BYLINE BANCORP, INC. 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

BYLINE BANCORP, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 17:18:14 EST.

Filings

10-K filed on 2026-02-27

BYLINE BANCORP, INC. filed a 10-K at 2026-02-27 17:18:14 EST
Accession Number: 0001193125-26-083194


Item 1C. Cybersecurity.

In the ordinary course of business, we rely on electronic communications and information systems to conduct our operations and to store sensitive data.

Managing Material Risks and Integrated Enterprise Risk Management

We have developed an Information Security Program (the "Program") as part of our overall Enterprise Risk Management ("ERM") framework to address material risks from potential cybersecurity threats, including threats utilizing generative AI, and to facilitate the governance and oversight of cybersecurity risks. The Program is administered by our Chief Risk Officer, Ms. Michelle Johnson, and includes policies and procedures that identify how security measures and controls are developed, implemented, maintained and assessed, and the Company's response readiness about potential and actual cyber threats and incidents.

Governance

As part of our Risk Governance and ERM, our Board of Directors reviews and approves the Program on an annual basis. The Board oversees efforts to develop, implement, and maintain an effective Information Security Program, including reviewing management's reporting on Program effectiveness. In addition to Board oversight, we also have Governance, Risk, Information Technology, Information Security, and Compliance functions that monitor and address enterprise risks, including cybersecurity risks. A risk assessment, based on a method and guidance from a recognized national standards organization, is conducted at least annually. The risk assessment, along with risk-based analysis and judgment, are used to select security processes and controls to address and to seek to mitigate risks. Factors considered during this assessment include, but are not limited to, the likelihood and severity of the risk, the impact on the Company and others, such as our customers and employees, if a risk materializes, the feasibility and cost of controls, and the impact of controls on our operations.
Engaging Third Parties on Risk Management

Specific controls and procedures that address and seek to mitigate cybersecurity risks include endpoint threat detection and response, identity and access management, logging and monitoring involving the use of security information and event management, multi-factor authentication, conditional access, penetration testing, firewalls and intrusion detection and prevention, vulnerability and patch testing and management, and employee awareness and training. We engage third-party security firms in different capacities to provide or operate some of these controls, such as vulnerability assessments and audits, penetration testing and other procedures to identify potential weaknesses in our systems and processes. In addition, as a financial institution, we conduct appropriate due diligence and monitoring procedures to address potential cybersecurity threats related to the use of third-party technology and outsourced services, including pre-acquisition due diligence, imposition of contractual obligations, and performance monitoring.

Oversight of Third-Party Risk

We have processes in place to oversee and manage risks associated with third-party service providers, including risks related to data breaches or other security incidents. This includes conducting security due diligence reviews of critical third-party providers, subjecting third parties to periodic risk assessments and requiring third parties to sign standard contractual provisions before receiving sensitive information from and about the Company.

Risk from Cybersecurity Threats

We recognize that individual employees are frequent targets of threat actors. We regularly train employees on the importance of protecting our information, and also regularly communicate with our customers and employees. If specific threats are identified, management may communicate those threats directly to employees for heightened awareness.
Our cybersecurity program requires employees to review and acknowledge information security and privacy policies annually, complete multiple cybersecurity training courses throughout the year, and participate in mock phishing campaigns regularly. We also have a written Incident Response Plan and conduct tabletop exercises to enhance incident response preparedness and readiness. Business Continuity and Disaster Recovery plans are used to prepare for the potential for a disruption in technology we and our customers rely on. Employees undergo security awareness training when hired and annually. While to date we have not experienced a material cybersecurity threat, incident, significant data loss or any material financial losses related to cybersecurity attacks on our systems and those of our customers and third-party service providers, we are under constant threat, and it is possible that we could experience an incident in the future that could have a material adverse effect on our business strategy, results of operations and financial condition. See also Item 1A., "Risk Factors - Technology Risks". As a financial institution we may not be able to fully, continuously, and effectively implement security controls as intended. We utilize a risk-based approach and judgment to determine the security controls, processes and procedures to implement as part of the Company's overall ERM, and it is possible we may not implement appropriate controls if we do not recognize or underestimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate, and not fully eliminate risks. Additionally, events when detected by security tools or third parties may not always be immediately understood or acted upon.


Company Information

Name: BYLINE BANCORP, INC.
CIK: 0001702750
SIC Description: State Commercial Banks
Ticker: BY - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: