Page last updated on February 26, 2026
Business First Bancshares, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 13:49:06 EST.
Filings
10-K filed on 2026-02-26
Business First Bancshares, Inc. filed a 10-K at 2026-02-26 13:49:06 EST
Accession Number: 0001624322-26-000018
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

Financial institutions have an obligation to customers, consumers and stakeholders to safeguard the confidentiality, integrity and availability of nonpublic, sensitive information and the information systems used to store, transmit or process such information. Consistent with industry guidelines, such as the National Institute of Standards and Technology Cybersecurity framework, and regulatory requirements, guidelines and standards, b1BANK's cybersecurity program has been adopted to fulfill this obligation by establishing and employing administrative, technical and physical safeguards to maintain a secure and dependable infrastructure and environment. This program focuses on identifying and addressing threats to the company and its customers and contributes corporate decision-making guidance for cybersecurity and risk management objectives. Effectively defending against cybersecurity threats demands a concentrated, collaborative approach and, as such, supplementary programs and processes have been instituted into cybersecurity and risk management strategies.

We employ a multilayered approach to assessing, identifying and managing material risks from cybersecurity threats. These processes include continuous monitoring of global threat intelligence, vulnerability management processes, incident alerting and periodic, independent audits. Our risk assessment methodology evaluates potential impacts to critical systems and sensitive information across operational, financial, legal, and reputational domains, enabling us to determine whether a cybersecurity threat or incident is material. Materiality determinations follow structured criteria consistent with emerging industry practices and SEC guidance.

Security considerations are integrated into our enterprise risk management (ERM) program. Cyber risks are incorporated into the Company's risk taxonomy, risk appetite framework, and enterprise-level risk assessments, ensuring consistency in how operational risks, including technology and security risks, are identified, prioritized, and managed.

We maintain incident response and business continuity plans that provide structured processes to contain, eradicate, and recover from cybersecurity events. These plans are tested at least annually and updated as necessary to reflect emerging threats, operational changes, and regulatory developments.

We also manage cybersecurity risks arising from third-party service providers through a dedicated vendor management program. Service providers are subjected to comprehensive due-diligence reviews, contract controls, and ongoing monitoring.

Governance

Our Board of Directors, through its Risk Committee, provides oversight of cybersecurity risk. The Committee receives quarterly reports from management regarding cybersecurity events, vulnerability trends, risk assessments, and program maturity.

Management of cybersecurity risk is led by our Chief Information Security Officer ("CISO"), who has over 20 years of information security experience and maintains relevant industry certifications. The CISO is responsible for implementing and monitoring the cybersecurity program and reports directly to the Chief Operating Officer ("COO"). Consistent with peer disclosures, our management structure ensures that individuals with appropriate expertise lead cybersecurity functions and regularly communicate with the Board.

Our cybersecurity governance model includes cross-functional committees and working groups responsible for coordinating risk assessments, program enhancements, incident response preparedness, and alignment with regulatory requirements. Security awareness and training programs are mandatory for all employees, reinforcing a security-focused culture across the enterprise.

Cybersecurity Incidents

We assess whether identified cybersecurity incidents are material under applicable regulatory standards. During the reporting period, we did not identify any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Bank. We continue to monitor the evolving threat landscape and adapt our controls accordingly. While immaterial cybersecurity incidents may occur from time to time, our established controls and incident response processes have effectively mitigated these events without material impact.
Company Information
| Name | Business First Bancshares, Inc. |
| CIK | 0001624322 |
| SIC Description | State Commercial Banks |
| Ticker | BFST - Nasdaq |
| Website | |
| Category | Accelerated filer |
| Fiscal Year End | December 31 |