WESTAMERICA BANCORPORATION 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

WESTAMERICA BANCORPORATION reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 19:16:59 EST.

Filings

10-K filed on 2024-02-28

WESTAMERICA BANCORPORATION filed an 10-K at 2024-02-28 19:16:59 EST
Accession Number: 0001171843-24-001054

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY The Company has developed and implemented an Information Security Program based on the Cybersecurity Framework (CSF) best practices and recommendations from the National Institute of Standards and Technology (NIST), applicable regulatory guidance, and other industry standards. Components of the program include a risk assessment program to identify, assess, and mitigate cybersecurity risk; a vendor management program to address third-party cybersecurity risk; and an incident response program documenting cybersecurity incident response and notification procedures. The Company’s Information Security Officer (ISO) oversees the programs and reports on their statuses to management committees including the Information Security Review Committee (ISRC) and the Information Systems Steering Committee (ISSC). The ISO has several years of professional experience in cybersecurity and vendor management, and holds multiple relevant professional certifications. The ISO provides an update to the Board of Directors on a quarterly basis. The Information Security Program is approved by the Board annually. The ISO maintains risk assessments for key IT systems. A third party cybersecurity risk assessment tool, as well as the FFIEC’s Cybersecurity Assessment Tool (CAT) are also used annually to assess cybersecurity risk. -16- Third parties are assessed and categorized according to service type, compliance risk, financial risk, operational risk, and security risk. The level of due diligence and ongoing monitoring that is performed is based on inherent risk as well as specifics such as if the vendor hosts data in the cloud or has access to consumer information. The Company uses a training system to educate new and existing employees on cybersecurity risks. In addition to this training program, simulated phishing attempts are sent to employees on a regular basis to evaluate their understanding of these risks. The Company uses data loss prevention and web filtering software to ensure malicious data does not enter the Company’s network, and sensitive information does not leave the network unless properly secured. Penetration tests and vulnerability scanning are performed on a regular basis. All Company networks are secured behind firewalls. Additionally, Security Information and Event Management (SIEM) technology, an Intrusion Detection System (IDS), and an Intrusion Prevention System (IPS) are used. Access to data on the Company’s networks is granted only if needed for job functions. Data Security Analysts review changes to access to ensure they are authorized and appropriate. An Incident Response Committee that includes representatives from key areas of the Company meets in the event of cybersecurity incidents. The Committee ensures the proper notifications are made in order to comply with all relevant laws, rules and regulations. During the year ended December 31, 2023, there were no cybersecurity incidents that materially affected or are reasonably likely to materially affect the Company. For discussion of the risks from cybersecurity threats, including potential impact to the Company s business strategy, results of operations, and financial condition, refer to Item 1A Risk Factors The Company s information systems may experience an interruption or breach in security in this Report, which is incorporated by reference in this paragraph.

Company Information