Business First Bancshares, Inc. 10-K Cybersecurity GRC - 2024-03-01

Page last updated on April 11, 2024

Business First Bancshares, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-01 15:11:26 EST.

Filings

10-K filed on 2024-03-01

Business First Bancshares, Inc. filed an 10-K at 2024-03-01 15:11:26 EST
Accession Number: 0001437749-24-006270

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity. Financial institutions have an obligation to customers, consumers and stakeholders to safeguard the confidentiality, integrity and availability of nonpublic, sensitive information and the information systems used to store, transmit or process such information. Consistent with industry guidelines, such as the National Institute of Standards and Technology Cybersecurity framework, and regulatory requirements, guidelines and standards, b1BANK s information security and cybersecurity programs (collectively, Program(s) ) have been adapted to fulfill this obligation by establishing and employing administrative, technical and physical safeguards to maintain a secure and dependable infrastructure and environment. These Programs focus on identifying and addressing threats to the company and its customers and contribute corporate decision-making guidance for information security, cybersecurity and risk management objectives. Defending against information security and cybersecurity (collectively, Security ) threats demands a concentrated, collaborative approach and, as such, supplementary programs and processes have been instituted into governing Security and risk management strategies. Global threat intelligence is monitored for potential Security risks or vulnerabilities. These threats are analyzed for potential impact to the bank and are addressed in accordance with Program requirements. b1BANK s Chief Information Security Officer ( CISO ) presents Security reports to the Operating Committee and Risk Committee of b1BANK s board of directors on a quarterly basis or as needed. These reports consist of significant Security events and issues, vulnerability metrics, and material risks. Additional reporting representing the overall state of the Program is presented on at least an annual basis to the full board of directors, which is responsible for overseeing Security functions and associated initiatives. Security is embedded into our culture, being promoted through security awareness materials, mandatory testing campaigns and the mandatory annual review and acknowledgement of corporate Security policies and standards. Business Continuity and Incident Response plans have been cohesively established and employed to provide frameworks for responding to and recovering from events such as natural disasters or security events. Our Director of Business Continuity and CISO, respectively, are responsible for the facilitation of these plans, as needed, and testing each on at least an annual basis. The owners of these plans are responsible for identifying an appropriate group of cross-enterprise subject matter experts and convening them to ensure a comprehensive response. These groups, under the leadership of our Chief Operations Officer ( COO ), provide appropriate internal notifications of material security events and response activities to our General Counsel, Chief Risk Officer, Chief Executive Officer, and board of directors or other appropriate corporate executives. 40 Table of Contents A Vendor Management program has been developed and employed to manage potential risks for third-party service providers, suppliers and external partners who have access to our confidential information. The effectiveness of these processes is verified by independent internal and external audit functions or organizations. Independent internal and external auditors are engaged to perform Security assessments to determine the appropriateness and effectiveness of the overall Program. Supplementary self-assessments are performed as needed or as required by regulatory guidelines. Assessment results are evaluated to determine the scope of risk on the security of the bank and are addressed in accordance with Program requirements. Our current CISO maintains appropriate security certifications and has over 20 years of experience in an information security role. The CISO manages a group dedicated to the security of the bank. This group is responsible for information technology monitoring and incident response activities, the latter covering the response coordination to cyber-attacks under the leadership and pursuant to the direction of the CISO. Our CISO reports directly to our COO and oversees, is assigned the responsibly of and is held accountable for the implementation and monitoring of the Program. Our COO serves on the Risk Committee of the Board, chaired by a board director. The Company engages in a continuous, focused risk monitoring process to identify the likelihood and impact of internal and external threats to our information security systems and data and assesses the sufficiency of the controls in place to mitigate these threats to acceptable levels on a risk-based basis. The CISO and COO together lead efforts to design, implement and operate necessary controls commensurate with the materiality and criticality of identified risks and the sensitivity of the information assets and systems used throughout the bank. To date, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to affect b1BANK.

Company Information