Bridgewater Bancshares Inc 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

Bridgewater Bancshares Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 07:01:01 EST.

Filings

10-K filed on 2024-03-07

Bridgewater Bancshares Inc filed an 10-K at 2024-03-07 07:01:01 EST
Accession Number: 0001558370-24-002663

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. C YBERSECURITY Cybersecurity risk management is an important and continuously evolving focus for the Company. Resources are devoted to protecting and enhancing the security of computer systems, software, networks, storage devices, and other technology assets. The Company s security efforts are designed and tested to protect against, among other things, cybersecurity attacks by unauthorized parties attempting to obtain access to confidential information, destroy data, disrupt, or degrade service, sabotage systems or cause other damage. The Company has implemented precautionary measures and controls reasonably designed to address this increased risk, such as enhanced threat monitoring. The Company continues to make investments and partner with qualified third parties to enhance its cyber defense capabilities to monitor the evolving spectrum of cybersecurity risks in the operating environment, enhance defenses and improve resiliency against cybersecurity threats. The Company actively participates in discussions and simulations of cybersecurity risks and has engaged in efforts to educate all employees on the topic of cybersecurity risks. The Company acknowledges that third parties and clients may also be sources of cybersecurity risk for the Company. As a result, the Company engages in regular and ongoing reviews and discussions with vendors and clients regarding cybersecurity risks and opportunities to improve the Company s cybersecurity posture. The Company maintains a vendor risk management program to identify and help manage any third party cybersecurity risks. Additionally, the Company maintains an Information Security Program designed to prevent, detect, and respond to cyberattacks, and maintains a cybersecurity incident response plan designed to enable the Company to respond to cybersecurity incidents, coordinate such responses with law enforcement and other government agencies, and notify clients and customers, as applicable. The Company s risk and technology teams, led by the Company s CRO and CTO, respectively, are responsible for leading the incident response team, identifying technology and cybersecurity risks, utilizing management s expertise in assessing the materiality of cybersecurity events, and are responsible for the controls to manage threats. The Company s risk team in conjunction with the broader incident response team conduct periodic tabletop exercises and business continuity simulations to train and align on best practices and assessment of potential cyber events. Management utilizes the incident response plan and incident response team to assesses materiality of any cyber event through a qualitative and quantitative assessment. The information security program and overall cybersecurity risk management processes are aligned and integrated into the Company s overall risk profile and appetite through the Company s Enterprise Risk Management Committee. The Company s governance structure is designed to identify, escalate, and mitigate information security risks. Management utilizes its Enterprise Risk Management Committee and IT Steering Committee, comprised of senior leaders including the Company s CRO, CTO, CFO, and other leaders with cybersecurity expertise, to disseminate information and monitor information security efforts throughout the Company. Each committee s charter, in addition to the Information Security Policy, establishes roles and responsibilities related the Company s cybersecurity governance and program. The risk team provides oversight of the Company s activities designed to identify, assess, measure, and mitigate cybersecurity risk. The Company s Information Security Program includes training that reinforces the Company’s Information Security Program policies, standards, and practices, as well as the expectation employees comply with these policies. The technology team engages employees through training on how to identify potential cybersecurity risks and protect the Company s resources and information. This training is mandatory for all employees, and is supplemented by various testing initiatives, including social engineering testing. Finally, the Company provides specialized security training for certain employee roles such as system administrators and all information security training is monitored and reported on by the risk team as well as the Company s learning and development function. The Company s management team is responsible for the day-to-day management of cybersecurity risks faced by the Company. In addition, our Board, as a whole and through its Audit Committee, is responsible for the oversight of cybersecurity risks. In that role, the Board and Audit Committee are responsible for ensuring that the risk management processes designed and implemented by management are adequate and functioning as designed. To carry out those duties, Board and Audit Committee receive periodic updates on the Company s Information Security Program, 45 Table of Contents cybersecurity policies and practices, ongoing efforts to improve security, as well as the Company s efforts to prevent, detect, mitigate, and remediate significant cybersecurity incidents. Risks from cybersecurity threats, including any previous cybersecurity events, have not materially affected the Company or its business strategy, results of operations or financial condition. Notwithstanding the comprehensive approach that the Company takes to address cybersecurity risk, the Company may not be successful in preventing or mitigating a future cybersecurity incident that could have a material adverse effect on the Company or its business strategy, results of operations or financial condition.

Company Information