Oak Valley Bancorp - (OVLY)
10-K Filing Date: April 01, 2024
Cybersecurity risk management and strategy
Cybersecurity and risks associated with information security are operational risks included in the Company’s Enterprise Risk Management (“ERM”) Framework. Under the ERM Framework, the Company’s Information Technology department and all employees are the first line of defense (“First Line”). Those in the First Line are each responsible for identifying and managing the information security risk associated with their activities. The Company’s IT Steering Committee is part of the independent risk oversight of information security risk along with the Company’s Compliance and ERM Committees, both of which are management risk oversight committees.
The Board of Directors (“BOD”) and the IT Steering Committee are primarily responsible for monitoring management’s implementation of operations and technology risk controls, including those relating to cybersecurity and information security. The Company maintains a data protection and information security program designed to ensure adequate governance and oversight is in place while evolving to meet changes in applicable laws and regulations, and best practices. The Company’s information security controls and programs are designed to align with the National Institute of Standards and Technology (“NIST”) standards for cybersecurity and the Federal Financial Institutions Examination Council (“FFIEC”) examination guidelines, along with applicable privacy laws.
Information Security is the responsibility of the officers, employees, and agents of the Company with oversight by the Board of Directors (“BOD”). Our investment in people is critical to maintaining an effective cyber defense, which begins by developing and maintaining a robust Information Security function within the First Line. The Company’s Chief Information Officer (“CIO”) has over 25 years of network architecture, information technology and cybersecurity experience. Collectively, the Company’s senior leadership in this area has nearly 80 years of experience. Each Company employee is responsible for an effective cybersecurity defense, which is enforced with mandatory interactive cyber awareness training, periodic newsletters, executive security briefs and updates. Additionally, the BOD is informed about cybersecurity and the relevant risks posed to the Company via regular updates from the Company’s CIO. The BOD is regularly informed and actively oversees the data security and privacy program and its policies. The BOD also receives regular education on innovative technology, cybersecurity, information systems/data management, fintech and privacy.
Cybersecurity assessments
The Company engages external third parties to perform assessments of our adherence to the FFIEC’s recommendations on cyber preparedness and the NIST Cybersecurity Framework, as well as to review the use of cloud services against best practices and FedLine requirements. To validate the effectiveness of the Company’s overall information security controls, external third parties also perform full-scope external and internal penetration testing designed to mimic the tactics used by individual hackers or criminal hacking organizations. The Company also engages external third parties to perform ongoing adversarial simulation.
The Company conducts regular internal cybersecurity assessments intended to measure inherent risk and drive the adjustment of our security posture according to the latest threats. These assessments include alignment with the FFIEC’s recommendations on cyber preparedness and GLBA Safeguards Rule to protect user data. The Company performs continuous internal and external vulnerability scanning to measure and react to new vulnerabilities and seeks conformance to industry best practices for both cloud-based and on-premises technology. The Company reviews vendor and partner security practices to ensure they maintain proper information security safeguards.
Cybersecurity operational measures
Led by our CIO, the Company's data protection, information, cyber and technology services team collaborates with subject-matter experts throughout the business to identify, monitor and mitigate material risks, as well as to monitor compliance with the Company’s security policies, applicable laws and regulations. The Company’s security monitoring team manages the security of our systems through the ingestion of multiple external threat feeds and system logs. Through the collection and integration of security-related IT infrastructure information, external threat intelligence and the expertise of trained security analysts, the Company works to identify and address potential indicators of compromise. Potential security events are identified and addressed through defined IT incident response activities and with support of the Company’s Incident Response Plan. The Incident Response Plan is in place and updated regularly with the intent to reduce impacts to clients and the Company caused by a declared cyber incident, such as an event involving malicious code, unauthorized disclosure, loss of information or unauthorized use of information or systems. The Incident Response Plan organizes resources to manage and resolve events that harm or threaten the security of information assets. The Incident Response Plan includes involvement of the Company’s Executive Leadership Team and BOD based on the severity of a cyber event, including the analysis of reporting requirements. The Incident Response Plan is tested annually and includes technical and executive management in simulated crisis management cybersecurity tabletop exercises.
As of the date of this report, other than the risks discussed in “Risk Factors,” the Company knows of no risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.