Bank First Corp 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

Bank First Corp reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 16:15:04 EST.

Filings

10-K filed on 2026-02-27

Bank First Corp filed a 10-K at 2026-02-27 16:15:04 EST
Accession Number: 0001104659-26-021567


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Assessing, identifying and managing material risks from cybersecurity threats is critical for maintaining the security of the Company's data and information systems, and is integrated into our enterprise risk management systems and processes. The Bank's approach to cybersecurity risk management and strategy is based on the Cyber Risk Institute ("CRI") Profile, which is a comprehensive, industry-standard cybersecurity framework tailored for the financial sector to assess risk and ensure regulatory compliance. The CRI incorporates cybersecurity-related principles from the National Institute of Standards and Technology ("NIST") Cybersecurity Framework, regulatory guidance, and concepts from other industry standards. The CRI consists of two parts: Impact tiering, which is used to identify the Bank's cybersecurity maturity expectations; and the risk assessment. Completion of both parts of the CRI allows management and the Board to evaluate whether the Company's cybersecurity risk and preparedness are aligned. The CRI impact tiering is a self-assessment, prompting questions to customize the profile assessment, based on the institution's risk and activities. The risk assessment portion of the CRI contains diagnostic statements grouped by function, category and subcategory. The risk assessment indicates the applicability of each diagnostic statement to each impact tier level. Each statement is given an assessment rating with supporting rationale and evidence provided to justify the rating given. Functions in the risk assessment portion include: (i) Govern; (ii) Identify; (iii) Protect; (iv) Detect; (v) Respond; (vi) Recover; and (vii) Extend.
The Information Security Officer ("ISO") and the Company's management-level Information Technology Committee conduct and review the CRI annually to identify changes to the Company's inherent impact tier and risk profile, and when new threats arise or when considering changes to the business strategy, such as expanding operations, offering new products and services, or entering into new third-party relationships that support critical activities. Consequently, management can determine whether additional risk management practices or controls are needed to maintain or augment the Company's cybersecurity maturity. In an effort to continually share threat intelligence and increase awareness of cybersecurity trends, the Company has also implemented a Cybersecurity Education and Awareness Program. Among others, this program includes the following components:

● Mandatory annual cybersecurity employee training for all employees;
● Training specifically targeted to Senior Management and Information Technology staff;
● Monthly cybersecurity phishing simulation campaigns;
● Quarterly review of emerging security trends by the management-level Risk Management Committee;
● Mandatory annual cybersecurity Board training; and
● Periodic communication to employees highlighting internal control requirements and information about common threats or fraud schemes.

The Company retains external consultants to assist in the development and monitoring processes for assessing, identifying, and managing potential cybersecurity threats. The Company engages third-party service providers to conduct evaluations of security controls including through penetration testing and independent assessments, and to provide consulting regarding recommended practices to address new challenges. The Company also requires third-party service providers to report on cybersecurity incidents so the Bank can assess their impact.
As part of the Bank's vendor management process, the Bank conducts information security due diligence of third parties with whom the Bank will interact, including risk profiling and classification. The Company's vendor risk management program includes regular reviews and oversight of all service providers in accordance with a risk profile classification. To date, we have not experienced a cybersecurity incident that has, or is reasonably likely to have, materially impacted our business strategy, results of operations, or financial condition. Despite our efforts, there can be no assurance that our cybersecurity risk management processes and measures described will be fully implemented, complied with, or effective in protecting our systems and information. We face risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect our business strategy, results of operations or financial condition. Please see Part I, Item 1A. Risk Factors for further discussion of the risks associated with an interruption or breach in our information systems or infrastructure.

Board and Management Governance

The Company's Board of Directors recognizes the importance of maintaining the trust and confidence of our customers, employees, and shareholders, including the risks associated with cybersecurity threats.
The Board of Directors' responsibilities for cybersecurity risk management and strategy, some of which are delegated to the Audit Committee, include the following:

● Engaging management in establishing the Bank's vision, risk tolerance, and overall strategic direction;
● Approving plans to ensure the use of the CRI;
● Reviewing management's analysis of the CRI results, inclusive of any reviews or opinions on the results issued by independent risk management or internal audit functions regarding those results;
● Reviewing management's determination of whether the Bank's cybersecurity preparedness is aligned with its risks;
● Reviewing and approving plans to address and enhance any risk management procedures or controls; and
● Reviewing the results of management's ongoing monitoring of the Bank's exposure to and preparedness for cyber threats.

The Board's oversight of cybersecurity risk is supported by our ISO, who reports directly to the Audit Committee and to the Chief Legal Counsel and shares a co-sourced relationship with a third-party consultant. The ISO attends Audit Committee meetings and provides cybersecurity updates to the Audit Committee. The ISO also provides annual risk assessments and reports regarding the information security program to the full Board. Cybersecurity risk metrics and program updates are reported to management and the Audit Committee on a regular cadence, with periodic director education sessions supporting oversight. The Audit Committee is also involved in oversight of potentially significant cybersecurity incidents, which are evaluated for materiality without unreasonable delay, consistent with SEC rules. The ISO has been with Bank First for over 12 years in various operational and administrative roles. For the past six years, he has served as the Bank's VP-Enterprise Risk Manager, and as ISO for the past three years. In 2022, he earned the Certified Banking Security Manager certification from SBS Cybersecurity.
The ISO works closely with the Chief Information Officer to ensure that the Bank's cybersecurity controls are in line with established internal culture, Board expectations and risk appetite, and all regulatory requirements. The ISO's responsibilities include the following:

● Developing a plan to conduct and complete the CRI on an annual basis;
● Working with the Chief Information Officer to evaluate the results of the CRI;
● Leading employee efforts during the CRI to facilitate timely responses from across the Bank;
● Setting the target state of cybersecurity preparedness that best aligns to the Board of Directors' approved risk tolerance;
● Reviewing, approving, and supporting plans to address risk management and enhancing controls;
● Analyzing and presenting the results of the CRI to the full Board of Directors;
● Providing periodic cybersecurity updates to the full Board of Directors;
● Overseeing the performance of ongoing monitoring to address evolving areas of cybersecurity risk;
● Overseeing frequent testing/auditing activities, cybersecurity risk assessments, vulnerability scanning, penetration testing, monitoring of external threat intelligence and supplier risk sources, and 24/7 incident monitoring to inform our understanding of the cybersecurity risk landscape; and
● Overseeing the Bank's cybersecurity preparedness.

Finally, the Company has established an Information Technology Committee to support the ISO in implementing the CRI, documenting formal action plans to be presented to the Board of Directors, enforcing and implementing the controls established by the CRI, and assisting in ensuring employee compliance with internal controls.


Company Information

Name: Bank First Corp
CIK: 0001746109
SIC Description: National Commercial Banks
Ticker: BFC - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 31