USCB FINANCIAL HOLDINGS, INC. 10-K Cybersecurity GRC - 2024-03-22

Page last updated on April 11, 2024

USCB FINANCIAL HOLDINGS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-22 15:09:17 EDT.

Filings

10-K filed on 2024-03-22

USCB FINANCIAL HOLDINGS, INC. filed an 10-K at 2024-03-22 15:09:17 EDT
Accession Number: 0001562762-24-000061

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Overview Customers depend on the Company to properly protect nonpublic personal information gathered and stored in connection with the services we provide. The Company realizes that cyber incidents can have financial, reputational, legal, and operational impacts that can significantly adversely affect our customers, capital, and earnings. Therefore, we integrate cybersecurity processes throughout the Company as part of our enterprise-wide governance process. Regulatory agencies are charged with ensuring the Company s cybersecurity controls and procedures are compliant with the intent of the cybersecurity expectations set forth by the Federal Financial Institutions Examination Council ( FFIEC ). The FFIEC framework offers a set of guidelines and best practices to help financial institutions manage and mitigate cybersecurity risks effectively. It focuses on ensuring the confidentiality, integrity, and availability of sensitive information and systems. The Information Security Officer ( ISO ) is an integral member of the Risk Management and Compliance Department ( RMCD ) of the Bank and who provides expert counsel on matters of cybersecurity and presents periodic reports to the Risk Committee of our Board of Directors. As part of the program, periodic risk assessments are performed to determine the Company s inherent and residual cybersecurity risk, the maturity level of the program, the risk of cyber threats, and the effectiveness of controls currently in practice. The Company utilizes the National Institute of Standards and Technology ( NIST ) Framework and the FFIEC s Cybersecurity Assessment Tool to help management identify its risks and determine the Company s cybersecurity posture. Through the implementation of rigorous procedures and controls, augmented by ongoing training initiatives for both management and staff, the institution cultivates a safe cybersecurity environment. This approach encompasses diverse methodologies including defense-in-depth and proactive security awareness training aimed at fortifying the institutions cybersecurity controls and fostering a resilient operational framework. Assessment and Response to Cybersecurity Threats It is the policy of the Company and its technology service providers ( TSPs ) to ensure they can identify, mitigate, and respond to cyber-attacks involving destructive malware and invasive attacks such as phishing, ransomware, malware, DDoS attacks, etc. This commitment aligns with the Company s risk appetite, Incident Response Policy, and Business Continuity Plan, which incorporates business continuity planning and testing activities to enhance response and recovery capabilities. The Company realizes that it faces a variety of risks from cyber-attacks involving destructive malware, including liquidity, capital, operational, and reputation risks, due to events such as fraud, data loss, and disruption of customer service. As such, it is the policy of the Company to ensure that its risk management processes, and business continuity planning address these risks by: Establishing a comprehensive governance program encompassing policies and procedures to administer and oversee the information/cybersecurity programs to ensure adherence to regulatory guidance and industry best practices. Securely configuring systems and services to mitigate the impact of cyberattacks. This includes measures such as logical network segmentation, hard backups, maintaining an inventory of authorized devices and software, and physical segmentation of critical systems. Consistency in system configuration fosters a secure network environment by removing or disabling unused applications, functions, or components. Implementing and testing controls around critical systems on a regular basis to ensure appropriate access control and segregation of duties. Limits on sign-on attempts for critical systems are enforced, with accounts being locked upon threshold exceedance. Alert systems notify of baseline control changes on critical systems, with the effectiveness and adequacy of controls periodically tested and the results reported to Senior Management and, if applicable, the Risk Committee, along with recommended risk mitigation strategies and progress to remediate findings. Performing security monitoring, prevention, and risk mitigation activities to ensure the effectiveness of protection and detection systems. This includes maintaining up-to-date intrusion detection systems, antivirus protection, and properly configured firewall rules. Systems are monitored to identify, prevent, and contain attack attempts from all sources. Table of Contents 45 USCB Financial Holdings, Inc. 2023 10-K Maintaining robust business continuity planning processes to swiftly recover, resume, and maintain operations post- cyber-attack incidents involving destructive malware. These processes encompass data and business operations recovery, network capability rebuilding, and data protection for offline backups in the event of cyber-attacks impacting the Company or its critical service providers. Conducting ongoing information security risk assessments to address new and evolving threats to online deposit and loan accounts. This involves identifying, prioritizing, and assessing risks to critical systems, including threats to applications controlling various system parameters and implementing necessary security prevention measures. Reviewing, updating, and testing incident response and business continuity plans annually to ensure effectiveness. Testing encompasses both in-house and third-party processor scenarios to validate employee understanding of responsibilities and adherence to Company protocols. Executive Oversight and Roles The responsibility for adopting and maintaining an effective cybersecurity program is assigned to the RMCD, who collaborates with functional area management, departmental level managers, and other relevant staff. Management Committees and the Board of Directors review reports submitted by the RMCD detailing the Company s inherent and residual cybersecurity risk, program sophistication level, and high-risk threats identified in the cybersecurity risk assessment. The Board oversees the development and maintenance of the information security program, holding management accountable. Management committees ensure program integration and effectiveness, with the RMCD responsible for cybersecurity controls and procedures. The Board receives regular reports on cybersecurity risk assessment and program updates, providing expectations and requirements to management and holding them accountable for oversight and coordination, assignment of responsibility, and the effectiveness of the information and cybersecurity security program. Annually, or as required, the RMCD provides a comprehensive report to the Board or a designated committee regarding the status of the cybersecurity program. This report encompasses internal assessments, utilization of the FFIEC Cybersecurity Assessment Tool, discussion of significant program matters such as the annual risk assessment, risk management decisions, monitoring of service provider compliance, results of key controls testing, security breaches or violations, management’s responses, and recommendat ions for program enhancements. Engagement with Third Party Vendors “Private information,” which is part of the “Internet Security and Privacy Act” and considered “Highly Sensitive Information” under the Company s definition, must not be released as storable data to third-party consultants without security procedures that demonstrate compliance with the Company’s third-party diligence in protecting the data and ensuring its proper distribution when no longer needed. “Private or highly sensitive information” refers to personal information (e.g., information concerning an individual which, because of name, number, symbol, mark, or other identifier, can be used to identify an individual) in combination with any one or more of the following data elements: (1) social security number (2) driver s license number or non-driver identification card number (3) account number, credit or debit card number, in combination with any required security code, access code, or password which would permit access to an individual s financial account(s) at the Company including but not limited to an individual s deposit and loan accounts. It does not include publicly available information that is lawfully made available to the public from federal, state, or local government records unless attached in any way to the previously mentioned documentation. Compliance with Regulatory Standards Annual testing or more frequently if deemed necessary of cybersecurity controls and procedures will be conducted to ensure compliance. In instances of identified deficiencies or vulnerabilities, remedial action plans will be implemented to rectify issues or establish mitigating controls. Any exceptions deemed significant will be promptly reported, with remediation efforts prioritized. Annually, or as required, the RMCD will provide a comprehensive report to the Board or a designated committee regarding the status of the cybersecurity Program. This report will encompass internal assessments, utilization of the FFIEC cybersecurity Assessment Tool, and discussion of other significant program matters. As of the reporting period, there is no knowledge or indication that customer sensitive information was compromised as a result of third-parties system vulnerabilities. Management continues to monitor developments and vendor communications. Table of Contents 46 USCB Financial Holdings, Inc. 2023 10-K

Company Information