OptimumBank Holdings, Inc. 10-K Cybersecurity GRC - 2024-03-08

Page last updated on April 11, 2024

OptimumBank Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-08 13:41:41 EST.

Filings

10-K filed on 2024-03-08

OptimumBank Holdings, Inc. filed an 10-K at 2024-03-08 13:41:41 EST
Accession Number: 0001493152-24-009360

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy OptimumBank believes that risk management is a component of our overall governance, and that Information Technology Risk Management (ITRM) is a component of overall risk management. Our institution recognizes that IT (Information Technology) supports most aspects of our business; therefore, effective ITRM is not just limited to technology. Our IT systems connect with affiliates, customers, internal lines of business, third parties (e.g., third-party providers), and the public. IT also creates interdependencies among infrastructure, application, and web content. These independencies affect the decision-making process necessary to support existing products and services and provide for the delivery of new products and services. For all these reasons, IT management is critical to the performance and success of our Institution. Furthermore, ITRM involves more than containing costs and controlling operational risks and does not work in isolation. A financial institution capable of aligning its IT infrastructure to support its business strategy adds value to the institution and positions itself for sustained success. The Institution also recognizes its many strategic challenges in today s marketplace, including cybersecurity threats, further increasing the need for effective ITRM. The Institution s Information Security Program addresses how we assess and manage risk to all information including Non-Public Information (NPI) and other confidential information in every form (written, paper, or digital). We adhere to standards outlined in the Gramm Leach Bliley Act (GLBA) and Federal Financial Institutions Examination Council (FFIEC) Information Security Booklet(s) for the origination, collection, storage, use, transmission, and disposal of sensitive information, including the protection of hardware and infrastructure used to store and transmit such information. Information security promotes the commonly accepted objectives of confidentiality, integrity, and availability (CIA Triad) of information and is essential to the overall safety and soundness of our institution. Information security exists to provide protection from malicious and non-malicious action that increase the risk of adverse effects on earnings, capital, and enterprise value. Our Information Security Program represents the standards, policies, procedures, and guidelines defining our intuition s security requirements and related activities. information. Threat monitoring procedures provide for continual and ad hoc monitoring of threat intelligence communication and systems, effective incident detection and response, and the use of monitoring tools and reports in any subsequent forensic or legal procedures. Management reviews and approves the tools used and the conditions for use, whether developed internally, or outsourced. The Institution actively monitors company networks and systems to detect suspicious or malicious events, including through penetration testing and routine vulnerability scans. Management has developed procedures for obtaining, monitoring, assessing, and responding to evolving threat and vulnerability information. The identification of threats involves the understanding of the sources of threats, their capabilities, and their objectives. Knowledge of threat sources is especially important to help identify vulnerabilities. Vulnerabilities can occur in many areas, such as the system design, the system operation, security procedures, business line controls, and the implementation of the system and controls. 12 We maintain policies and procedures for the safe storage, handling and secure disposal of customer information. Each employee is expected to be responsible for the security and confidentiality of customer information, and we communicate this responsibility to employees upon hiring and regularly throughout their employment. We provide employees with mandatory security awareness training. The curriculum includes the recognition and appropriate handling of potential phishing emails, which could, ultimately, place sensitive consumer/customer, proprietary, and/or employee information at risk. The Company employs a number of technical controls to mitigate the risk of phishing emails targeting employees. We test employees monthly to determine their susceptibility to phishing test emails, and we require susceptible employees to take additional training. Through the IT Steering Committee, management is provided regular reporting for oversight. As part of our information security program, we have adopted an Incident Response Plan ( Incident Response Plan ) which is administered by our Information Security Officer who works in consultation with an Incident Response Team . The Incident Response Plan describes the Institution s processes, procedures, and responsibilities for responding to incidents, including cybersecurity, and identifies team members responsible for assessing potential security incidents, declaring an incident, and initiating a response. The Incident Response Plan outlines action steps for investigating, containing, controlling, responding to, and remediating a cybersecurity incident. Our Plan includes notification procedures for reporting incidents to appropriate stakeholders, including the Company s Executive Management Team and the Board of Directors. Annually, our Incident Response Team performs a tabletop exercise to simulate the Institution s responses to events, including cybersecurity. Each exercise results in lessons learned and subsequent improvement to the Incident Response Plan, as warranted. The Institution s third-party risk management program is appropriate to the nature, size, complexity, and scope of our third-party relationships and provides the internal control framework for management to identify, measure, mitigate, monitor, and report risks associated with the use of third-party providers. Third-party service providers are required to comply with the Company s policies regarding non-public personal information and information security. Third parties processing non-public personal information are contractually required to meet all legal and regulatory obligations to protect customer data against security threats or unauthorized access. While we do not believe that our business strategy, results of operations or financial condition have been materially adversely affected by any cybersecurity incidents, cybersecurity threats are pervasive, and cybersecurity risk has increased in recent years. Despite our efforts, there can be no assurance that our cybersecurity risk management processes and measures described will be fully implemented, complied with or effective in protecting our systems and information. We face risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect our business strategy, result of operations or financial condition. Cybersecurity Governance We recognize our overall security culture contributes to the effectiveness of our Information Security Program. The Board of Directors sets the tone and direction for our institution s use of technology. The Board will initially approve, and periodically review and re-approve, the IT Strategic Plan, Information Security Program, and other IT-related policies. While the Board may delegate the design, implementation, and monitoring or certain IT activities to the IT Steering Committee (ITSC), the Board remains response over overseeing the IT activities and is strongly encouraged to prove a credible challenge to management. To help carry out their responsibilities, the Board will be periodically trained to understand IT activities and risk, including cyber risks. Cybersecurity matters and assessments are regularly included in ITC meetings. The Board s oversight of cybersecurity risk is supported by our Information Security Officer ( ISO ). The ISO attends ITC meetings and provides cybersecurity updates to these Management committees. The ISO also provides annual risk assessments and reports regarding the information security program summary report to the full Board of Directors. The Company s ISO directs the company s Information Security Program and our information technology risk management. In this role, in addition to the responsibilities discussed above, the ISO manages the Company s information security and day-to-day cybersecurity operations and supports the information security risk oversight responsibilities of the Board and its committees. The ISO is also responsible for the Company s information technology governance, risk, and compliance program and ensures that high level risks receive appropriate attention. The Information Security team examines risks to the Company s information systems and assets, designs and implements security solutions, monitors the environment, and provides responses to threats.

Company Information