OP Bancorp - (OPBK)

10-K Filing Date: March 29, 2024
Item 1C. Cybersecurity.

Risk Management and Strategy

We believe that our cybersecurity program provides effective protection of client information and of our operating systems from known and reasonably expected risks, while also promoting the timely detection of, and defense against, cyberattacks and other unauthorized access to our information technology (“IT”) systems. In order to accomplish these goals, we maintain up-to-date information security and monitoring controls, which we believe mitigate cybersecurity risks and threats while optimizing the utility of our systems. At the same time, cyberattacks are increasingly common, sophisticated and destructive, and several large, highly sophisticated financial institutions have been successfully targeted in recent years, leading to significant losses of client data, denials and loss of online banking and other data services, and other critical functions that have become essential to modern banking. These events also have carried significant reputational risk for the successfully targeted institutions. In order to mitigate these risks, our Information Security Officer ("ISO") is responsible for our cybersecurity programs and for the detection of and response to any identified threats and incidents. That individual also reports regularly to our Board of Directors and oversees certain policies and procedures that are intended to guard against, detect, and respond to potential breaches of our IT systems. Although the SEC’s new cybersecurity reporting requirements do not currently require us to file a Form 8-K announcing the occurrence of material cybersecurity incidents, that obligation will apply to the Company with respect to material incidents discovered after June 15, 2024, and we are adapting our disclosure procedures to assure timely compliance with the Company’s obligations under Item 1.05 of Form 8-K once that requirement becomes applicable to the Company.
In the meantime, we continue to evaluate and monitor cybersecurity risks to assess whether any detected incident would be material to investors and, in such an event, we would make a timely report of a material incident under Item 7.01 or Item 8.01 of Form 8-K.
Managing Material Risks & Integrated Overall Risk Management

We have strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. Our procedures and security program are the guiding policies over our cybersecurity risk management. Additionally, our IT team uses the best currently available tools to help protect against cybercriminals. We leverage the latest encryption practices and cyber technologies on our systems, devices, and third-party connections and further review vendor encryption to ensure proper information security safeguards are maintained. Our employees are responsible for complying with our cybersecurity standards and complete training to understand the behaviors and technical requirements necessary to keep information secure.

Engaging Third Parties for Risk Management

We recognize the complexity and evolving nature of cybersecurity threats, which is why we engage a range of external experts, including cybersecurity consultants, in evaluating and testing our risk management systems. Our IT security team partners with third-parties to perform annual penetration testing, vulnerability scanning, and monitoring of any potentially suspicious activity across the Company.

Oversight of Third-party Risk

We also maintain a third-party risk management program that applies to all third-party vendor relationships. Our Board of Directors has ultimate responsibility for providing oversight for third-party risk management and holding management accountable. The Board provides clear guidance regarding strategic goals and acceptable risk appetite with respect to third-party relationships. The Board reviews this policy on at least an annual basis to assure that the procedures and practices established by management have been implemented. Our chief risk officer is responsible for development and implementation of third-party risk management policies, procedures, and practices, commensurate with the Company’s strategic goals, risk appetite and the level of risk and complexity of its third-party relationships. This individual regularly reports to the Board of Directors regarding third-party risk management activities. The Company’s internal audit staff also determines the frequency and scope of audits to examine the effectiveness of our third-party risk management program.

The Company recognizes that not all third-party relationships present the same level of risk, and therefore not all third-party relationships require the same level, degree or type of oversight or risk management. As part of its risk management program, management analyzes the specific risks associated with each third-party relationship, including but not limited to, cybersecurity and information security related risks.

Risks from Cybersecurity Threats

We have not encountered cybersecurity risks or threats that have materially impaired our business strategy, results of operations, or financial condition.

Governance

The Board recognizes the importance of managing risks associated with cybersecurity threats. The Board has established robust oversight procedures to promote effective governance in managing cybersecurity risks because of the significance of these threats to our operational integrity and shareholder confidence.

Board of Directors Oversight

The Board Risk and Compliance Committee ("BRCC") is central to the Board’s oversight of cybersecurity risks. The BRCC currently oversees various risk areas such as regulatory compliance, CRA, BSA/AMLA, enterprise risk management, cybersecurity, technology, and third-party risk management. The committee ensures that the Board maintains appropriate expertise to assure the appropriate management of cybersecurity risk. The BRCC reports periodically to the Board on the effectiveness of cybersecurity risk management processes and cybersecurity risk trends. The Board also receives specific reports from senior management with oversight responsibility for cybersecurity risks within the Company. These reports include risk assessments of cybersecurity and related risks, as well as the company’s vulnerability to those risks. The BRCC reviews an annual evaluation of the company’s cybersecurity posture and the effectiveness of its risk management strategies, identifying areas for improvement and ensuring the cybersecurity efforts are integrated with the overall risk management framework.
Management’s Role in Managing Risk

The ISO plays a pivotal role in informing the BRCC on cybersecurity risks. Jointly with the Chief Risk Officer, the ISO reports quarterly to the BRCC on a range of topics, including:

Current cybersecurity landscape and risks;
Status of ongoing cybersecurity incidents, threats and strategies;
Internal and external test results and remediation efforts;
Enforcement of ongoing awareness training on information security;
Cybersecurity incident reporting and post-incident reviews; and
Compliance with regulatory requirements and evolving industry trends.

The ISO reports to the BRCC on the status and impact of any information security related developments and strategic initiatives and, depending on the severity of the situation, directly to the Board of Directors. In addition to regular meetings, the BRCC, the ISO, Chief Risk Officer, Chief Information Officer, and Chief Executive Officer maintain an ongoing dialogue regarding emerging or potential cybersecurity risks that we face, particularly as a financial institution. The Company’s Management Risk and Compliance Committee also reports directly to the BRCC regarding our risk management initiatives. The BRCC also receives quarterly reports from the Executive IT Committee and IT department in order to stay informed on all aspects of cybersecurity risk affecting the Company.

Risk Management Personnel

Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the ISO, who has extensive cybersecurity program management experience working in various information security roles, including teaching as an information security instructor at a university. The ISO holds various information security qualifications, including a doctoral degree in information technology and cyber security, and holds the Certified Information Systems Security Professional ("CISSP") certification. The ISO and Chief Risk Officer are responsible for managing the disclosure and communications related to cybersecurity incidents. Our Chief Risk Officer chairs the Management Compliance and Risk Committee independently and has more than 20 years of experience in compliance and risk management.

Monitoring Cybersecurity Incidents

The company utilizes various industry-leading systems to provide 24/7 threat detection and response capability, many of which provide proactive measures to shut threats down before they can harm the organization. Additionally, the company’s incident response team periodically performs proactive measures, searching for potential indicators of threats, compromise, and bad actors on our network. Endpoint and network detection tools alert IT staff of security events that warrant further analysis. The ISO is kept abreast of all active investigations. If an incident is identified, we attempt to contain the threat immediately, for example by taking systems offline to stop the spread of an attack. Eradication of an attacker’s artifacts, such as user accounts and malicious code, would then be performed. The Company maintains Business Continuity and Disaster Recovery plans, processes, and technology to restore systems affected by a cybersecurity incident. The ISO may determine that an incident has the potential to be materially relevant and would escalate that determination to executive management, including the Chief Executive Officer, Chief Risk Officer, Chief Information Officer, Chief Financial Officer, and other leaders and advisors of the Company. In addition, we maintain insurance that we believe is customary against certain insurable cybersecurity risks. However, certain aspects of cybersecurity risks are not insurable, and the availability, extent, and cost of coverage may limit our recourse to these sources of risk mitigation.

Reporting to Board of Directors

The ISO, in his capacity as such, regularly reports to management and the BRCC on all aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept informed of our cybersecurity posture and the potential risks we face. In the event of certain cybersecurity matters which present increasing concern, our policies require escalating these cybersecurity and risk management decisions to the full Board.