First Foundation Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

First Foundation Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:59:58 EST.

Filings

10-K filed on 2024-02-28

First Foundation Inc. filed a 10-K at 2024-02-28 16:59:58 EST
Accession Number: 0001558370-24-002026


Item 1C. Cybersecurity.

Cybersecurity Risk Management

We recognize the security of our banking operations is critical to protecting our customers, maintaining our reputation and preserving our enterprise value. We maintain a comprehensive process for identifying, assessing, and managing material risks from cybersecurity threats as part of our broader risk management system and processes. The Company's Information Security Officer is primarily responsible for developing, monitoring, and implementing our cybersecurity program, which establishes policies and procedures for the measurement of the effectiveness and efficiency of information security controls related to both design and operations. The Chief Technology Officer is responsible for implementing the appropriate controls and monitoring them towards adherence with the established standards.

As a regulated financial institution, we have designed our cybersecurity program based on the requirements of the Gramm-Leach-Bliley Act of 1999 and Federal Financial Institutions Examination Council ("FFIEC") Cybersecurity Assessment Tool. Our processes for identifying, assessing and managing material risks from cybersecurity threats rely on the FFIEC Cybersecurity Assessment Tool as well as recurring audits and assessments of our cybersecurity program and controls.

As part of our cybersecurity program, we have developed an incident response plan based on industry-standard cybersecurity frameworks, with procedures for responding to and remediating a cyber-incident. We also review and test our incident response plan through simulations and assessments. Further, we employ recurring security awareness training for employees and produce recurring security awareness material for our customers. We engage third-party services to conduct penetration testing as well as other regular evaluations of our security protocols and processes.

Additionally, we assess and monitor the cybersecurity controls of third party service providers and partners. Ongoing and regular monitoring of our third parties is also managed through our Information Security Program team's protocols in partnership with the vendor management, enterprise risk management, and internal audit departments.

Our business, financial condition and results of operations have not been materially affected by risks from cybersecurity threats, including as a result of previous cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks, see Item 1A Risk Factors of this Annual Report on Form 10-K.

Cybersecurity Governance

The Board of Directors, through the Audit Committee and Directors Risk Committee, provides direction and oversight of the Company's risk management system. Our Chief Technology Officer is responsible for managing our information security team, while our Information Security Officer is responsible for maintaining and continuing to develop and implement our cybersecurity program enterprise-wide and assessing and managing risks from cybersecurity threats.

Both the Information Security Officer and Chief Technology Officer have extensive experience in the banking industry and in information technology and information security. The Information Security Officer has served in information security roles for twenty-five years and in banking for thirty-five years. The Chief Technology Officer has been with the Company since 2010 and has over twenty years of experience in information technology and cybersecurity within the banking industry.

We have processes to inform the Directors Risk Committee, Audit Committee and the Board about risks from cybersecurity threats. Our management team reports its findings using the FFIEC Cybersecurity Assessment Tool and our information security team's determination as to whether our security controls, at a minimum, are in place and effective.

The Information Security Officer and Chief Technology Officer regularly report to the Director Risk Committee, Audit Committee and the Board regarding cybersecurity and related threats and trends, changes, control effectiveness and residual risk, the areas where our cybersecurity program may be improved and improvements made to address and remediate issues.


Company Information

Name: First Foundation Inc.
CIK: 0001413837
SIC Description: State Commercial Banks
Ticker: FFWM - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30