Binah Capital Group, Inc. - (BCG)

10-K Filing Date: April 16, 2024

ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management

We maintain written policies and procedures that outline the Company’s comprehensive information security program (CISP). The Chief Information Security Officer (CISO) has the responsibility for implementation and maintenance of the CISP. In addition to SEC and FINRA regulatory requirements, we leverage established security frameworks, such as the National Institute of Standards and Technology Cybersecurity Framework, as guides to continually improve our policies and procedures. In addition, our employees are required to complete a cybersecurity training program each year, which is supplemented with additional awareness efforts, including phishing campaigns and informational notifications.

We employ a variety of security tools and components to monitor, identify and block cybersecurity threats. In the event of a cybersecurity incident, the Company has an incident response team (IRT) whose role is to respond quickly and effectively. The IRT utilizes an incident response plan for the implementation of its incident response capabilities that provides (i) a definition of “reportable incidents/events”, and (ii) “metrics” for evaluating the IRT’s response capabilities and effectiveness. The checklist is periodically reviewed by the IT Department for lessons learned from both mock and actual incidents, and to assure compliance with the most current industry best practices and latest regulatory developments. The incident response plan includes processes through which cybersecurity incidents are escalated to the Company’s executive officers. To improve preparedness for a cybersecurity incident, we conduct tabletop exercises at least annually. These exercises are conducted by internal personnel.

Cybersecurity Committee

The mission of the Cyber Security Committee is to be responsible for the cultivation of a corporate culture that recognizes risk awareness and the development of the Company’s cyber security solutions, utilizing thought leadership, technology and systems, and development of applicable policies and procedures. Through its cyber security policy and procedures, the Committee will ensure effective collaboration and coordination between affected departments and staff in identifying and responding to both privacy and cyber security risks and events. The Committee will oversee the development and implementation of an enterprise-wide strategic framework related to the identification and prevention of cyber security threats as an integral part of the Firm’s risk management process, otherwise known as the CISP. The Firm’s cyber security framework is intended to be “evolutionary”, requiring (i) periodic reviews, and (ii) testing of systems, that result in changes to Company policy and procedures as cyber security issues and developments require. The Committee shall be composed of specified members of senior management, department heads and staff, who have been selected based upon their backgrounds and experience involving IT, Risk Management, Operations, Compliance, and Legal. The Committee shall have the discretion to engage and utilize the services of independent vendors, computer service providers (eSPs) and consultants having expertise in the area of cyber security and IT. The Committee shall determine its meeting agendas and frequency of meetings, which shall be reported through minutes prepared by the designated secretary.

Engagement of Third Parties

We engage third-party subject matter experts and consultants to conduct evaluations of our security controls, including, but not limited to, penetration testing, auditing of our CISP or consulting on our response to cyber security threats and breaches. Results of these evaluations are used to help determine priorities and initiatives to improve the overall CISP. As necessary, we also engage third-party experts and consultants to assist with the incident response process to augment our internal security operation center team.

The Company will conduct initial and ongoing due diligence of each current or prospective third-party service provider to evaluate whether the third-party service provider will access, maintain, or store any client private information. Vendor cybersecurity controls are then assessed to determine if the vendor’s control environment meets the Company’s standards. Vendors are also assessed on a periodic ongoing basis according to their risk classification.

We have not identified any cybersecurity incidents that individually, or in the aggregate, have materially affected or are reasonably likely to materially affect the Company. Regardless, we recognize cybersecurity threats are ongoing and evolving, and there can be no guarantee that we will not be subject to a cybersecurity incident that has a material effect on our business.