COMMUNITY WEST BANCSHARES / 10-K Cybersecurity GRC - 2024-04-05

Page last updated on April 11, 2024

COMMUNITY WEST BANCSHARES / reported its cybersecurity risk management and governance process in its annual 10-K, filed on 2024-04-05 at 19:33:18 EDT.

Filings

10-K filed on 2024-04-05

COMMUNITY WEST BANCSHARES / filed a 10-K at 2024-04-05 19:33:18 EDT
Accession Number: 0001140361-24-018439


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

We recognize the crucial importance of identifying, assessing, and managing material risks from cybersecurity threats. We are committed to implementing and maintaining a comprehensive cyber and information security program to manage such risks and safeguard our systems and data, including the data of our customers.

Information Security Policies and Procedures

We manage our cybersecurity risk in accordance with our Information Security Program (the "Information Security Program"), which is applicable to all users of our information technology assets, information assets, and facilities, including our directors, officers, employees, temporary workers, business partners, contractors, vendors, service providers, and individuals affiliated with third parties. The Information Security Program includes a dedicated Cybersecurity Incident Response Plan (the "CIRP"), which sets forth the rules and requirements for detecting, investigating, containing, eradicating, and resolving information security incidents, and addresses the response portion of security monitoring. The Information Security Program also includes: (i) a collection of Security Incident Forms (the "Security Incident Forms"), which delineate the processes for reporting, classifying, investigating, documenting, and communicating information security incidents; and (ii) Security Guidelines and Baseline Protections, which establish the rules and requirements for enabling, logging, alerting, and monitoring real-time security alerts and security logs (automated or manual) in connection with security incidents.

Potential information security incidents are identified in a number of ways, including, but not limited to: users reporting security violations, system weaknesses, or violations of our Acceptable Use Policy, which addresses the boundaries of acceptable and unacceptable use of our information technology assets; automated system alerts; and monitoring of both system-generated and manually generated logs. Our Information Security Program mandates that any potential information security incident be reported to IT Management and/or a member of the Information Security Team to initiate the internal communication and investigation stage, during which such events undergo initial investigation for validation, including as to the scope and depth of the incident and to ensure that it has not resulted from a false positive. Internal communications regarding the potential incident are led by the Chief Risk Officer ("CRO") and/or Information Security Officer in accordance with the CIRP. Following this initial stage, we gather and update impact information and related documentation for such incidents. We use an incident classification matrix to determine the initial classification of a potential information security incident, which considers the users, customers, and systems affected, the sensitivity of data at risk, and the potential business impacts to the Company, including financial, legal, regulatory, operational, and reputational impacts. The resulting classification of severity level (S1-Critical, S2-Moderate, or S3-Low) identifies next steps for escalation and communication following the initial investigation of the potential incident. Upon escalation of an incident, per our Information Security Program, the CRO and ISO review and validate the initial determination of the priority of the incident prior to entering into subsequent investigative and response stages.

Upon validation, the CRO or ISO will engage the Company's designated Breach Coach to respond to the incident, and notifications or communications are made to additional personnel or to external entities. Depending on the specific details of any such incident, we may notify additional members of our management team, legal, our board of directors, the Audit Committee, state and federal regulators, technology service providers, and/or the SEC. The timing of such communications varies based on the details of a particular incident and the applicable regulations governing such disclosure. Following this classification and communication stage, we enter the recovery stage to determine containment and a response to the incident; the Company's technology service provider assigns technical staff to address the incident, implement containment, eradicate the incident source, and recover from the incident. Following any such incident, and as determined by the Security Incident Forms, we engage in predefined follow-up activities to communicate with law enforcement and notify impacted third parties and customers, as appropriate, in addition to further investigating the cause of the incident, documenting takeaways, and engaging in remediation. Our Information Security Officer ("ISO") coordinates with other members of our Incident Response Team identified in our Information Security Program to document, validate, respond to, and manage actual or potential security incidents according to their threat classifications as described above, and reports to our board of directors and/or the Audit Committee on a periodic basis. The ISO also provides annual reports on the status of our Information Security Program and its compliance with regulatory requirements to our board of directors in connection with our board's general risk management oversight role, as described in further detail below.

The ISO is responsible for overseeing day-to-day operations of the Information Security Program; coordinating or contributing to reviews, audits, risk assessments, and other risk management material; developing departmental policies and procedures for board approval; and providing periodic updates to our Information Technology Steering Committee, Enterprise Risk Management Committee, and the Board of Directors Audit Committee. The ISO reports to the Chief Risk Officer.

With the approval of the Audit Committee, we also engage third-party assessors, consultants, and auditors in connection with the Company's Information Security Program and in accordance with our Audit Program, including to conduct external and internal penetration testing, independent audits, and risk assessments. The ISO performs information security assessments for third-party service providers that store and/or process our confidential data. These information security assessments include a review of any service organization controls (SOC) reports and proof of the vendor's independent testing of its data protection controls, as well as a review of any exceptions noted and assessment of management responses, results of vulnerability and penetration testing, incident response processes, and third-party data protection controls (which can include, but are not limited to: access reviews and controls, backups, monitoring, encryption standards, and disaster recovery). The review of these areas is taken into account in order to provide an overall information security conclusion and risk rating for the vendor. In addition, we use a combination of technology, policies, procedures, training, and monitoring to promote security awareness and prevent security incidents.

Cybersecurity Risk Oversight

Our business unit managers, with oversight and guidance from our risk management team, are responsible for the development of our policies and procedures and for managing any exceptions to the same. In particular, our ISO, a non-member of the executive management team, oversees information security compliance, as described above. The board of directors of the Company has ultimate oversight of cybersecurity-related risk and activities, including the review and approval of our policies and procedures related to cybersecurity. The Information Security Program is approved on an annual basis. Cybersecurity risk management is also incorporated into our overall enterprise risk management model, which is updated on an annual basis and subject to oversight by our board of directors. In the ordinary course of business, our board of directors receives, at a minimum, annual updates from the ISO regarding the Information Security Program and compliance with relevant regulations, as described above. Both our Information Technology Steering Committee and our Enterprise Risk Management Committee consist of members of the Executive Management Team and department heads with relevant technology experience and meet on a monthly cadence, with minutes, reports, and presentations flowing up to the Board of Directors Audit Committee, which also meets on a monthly cadence. If an incident occurs, depending on its priority as identified through the procedures described above, management may inform our board of directors via the Audit Committee sooner than its next monthly update.

Relevant Regulations

As a regulated financial institution, the Bank is also subject to financial privacy laws, and our cybersecurity practices are subject to oversight by the federal banking agencies. In addition, the SEC recently enacted rules, effective as of December 18, 2023, requiring public companies to disclose material cybersecurity incidents that they experience on Form 8-K within four business days of determining that a material cybersecurity incident has occurred, and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.

Prior Incidents

As of this reporting, the Bank has not experienced any S1-Critical/Material incidents.


Company Information

Name: COMMUNITY WEST BANCSHARES /
CIK: 0001051343
SIC Description: State Commercial Banks
Ticker: CWBC - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30