, testing, training and security report processes for West Bank. The Information Security Committee is comprised of officers with the appropriate expertise and authority to oversee the Information Security Program.
In addition, the Company’s Board, both as a whole and through its Risk and Information Technology Committee (Risk Committee) is responsible for the oversight of risk management, including cybersecurity risks. In that role, the Company’s Board and the Risk Committee, with support from the Company’s management and third party cybersecurity advisors, are responsible for ensuring that the risk management processes designed and implemented by management are adequate and functioning as designed. The Board reviews and approves an information security program, vendor management policy (including third-party service providers), acceptable use policy, incident response policy and business continuity planning policy on an annual basis. All the aforementioned policies are developed and implemented by management of the Company. To carry out their duties, the Board receives updates from the Risk Committee regarding cybersecurity risks and the Company’s efforts to prevent, detect, mitigate and remediate any cybersecurity incidents on at least a quarterly basis.
29
West Bancorporation, Inc. and Subsidiary