Tectonic Financial, Inc. - (TECTP)
10-K Filing Date: April 01, 2024
Cybersecurity Risk Management
Cybersecurity is critical to supporting our business and protecting our customers in an increasingly complex environment. We face a variety of cybersecurity threats including attacks that are common to most industries, such as ransomware and denial-of-service, as well as attacks from advanced and highly organized adversaries targeting financial services companies. Our information systems have from time to time experienced such attacks despite our best efforts to prevent them. Our customers, suppliers, and other third parties also face similar cybersecurity threats, and a cybersecurity incident impacting any party could have a material impact on our operations, performance, or operating results. None of these threats or incidents have to date materially affected our business strategy, results of operations, or financial condition. However, we cannot assure that any future security breaches will not occur or that any such events that have occurred or may occur in the future will not result in material harm to our business, operations, reputation or profitability. These threats and related risks highlight the importance of allocating resources to protect the Company and our customers. For more information on how cybersecurity risk may materially affect the Company’s business strategy, results of operations or financial condition, please refer to Item 1A, Risk Factors, of this Form 10-K.
The Company maintains a formal Information Security Program that includes risk assessments regularly conducted by internal resources as well as third-party experts. These assessments are used to evaluate potential security threats that may have a negative impact on the organization, detect potential vulnerabilities and mitigate any identified security risks. Our program leverages industry standards and frameworks and is designed to protect the confidentiality, integrity, and availability of our information assets and systems.
The Information Security Program is led by the Chief Information Security Officer ("CISO"), who reports to the Chief Executive Officer. The CISO has oversight of the Company’s risk management framework, which includes the Information Security Program. The CISO provides program oversight and direction, including adjustments in response to changes in technology, threats, business processes, and regulatory or statutory requirements. The CISO works collaboratively with information technology staff, operational management, counterparts at third-party vendors and functional stakeholders to implement a program designed to protect our information systems from cybersecurity threats and promptly respond to potential cybersecurity incidents. The CISO has over 20 years of experience in the fields of information technology and cybersecurity and maintains multiple professional cybersecurity certifications.
Our Information Security Program consists of several elements including:
● Incident Monitoring and Response. We have 24x7 cybersecurity monitoring, which utilizes both third-party cybersecurity experts and leading tools to monitor activity in our information systems. We also maintain an incident response plan and playbooks that define our response to a cybersecurity incident, including a cross-functional incident response process that includes key stakeholders such as senior leaders and legal, and leverages our technological resources and third-party service providers. Through ongoing communication with these teams, the CISO monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents in real time, and reports such incidents to leadership when appropriate pursuant to internal guidelines governing the reporting of such events.
● Threat and Vulnerability Management. We maintain a threat and vulnerability management program that leverages multiple data sources to proactively identify, assess, and mitigate changing cybersecurity risks. This program incorporates vulnerability scanning and threat intelligence capabilities, which are in place to help safeguard information assets. We also share and receive threat intelligence with government agencies, the Financial Services Information Sharing and Analysis Center ("FS-ISAC"), cybersecurity vendors, and leaders in the cybersecurity industry.
● Infrastructure and Data Protection. We have technical and organizational safeguards that are designed to protect our networks, systems, and data from cybersecurity threats, including firewalls, intrusion prevention and detection systems, network and endpoint anti-malware protections, and access controls such as privileged access management. Our information security and information technology teams collaborate regularly to assess the security of current and future infrastructure changes.
● Third-Party Risk Management. We run a third-party risk management program designed to identify and manage risks, including cybersecurity risks, involving our third-party providers. This includes performing due diligence and assessment of each provider’s cybersecurity posture as well as periodic re-assessments.
● Security Training and Awareness. We provide ongoing education and training to employees regarding cybersecurity threats and the role they play in helping prevent and detect these threats. This includes regular phishing simulations, with training provided for any failures, as well as periodic communications via the internal company portal concerning threats, best practices, and technology changes to improve security. We also work with the Company marketing department to periodically publish articles on our website to raise security awareness with our customers.
While we maintain teams that specialize in cybersecurity and information technology, we also leverage third-party experts to provide objective feedback on our program and posture. This is accomplished through penetration tests, security posture assessments, and technology consulting. These independent evaluations help validate existing controls, identify potential focus areas, and aid in securely deploying technology in an increasingly complex environment.
Our Information Security Program is evaluated regularly by both the internal audit function as well as third-party audit firms. These audits help ensure our program is appropriate to address the changing threat landscape and aligns to industry standards such as the National Institute of Standards and Technology Cybersecurity Framework, as well as other legal and regulatory guidance including the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool, the Bankers Electronic Crimes Taskforce Ransomware Self-Assessment Tool, and the Gramm-Leach-Bliley Act. Controls are reviewed for adequacy and design at least annually, and both internal and third-party audits aid in identifying areas for continued focus, providing assurance that controls are appropriately designed and operating effectively. Additionally, we meet regularly with examiners from the Office of the Comptroller of the Currency to review our cybersecurity program and discuss the changing threat landscape.
Our cybersecurity personnel maintain current knowledge through training, obtaining professional certifications, and participation in industry groups such as FS-ISAC, American Bankers Association, and the Texas Bankers Association. Company cybersecurity personnel expand and test their knowledge of cyber threats and countermeasures through additional on-the-job training and periodic simulated exercises to practice their response to real-life threats. We maintain a training budget, and personnel are encouraged to obtain formal training and industry-approved certifications as appropriate for their roles and responsibilities.
The Technology Committee of our board of directors is responsible for overseeing our information security and technology programs, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. Our Chief Information Security Officer provides quarterly reports to the Technology Committee of our board of directors regarding the information security program and the technology program, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes. The Technology Committee of our board of directors reviews and approves our information security and technology budgets and strategies at least annually. Additionally, the Technology Committee of our board of directors reviews our cybersecurity risk profile on at least an annual basis.