BYLINE BANCORP, INC. 10-K Cybersecurity GRC - 2024-03-04

Page last updated on April 11, 2024

BYLINE BANCORP, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-04 17:26:39 EST.

Filings

10-K filed on 2024-03-04

BYLINE BANCORP, INC. filed an 10-K at 2024-03-04 17:26:39 EST
Accession Number: 0000950170-24-024969

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity . In the ordinary course of business, we rely on electronic communications and information systems to conduct our operations and to store sensitive data. Managing Material Risks and Integrated Overall Risk Management We have developed an Information Security Program (the Program ) as part of our overall risk assessment and Enterprise Risk Management (“ERM”) to address material risks from potential cybersecurity threats, as well as to facilitate the governance and oversight of cybersecurity risks. The Program, which is administered by our Chief Risk Officer, includes policies and procedures that identify how security measures and controls are developed, implemented, maintained and assessed. Governance As part of our ERM, our Board of Directors reviews and approves the Program on an annual basis. The Board oversees efforts to develop, implement, and maintain an effective Information Security Program, including reviewing management s reporting on Program effectiveness. In addition to a Privacy and Security Governance Committee, we also have Governance, Risk, Information Technology and Compliance functions that monitor and address enterprise risks, including cybersecurity risks. A risk assessment, based on a method and guidance from a recognized national standards organization, is conducted at least annually. The risk assessment, along with risk-based analysis and judgment, are used to select security controls to address and to seek to mitigate risks. Factors considered during this process include, but are not limited to, the likelihood and severity of the risk, the impact on the Company and others, such as our customers, if a risk materializes, the feasibility and cost of controls, and the impact of controls on our operations. Engaging Third Parties on Risk Management Specific controls that address cybersecurity risks include endpoint threat detection and response, identity and access management, logging and monitoring involving the use of security information and event management, multi-factor authentication, conditional access, firewalls and intrusion detection and prevention, and vulnerability and patch management. We engage third-party security firms in different capacities to provide or operate some of these controls, such as vulnerability assessments, penetration testing and other procedures to identify potential weaknesses in our systems and processes. In addition, as a financial institution, we conduct appropriate due diligence and monitoring procedures to address potential cybersecurity threats related to the use of third-party technology and outsourced services, including pre-acquisition due diligence, imposition of contractual obligations, and performance monitoring. Oversight of Third-party Risk We have processes in place to oversee and manage risks associated with third-party service providers, including risks related to data breaches or other security incidents. This includes conducting security due diligence reviews of critical third-party providers, subjecting third parties to periodic risk assessments and requiring third parties to sign standard contractual provisions before receiving sensitive information from the Company. Risk from Cybersecurity Treats We recognize that individual employees are frequent targets of threat actors. We regularly train employees on the importance of protecting our information, and communicate with our customers and employees on the importance to protect information and enhancing cybersecurity through security campaigns, newsletters, posters and ad-hoc communications. If specific threats are identified, management may communicate those threats directly to employees for heightened awareness. Our cybersecurity program requires employees to review and acknowledge information security and privacy policies annually, complete multiple cybersecurity training courses throughout the year, and participate in mock phishing campaigns regularly. We also have a written Incident Response Plan and conduct tabletop exercises to enhance incident response preparedness. Business Continuity and Disaster Recovery plans are used to prepare for the potential for a disruption in technology we rely on. Employees undergo security awareness training when hired and annually. While to-date we have not experienced a significant cybersecurity incident, significant data loss or any material financial losses related to cybersecurity attacks on our systems and those of our customers and third-party service providers are under constant threat, and it is possible that we could experience an incident in the future that could have a material adverse effect on our business strategy, results of operations and financial condition. See also Item 1A, Risk Factors Technology Risks. As a financial institution (or third parties it relies on) we may not be able to fully, continuously, and effectively, implement security controls as intended. As described above, we utilize a risk-based approach and judgment to determine the security controls to implement and it is possible we may not implement appropriate controls if we do not recognize or underestimate a particular risk. In 30 Table of Contents addition, security controls, no matter how well designed or implemented, may only mitigate, and not fully eliminate risks. And events, when detected by security tools or third parties, may not always be immediately understood or acted upon.

Company Information