FVCBankcorp, Inc. 10-K Cybersecurity GRC - 2024-03-21

Page last updated on April 11, 2024

FVCBankcorp, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-21 11:46:27 EDT.

Filings

10-K filed on 2024-03-21

FVCBankcorp, Inc. filed an 10-K at 2024-03-21 11:46:27 EDT
Accession Number: 0001675644-24-000036

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Information security, which includes cybersecurity, is a significant operational risk facing our business. Cybersecurity risks include intentional malicious attacks or unintentional acts that result in an impact to the confidentiality, integrity or availability of our or our clients or third parties’ operations, systems or data. Management assesses and manages material risks from cybersecurity threats through designated management positions and committees that are responsible for overseeing technology and information security. Our Information Security Officer is responsible for information security and cybersecurity risk management. He has over 40+ years of financial services related experience, including 10+ years of experience in cybersecurity program strategy, security architecture and security team leadership. Our Chief Technology Officer, who has over 25+ years of experience in financial services, including 15+ years in information technology, among other duties, is responsible for the security and integrity of systems, applications and databases and coordinates security implementations, monitoring and enforcement in conjunction with the Information Security Officer. We maintain a comprehensive information security policy that is intended to maintain the security and confidentiality of client information, protect against threats to the security or integrity of such information, and protect against unauthorized access to or use of such information. We have a written information security program that is aligned to our information security policy and designed to assess, identify and manage risks that result from cybersecurity threats. Our information security program is centered on preparing for, preventing, detecting, mitigating, responding to and recovering from cyber threats and cyber incidents while ensuring our processes continue to operate effectively. On an annual basis, the Board of Directors reviews and approves our information security program and information security policy. We use the Federal Financial Institutions Examination Council s Cybersecurity Assessment Tool to help us identify our cybersecurity risks and determine our cybersecurity preparedness. This assessment tool incorporates regulatory guidance as well as concepts from other industry standards, including the National Institute of Standards and Technology Cybersecurity Framework. The results of the assessment are used to determine risk management practices and controls in order to align our cybersecurity preparedness to address the identified risks within our risk appetite. We engage a third-party to provide an annual risk assessment of our compliance with interagency guidelines for safeguarding confidential customer information. This risk assessment focuses on our information security program and the controls in place to protect client information. The results of the risk assessment are analyzed and used to improve our information security program where needed. Internal audits, regulatory examinations and third-party assessments of our processes in information technology and information security also help us assess our cybersecurity preparedness and whether risk management practices and controls need adjustment. Risk issues are identified through assessments, audits, examinations and security testing. Findings are tracked and reported to the Bank s Technology Committee, and the Audit Committee of the Board of Directors. We have contracted with various service providers (vendors) who provide a broad range of services, including core banking, communications, collaboration and infrastructure services. We have established a vendor management policy to establish the principles, framework, and guidance for the effective review, engagement, monitoring, and oversight of vendors to ensure that we adequately manage operational, strategic, reputational, and other related risks inherent in outsourcing of services or operations. We manage the cybersecurity risks posed by our use of third-party service providers by conducting periodic risk assessments. We leverage multiple managed security service providers to monitor key system and network activity on a 24 hour basis to detect and alert the information technology team of cyber threats and potential cybersecurity events of concern. In addition to monitoring for security events, cyber threat intelligence sources are analyzed in order to understand potential cyber threats and techniques that may be used in cyberattacks against us and to monitor for such threats. Examples of cyber threat intelligence sources include the Financial Services Information Sharing and Analysis Center, trade organizations, the Cybersecurity and Infrastructure Security Agency, security service providers, vendor alerts, and open-source intelligence sources. The Bank utilizes two cybersecurity tools to detect and prevent successful phishing campaigns. All employees receive semi-annual training covering social engineering, phishing and current scam events, followed by periodic testing. Our cybersecurity risk management processes are integrated into our overall risk management system through our risk management committee structure. These committees have processes to help facilitate appropriate and effective oversight of cybersecurity risk, including tracking and reporting of cybersecurity risks and remediation plans. The Bank 32 Table of Contents maintains a chartered Technology Committee, which is responsible for the oversight of policies and practices relating to the identification, assessment, measurement, monitoring and management of our technology and information security risks. The Technology Committee is chaired by our Chief Technology Officer and members include two members from our Board of Directors, one independent Director and the President, the Information Security Officer, Chief Financial Officer, Chief Banking Officer, and officers of key business systems. The Information Security Officer reports the cyber security status of the Bank to our Board of Directors on a monthly basis. These reports include performance metrics, security events, penetration testing, training, audit results, new system and vulnerability assessments and the identification and remediation of cybersecurity risks. The Information Security Officer also provides information regarding the threat environment and our efforts to detect, prevent and respond to internal and external critical threats The Board of Directors, leveraging the efforts of the Technology Committee, oversees our continuing efforts to strengthen our information security infrastructure and staffing, adhere to regulatory guidelines and enhance our processes, technology controls and cybersecurity defenses. Our Information Security Officer regularly reports to the Board of Directors on security matters, our Risk Management Committee establishes and reviews key cyber risk indicators and performance metrics, and our Technology Committee assesses and disseminates periodic updates on information security risk, the maturity of our information security program, and related investments and results.

Company Information