BankFinancial CORP 10-K Cybersecurity GRC - 2024-03-01

Page last updated on July 16, 2024

BankFinancial CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-01 15:26:56 EST.


10-K filed on 2024-03-01

BankFinancial CORP filed a 10-K at 2024-03-01 15:26:56 EST
Accession Number: 0001437749-24-006272


Item 1C. Cybersecurity.

The Company conducts no business activities other than activities relating to capital management, stockholder relations, and acting as a source of financial strength for its subsidiary, the Bank. Cyber/information security is a significant and integrated component of the Company’s risk management strategy. As an insured depository institution, threats to information security are present and growing, and the potential exists for a cybersecurity incident to occur, which could disrupt business operations or compromise sensitive data. To date, the Company has not, to its knowledge, experienced an incident materially affecting or reasonably likely to materially affect the Company. The Bank maintains comprehensive policies, procedures, internal controls and practices with respect to cyber/information security, including:

● Information Security Policy and Risk Management. The Bank maintains an Information Security Policy reviewed and updated as needed, and at least annually by its Board of Directors. The Boards of Directors of the Company and the Bank review a formal Information Security Report at least annually and also receive periodic reports on cyber/information security topics and matters. As required by federal banking laws and regulations, the Bank’s cyber/information security risk management practices include risk assessments, controls and practices specifically for cybersecurity, information technology deployment and third-party information technology vendor risk management. The Bank conducts an extensive training program, from entry-level to executive-level, focused on information security and customer data privacy. As part of its Enterprise Risk Management protocols, the Company and the Bank maintain insurance policies appropriate for the scope of its operations, including coverage for risks related to cyber/information security and customer data privacy.

● Information Technology & Information Security Audits. The Bank conducts independent external and internal audits of internal controls relating to information technology and information security in accordance with standards established by the Federal Financial Institutions Examination Council (FFIEC). Pursuant to their respective Charters, the Audit Committees of the Company and the Bank review and monitor the effectiveness of the Bank’s internal controls, including those controls related to information security, based on independent external audit and internal audit reports. The Chief Audit Officer, who is also a Certified Information Systems Auditor, coordinates the external and internal audit plan and reporting functions for the Bank.

● Information Security Management. To prepare for and respond to incidents, the Bank maintains multi-layered cybersecurity protocols, integrating people, technology, and processes as part of the Bank’s Information Security Program. The Information Security Program is governed by various information security and cybersecurity, systems development, change control, disaster recovery/business continuity, third-party vendor management and physical asset classification and control policies. The Information Security Program identifies data sources, threats and vulnerabilities, deploys current information security technologies and ensures awareness, accountability, and oversight for data protection throughout the Bank and with trusted third parties to ensure that data is protected and able to be recovered in the event of a breach or failure (technical or other disaster). The Company engages qualified third-party vendors, consultants and independent auditors to, among other things, conduct network penetration tests and perform cyber/information security audits. The Information Services Division of the Bank is primarily responsible for identifying, assessing and managing material risks from cyber/information security threats. Information security management is conducted by the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) of the Bank. The CIO has ten years’ experience with the Bank, including information security technology deployment and previous information technology audit experience. The CISO has more than 15 years of experience with the Bank, with expertise in large-scale systems information security and customer data privacy management. The CIO monitors, evaluates and adjusts the Bank’s Information Security Program, considering any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and changing business arrangements, such as mergers and acquisitions, technology development initiatives, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems. The Management Audit/Compliance Committee reviews and coordinates the status and results of information security controls, network penetration, business continuity/disaster recovery testing, and incident response plan testing. The CIO is a member of various management committees, chairs the Technology Coordinating Committee of the Bank, and presents cyber/information security updates on a periodic basis to the Chief Executive Officer and the Bank’s Board of Directors. Our employees are the first line of defense with respect to cyber/information security protection. Each employee is responsible for protecting Bank and customer information. Employees are provided training at initial onboarding and thereafter regarding information security and cybersecurity-related policies and procedures applicable to their respective roles within the organization. In addition, employees are subjected to regular simulated phishing assessments, designed to sharpen threat detection and reporting capabilities. In addition to training, employees are supported with solutions designed to identify, prevent, detect, respond to, and recover from cyber/information security threats and activities intended to compromise cyber/information security.

● Customer Data Privacy. The Bank maintains and publishes its Customer Data Privacy Principles on its official website. The Principles include disclosures of the use and sharing of certain customer information, as well as the significant restrictions the Bank places on such activities. In addition, the Bank maintains policies restricting the knowing use or collection of information about children under age 13 by the Bank, other than to provide parental notice or consent. The Bank also maintains policies and controls over the use of electronic mail solicitations, including a customer’s ability to “opt-out” of electronic solicitations at any time. The Bank maintains policies, controls and training programs concerning customer information security, including transaction processing. The Bank deploys universal conditional access policies, requires multi-factor authentication for external network access and on-line banking access by Bank customers, and maintains additional access controls for network security and transaction processing. The Bank also has policies and controls to identify, classify and limit access to non-public customer information, including a comprehensive third-party vendor management cyber/information security risk management program.

● Customer Data Privacy Reviews. The Bank conducts independent external and internal reviews of internal controls relating to customer data privacy and data security in accordance with the requirements of the Gramm-Leach-Bliley Act, the Right to Financial Privacy Act, and standards established by the FFIEC. Pursuant to their respective Charters, the Audit Committees of the Company and the Bank review the effectiveness of the Bank’s internal controls, including those controls related to customer data privacy, based on independent external audit and internal audit reports.

● Information Security Incident Responses. The Bank maintains information security incident response plans for various information security/data breach scenarios. The Bank tests its incident response plans at least annually. Pursuant to applicable federal and state laws, regulations and FFIEC standards, the Bank maintains incident response notification procedures for affected customers, including notification of federal regulatory authorities and law enforcement. For the preservation of all possible avenues for law enforcement, the Bank does not disclose information security incidents to the general public unless required by law or as directed by applicable lawful authority.

Company Information

Name: BankFinancial CORP
SIC Description: Savings Institution, Federally Chartered
Ticker: BFIN - Nasdaq
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30