SOUTHERN FIRST BANCSHARES INC 10-K Cybersecurity GRC - 2024-03-05

Page last updated on April 11, 2024

SOUTHERN FIRST BANCSHARES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-05 16:29:13 EST.

Filings

10-K filed on 2024-03-05

SOUTHERN FIRST BANCSHARES INC filed a 10-K at 2024-03-05 16:29:13 EST
Accession Number: 0001206774-24-000233


Item 1C. Cybersecurity.

We depend heavily on various information systems and electronic resources to conduct our business operations. Additionally, a majority of our clients, service providers, and other business partners on whom we rely, including providers of our online banking, mobile banking, and accounting systems, utilize their own electronic information systems. Any of these systems are susceptible to compromise, whether by employees, clients, or other authorized individuals, as well as by malicious actors employing sophisticated and continuously evolving software, tools, and strategies. Given our status as a financial services provider and our relative size, we and our business partners are considered high-value targets for such malicious actors. For further details, please refer to the Risks Related to Information Security and Business Interruption section of the Risk Factors outlined in Item 1A of this Form 10-K. As a result, we have devoted significant resources to assessing, identifying, and managing cybersecurity risks and threats, including:

- Maintaining policies and procedures regarding security operations and governance through the implementation of an Information Security Program;
- Establishing a committee responsible for security administration, including regular assessments of our systems, existing controls, vulnerabilities, and potential improvements;
- Implementing multi-layered controls to avoid reliance on single controls;
- Utilizing both preventative and detective tools to monitor and block suspicious activity and to alert of potential threats;
- Keeping abreast of new technology and evaluating tools to help respond to threats to cybersecurity in real time;
- Managing and maintaining cybersecurity controls utilizing available people, processes and technology;
- Utilizing a third-party risk management program for purposes of identifying, assessing and managing risks involved with external service providers;
- Conducting thorough due diligence concerning our third-party service providers, including evaluating their cybersecurity practices;
- Collaborating with third-party cybersecurity consultants, who perform regular penetration testing, vulnerability assessments, and other procedures to identify potential weaknesses in our systems and processes;
- Providing regular cybersecurity training for both our employees and Board of Directors.

The Information Security Program, overseen by our Executive Project and Technology Risk Committee (EPTRC), plays a vital role in our overall risk management system. It encompasses administrative, technical, and physical measures aimed at safeguarding the security and confidentiality of client records and information. We also have an Incident Response Plan which is continually updated in response to an ever-changing threat landscape to provide long-term strategies for remediation, prevention of future incidents and resiliency to all types of threats. The incident response team (i) includes subject matter experts to address cyber threats and (ii) includes members of management responsible to monitor threat escalation and identify events that may warrant Board notification and a Form 8-K cybersecurity notice.

Occasionally, we have encountered cybersecurity threats necessitating adjustments to our procedures and the integration of extra safeguards. Although these specific threats or incidents haven't significantly impacted us thus far, it is possible that future threats and incidents we detect could potentially have a material adverse effect on our business strategy, results of operations, and financial condition.

Our management team is tasked with the daily management of the cybersecurity risks we encounter and supervises the EPTRC. Our EPTRC, in turn, oversees the assessment of information security, the creation of policies, standards, and procedures, as well as testing, training, and security reporting processes for our Company. The EPTRC is comprised of management with the appropriate expertise and authority to ensure effective oversight of the Information Security Program.

Furthermore, our Board of Directors, both collectively and through its Risk Committee, holds responsibility for overseeing risk management, including cybersecurity risks. In this capacity, the Board and the Risk Committee, supported by management and third-party cybersecurity advisors, ensure that the risk management processes devised and executed by management are adequate and operational as intended. Annually, the Board reviews and approves our information security program, vendor management policy (including third-party service providers), acceptable use policy, incident response policy, and business continuity planning policy. These policies are developed and implemented by our management team. To fulfill their duties, the Board receives regular updates from the Risk Committee regarding cybersecurity risks and management's endeavors to prevent, detect, mitigate, and address any cybersecurity incidents, at least quarterly.


Company Information

Name: SOUTHERN FIRST BANCSHARES INC
CIK: 0001090009
SIC Description: National Commercial Banks
Ticker: SFST - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 30