1st FRANKLIN FINANCIAL CORP 10-K Cybersecurity GRC - 2024-04-01

Page last updated on April 11, 2024

1st FRANKLIN FINANCIAL CORP reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-04-01 16:49:04 EDT.

Filings

10-K filed on 2024-04-01

1st FRANKLIN FINANCIAL CORP filed a 10-K at 2024-04-01 16:49:04 EDT
Accession Number: 0000038723-24-000047


Item 1C. Cybersecurity.

RISK MANAGEMENT AND STRATEGY

1st Franklin is committed to maintaining the confidentiality, integrity and availability of our data and information systems. We understand the risks presented by existing and emerging cybersecurity threats against our electronic infrastructure and the information it stores and processes, as well as against our customers and employees. We also recognize that there are cybersecurity risks associated with remote work environments which are utilized by some of 1st Franklin's employees, our use of cloud-based infrastructure and networks, and our use of third parties to support our operations. As a part of our overall risk management processes, we have implemented a comprehensive cybersecurity program designed to identify and manage cybersecurity risks. This program includes a robust risk assessment process designed to identify security vulnerabilities, incorporates regulatory requirements and also provides the foundation for the Information Security department's annually updated multi-year project roadmap, which is used to continually enhance 1st Franklin's cybersecurity program to respond to new threats and challenges. We employ a comprehensive set of cybersecurity policies and guidelines and a strong security training and awareness program to communicate policy directives and current threats to 1st Franklin employees. Additionally, we have a strong due diligence and risk assessment process to identify and manage risks associated with our use of third-party service providers.

Some of the other features of our cybersecurity program include:

- Monthly phishing simulations and additional training as required for incorrect identification of phishing attempts
- Ongoing vulnerability scanning and annual penetration testing of our internal and external environments
- IDS/IPS (Intrusion Detection System / Intrusion Prevention System)
- Firewalls
- Endpoint Detection and Response
- 24x7x365 Security Operations Center
- Security Incident and Event Monitoring
- Cloud alerting and monitoring
- Disaster recovery and business continuity planning and backup strategy
- Incident response process
- Network segmentation
- Data classification labeling and data loss prevention
- Privileged access management
- Secure builds
- Multi-factor and adaptive authentication
- Physical security
- Internet filtering, email spam filtering and anti-phishing
- Brand protection and phishing takedown service
- Database security
- Data transfer and encryption

Additionally, we maintain cybersecurity insurance coverage to help mitigate risk in the event of a potential breach or attack. Although we maintain insurance coverage at levels we deem appropriate for our business, it is possible that such coverage could be insufficient to cover all losses or types of claims that may arise.

We have experienced targeted and non-targeted cybersecurity attacks in the past, and we could experience similar attacks in the future. As previously disclosed, we suffered a cyber-attack against certain systems within our network environment in November 2022. The attack temporarily affected operations and caused delays in originating loans at some locations. During the incident, the attackers had access to the PII of certain Company employees, customers and investors. We contained the harm caused by the incident, quickly restored our business operations, and provided timely notifications to affected individuals, entities, and governmental agencies as required by law.

Following the cyber-attack, we began undertaking significant remediation efforts and other steps to enhance our cybersecurity and data security infrastructure. Five (5) putative class action lawsuits were filed in the United States District Court in the Northern District of Georgia against the Company alleging harm from the cyber-attack. The Court consolidated all cases into one, and after extensive motion practice, administratively dismissed the consolidated case in full in January 2024. The Plaintiffs have asked the Court to reconsider its dismissal. To date, the Company's cyber insurance policy has covered and paid all material costs and expenses related to the class action litigation. Other than as described above, we do not believe any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the Company or our business strategy, results of operations, or financial condition. We continue to enhance our data security infrastructure and take further steps to prevent unauthorized access to our systems and the data we maintain. For additional information regarding the risks from cybersecurity threats we face, see "Risks Related to Our Business: We could incur significant liability, and our business, financial condition, results of operations and reputation could be harmed, if our information systems are breached or we otherwise fail to protect customer, investor, employee or Company data or systems" under Part I, Item 1A. Risk Factors above.

GOVERNANCE

The Board of Directors maintains the ultimate responsibility for oversight of the Company's risks, including cybersecurity risks. The Board regularly receives presentations on matters of cybersecurity risk from management. Management discusses matters of particular importance or concern as they may be materially impacted by risk on an ongoing basis, and members of the Company's Executive Leadership Team ("ELT") are also available to members of the Board for discussion and review both during meetings of the Board of Directors and at other times.

The Company's information security efforts are led by our Chief Information Security Officer ("CISO"). The CISO meets at least quarterly with each of the Board of Directors, the ELT, and the Senior Leadership Team ("SLT"), facilitating the Company's robust cybersecurity oversight and strategies that help us to assess, identify, and manage cybersecurity risks. This includes performing tabletop exercises at least annually with the Board and with the SLT to evaluate our incident response processes and keeping them informed of the evolving threat landscape and how 1st Franklin is managing such risks. Our current CISO is a veteran security professional with over 30 years of information technology and information security experience. Prior to joining 1st Franklin, she worked at one of the largest banks in Canada and the U.S., where she was initially the Head of Application Security and later the Head of Cyber Innovation and Emerging Technologies. Prior to that, she also worked for two multinational banks in New York City in information security and information technology roles. The CISO is supported by a team of highly technical and experienced security professionals who are responsible for implementing and maintaining the security program for 1st Franklin, including security engineers, a cybersecurity analyst and a VP of Information Security.


Company Information

Name: 1st FRANKLIN FINANCIAL CORP
CIK: 0000038723
SIC Description: Personal Credit Institutions
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30