Catalyst Bancorp, Inc. 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

Catalyst Bancorp, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 14:01:00 EDT.

Filings

10-K filed on 2024-03-28

Catalyst Bancorp, Inc. filed an 10-K at 2024-03-28 14:01:00 EDT
Accession Number: 0001558370-24-004220

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity The Bank, as part of its risk management process, has implemented an information security program that encompasses the Bank s cybersecurity efforts. The Bank s goals of confidentiality, availability and integrity of its information are key to this process and program. The Bank s goals of protecting confidential information and safeguarding our digital assets are foundational objectives of the program. The Boards of Directors of the Company and Bank and the Audit Committee of the Company are responsible for ultimate oversight of cybersecurity risks managed daily by management pursuant to the Bank s information security program. The Boards of Directors annually approve this information security program and regularly receive a report from the Bank s Information Security Officer that outlines the steps undertaken to protect the information and data assets of the Bank and Company. Additionally, the Information Security Officer updates the Boards of Directors through supplementary reports on issues related to Cybersecurity readiness. The Bank s information security program is developed and implemented by the Bank s Information Security Officer. Together with the Bank s Information Technology Committee, comprised of relevant information technology and business unit stakeholders within Bank management, the Information Security Officer of the Bank works to manage, control and mitigate cybersecurity risks. The Bank s employees are regularly trained on cybersecurity awareness, and testing is performed to monitor the success of the training. The Board of Directors receives training annually. The Bank engages trusted third parties to audit and examine its processes, review the security of its network infrastructure, and assist the Bank in designing and implementing robust cybersecurity systems. These trusted third parties help the Bank improve and test its cybersecurity readiness. The Bank engages third party vendors to monitor and test its network infrastructure. These third-party vendors take an active role in ensuring that the Bank s systems are protected by testing, reviewing and advising the Bank to strengthen cybersecurity controls when necessary. The Bank has a vendor oversight risk management process that helps to validate the security and integrity of information collected and maintained by third party vendors that the Bank uses to provide banking services. A key goal of the Bank s vendor management program includes assessing risks, which include but are not limited to operational, strategic, reputational, cyber, and credit risks. These processes are supported by specialized vendors that assist the Bank s management and Board of Directors with properly assessing these risks. Finally, the Bank also has an incident response and business continuity program that is intended to address operational concerns, including cybersecurity risks, during contingency scenarios that may create unknown circumstances. This program is tested annually. Although the Company and Bank have not, as of the date of this Annual Report on Form 10-K, experienced a cybersecurity threat or incident that materially affected their business strategy, results of operations or financial condition, there can be no guarantee that the Company or Bank will not experience such an incident in the future. As regulated financial institutions, the Company and Bank are also subject to financial privacy laws and their cybersecurity practices are subject to oversight by the federal banking agencies. For additional information, see Supervision and Regulation Cybersecurity included in Part I. Item 1 Business of this report. 23 Table of Contents

Company Information