1st FRANKLIN FINANCIAL CORP 10-K Cybersecurity GRC - 2025-04-29

Page last updated on April 30, 2025

1st FRANKLIN FINANCIAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-04-29 19:39:10 EDT.

Filings

10-K filed on 2025-04-29

1st FRANKLIN FINANCIAL CORP filed a 10-K at 2025-04-29 19:39:10 EDT
Accession Number: 0000038723-25-000048


Item 1C. Cybersecurity.

RISK MANAGEMENT AND STRATEGY

1st Franklin is committed to maintaining the confidentiality, integrity and availability of our data and information systems. We understand the risks presented by existing and emerging cybersecurity threats against our electronic infrastructure and the information it stores and processes, as well as against our customers and employees. We also recognize that there are cybersecurity risks associated with remote work environments which are utilized by some of 1st Franklin’s employees, our use of cloud-based infrastructure and networks, and our use of third parties to support our operations.

As a part of our overall risk management processes, we have implemented a comprehensive cybersecurity program designed to identify and manage cybersecurity risks. This program includes a robust risk assessment process designed to identify security vulnerabilities, incorporates regulatory requirements and also provides the foundation for the Information Security department’s annually updated multi-year project roadmap, which is used to continually enhance 1st Franklin’s cybersecurity program to respond to new threats and challenges. We employ a comprehensive set of cybersecurity policies and guidelines and a strong security training and awareness program to communicate policy directives and current threats to 1st Franklin employees. Additionally, we have a strong due diligence and risk assessment process to identify and manage risks associated with our use of third-party service providers.

Some of the other features of our cybersecurity program include:

- Monthly phishing simulations and additional training as required for incorrect identification of phishing attempts
- Ongoing vulnerability scanning and annual penetration testing of our internal and external environments
- IDS/IPS (Intrusion Detection Device / Intrusion Prevention System)
- Firewalls
- Endpoint Detection and Response
- 24x7x365 Security Operations Center
- Security Incident and Event Monitoring
- Cloud alerting and monitoring
- Disaster recovery and business continuity planning and backup strategy
- Incident response process
- Network segmentation
- Data classification labeling and data loss prevention
- Privileged access management
- Secure builds
- Multi-factor and adaptive authentication
- Physical security
- Internet filtering, email spam filtering and anti-phishing
- Brand protection and phishing takedown service
- Database security
- Data transfer and encryption

Additionally, we maintain cybersecurity insurance coverage to help mitigate risk in the event of a potential breach or attack. Although we maintain insurance coverage at levels we deem appropriate for our business, it is possible that such coverage could be insufficient to cover all losses or types of claims that may arise.

We have been, and in the future may be, the target of cyberattacks, including the previously disclosed November 2022 cyberattack on the Company and related data breach. We do not believe any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the Company or our business strategy, results of operations, or financial condition. We continue to enhance our data security infrastructure and take further steps to prevent unauthorized access to our systems and the data we maintain.

For additional information regarding the risks from cybersecurity threats we face, see "Risks Related to Our Business - We could incur significant liability, and our business, financial condition, results of operations and reputation could be harmed, if our information systems are breached or we otherwise fail to protect customer, investor, employee or Company data or systems" under Part I, Item 1A. “Risk Factors” above.

GOVERNANCE

The Board of Directors maintains the ultimate responsibility for oversight of the Company’s risks, including cybersecurity risks. The Board regularly receives presentations on matters of cybersecurity risk from management. Management discusses matters of particular importance or concern as they may be materially impacted by risk on an ongoing basis, and members of the Company’s Executive Committee (“EXCO”) are also available to members of the Board for discussion and review both during meetings of the Board of Directors and at other times.

The Company’s information security efforts are led by our Chief Information Security Officer (“CISO”). The CISO meets at least quarterly with each of the Board of Directors, the EXCO, and the Senior Leadership Team (“SLT”), facilitating the Company’s robust cybersecurity oversight and strategies that help us to assess, identify, and manage cybersecurity risks. This includes performing tabletop exercises at least annually with the Board, the EXCO and the SLT to evaluate our incident response processes and keeping them informed of the evolving threat landscape and how 1st Franklin is managing such risks. The CISO is supported by a team of highly technical and experienced security professionals who are responsible for implementing and maintaining the security program for 1st Franklin, including security engineers and a cybersecurity analyst.


Company Information

Name: 1st FRANKLIN FINANCIAL CORP
CIK: 0000038723
SIC Description: Personal Credit Institutions
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30