Esquire Financial Holdings, Inc. 10-K Cybersecurity GRC - 2024-03-29

Page last updated on April 11, 2024

Esquire Financial Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-29 15:01:41 EDT.

Filings

10-K filed on 2024-03-29

Esquire Financial Holdings, Inc. filed an 10-K at 2024-03-29 15:01:41 EDT
Accession Number: 0001558370-24-004363

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity Cybersecurity Risk, Management and Strategy Cybersecurity is a significant and integrated component of the Company s risk management strategy, designed to protect the confidentiality, integrity, and availability of sensitive information contained within the Company s information systems. As a financial services company, cybersecurity threats are present and growing, and the potential exists for a cybersecurity incident to disrupt business operations, compromise sensitive data or both. To date, the Company has not, to its knowledge, experienced an incident materially affecting or reasonably likely to materially affect the Company. To prepare and respond to incidents, the Company has implemented a multi-layered defense-in-depth cybersecurity strategy, integrating people, technology, and processes. This strategy includes employee training, innovative technologies, and policies and procedures in the areas of information security, data governance, business continuity and disaster recovery, privacy, third-party risk management, and incident response. The Company leverages a variety of industry frameworks and regulatory guidance to develop and maintain its information systems and cybersecurity program, including but not limited to Interagency Guidelines Establishing Information Security Standards, Federal Financial Institutions Examination Council ( FFIEC ) Information Technology Examination Handbook (with particular emphasis on the FFIEC s Information Security and Business Continuity Management Handbooks), FFIEC Cybersecurity Assessment Tool, Gramm-Leach-Bliley Act ( GLBA ) 501(b), and the Center for Internet Security ( CIS ) Critical Controls Framework. In addition, the program leverages certain, third-party benchmarking, audits, and third-party threat intelligence sources to facilitate and enhance the effectiveness of the program. Core activities supporting the Company s strategy include cybersecurity training, technology optimization, threat intelligence, vulnerability and patch management and the testing of incident response, business continuity and disaster recovery capabilities. Employees play a significant role in the defense against cybersecurity threats. Every employee is responsible for protecting the Company and client information. Accordingly, employees complete formal training and acknowledge security policies annually. In addition, employees are subjected to regular simulated phishing assessments, designed to sharpen threat detection and reporting capabilities. Employees are supported with solutions designed to identify, prevent, detect, respond to, and recover from incidents. Notable technologies include firewalls, intrusion detection systems, security automation and response capabilities, user behavior analytics, multi-factor authentication, data backups stored at off-site locations and business continuity applications. Notable services include 24/7 security monitoring and response, continuous vulnerability scanning, third-party monitoring, and threat intelligence. Like many other companies, the Company relies on third-party vendor solutions to support its operations, and these third-party vendors continue to be a source of operational and informational risk. Accordingly, the Company has implemented a third-party risk management program, which includes a detailed onboarding process and periodic reviews of vendors with access to sensitive company data. As indicated above, supporting the operations are incident response, business continuity, and disaster recovery programs. These programs identify and assess threats and evaluate risk. Further, these programs support a coordinated response when responding to incidents. Periodic exercises and tests verify these programs effectiveness. Validating solution and program effectiveness in relation to regulatory compliance and industry standards is important. As such, the Company engages third-party consultants and independent auditors to conduct penetration tests, cybersecurity risk assessments, external audits, and program development and enhancement where applicable. 40 Table of Contents Cybersecurity Governance Management Oversight. The Chief Technology Officer oversees the Information Technology Department which, among other things, is responsible for identifying, assessing and managing material risks from cybersecurity threats and has more than thirty years of experience in the information technology field. The Chief Technology Officer is a member of various management committees and participates in Board of Directors meetings as well as Audit Committee meetings where the overall status of information technology and security is discussed including the related policies and risk assessments. Any material findings related to the risk assessment, risk management and control decisions, service provider arrangements, results of testing, security breaches or violations are discussed as are management s responses and any recommendations for policy and program enhancements. Further, the Chief Technology Officer is a member of the Compliance Committee chaired by the Chief Compliance Officer, which consists of members of senior and executive management, as is it charged with maintaining Bank-wide compliance with relevant statutes, regulations, and interpretations as well as consumer protection. Board Oversight. The Board of Directors is responsible for reviewing the overall policies and practices for risk management, including delegation of oversight for particular areas of risk to the appropriate subcommittees. Collectively, the Board of Directors and its subcommittees are responsible for discussing with management major financial risk exposures as well as significant operational, compliance, reputational, strategic and cybersecurity risks, and the steps management has taken to monitor and manage such exposures to be within the Company s risk tolerance.

Company Information