Live Oak Bancshares, Inc. 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

Live Oak Bancshares, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 20:42:11 EST.

Filings

10-K filed on 2026-02-27

Live Oak Bancshares, Inc. filed a 10-K at 2026-02-27 20:42:11 EST
Accession Number: 0001462120-26-000020


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company maintains a cybersecurity risk management program that is designed to enable us to assess, identify, and manage risk associated with cybersecurity threats (the "Cybersecurity Program"). Our Cybersecurity Program is based on the Cybersecurity Framework promulgated by the National Institute of Standards and Technology and other applicable industry standards. It includes the following elements:

- Identification and assessment of cybersecurity threats based on periodic internal and external assessments and monitoring, information from internal stakeholders, and external publications and resources.
- Technical and organizational safeguards designed to protect against identified threats, including documented policies and procedures, employee training and awareness, and technical controls.
- Processes to detect the occurrence of cybersecurity events and incidents, and maintenance and periodic testing of incident response, recovery, and business continuity plans and processes.
- A third-party risk management program to manage cybersecurity risks associated with our service providers, suppliers, and vendors using a risk-based approach that focuses on cybersecurity risks associated with critical service providers, suppliers, and vendors.

Further, the Company's internal controls, various threat landscapes, internal events and incidents, and emerging risks are periodically reviewed to make adjustments to the Cybersecurity Program as needed. Additionally, annual risk assessments and penetration tests are performed.

Management of Material Risks & Integrated Overall Risk Management

Assessing, identifying, and managing cybersecurity risks is integrated into our overall risk management framework. The Cybersecurity Program is integrated into the Company's Enterprise Risk Management ("ERM") program and framework. Together, these programs are designed to foster a company-wide culture of cybersecurity risk management. Our Information Security team works closely with stakeholders across technology, legal, risk, and business units to implement and monitor controls. See "Governance" below for additional information on processes used by management to monitor cybersecurity incidents.

Engagement of Third Parties in Connection With Risk Management

The Company leverages various third parties to conduct evaluations of our Cybersecurity Program, including security controls. The Company engages a third party to audit its information technology function, which includes an assessment of the Company's cybersecurity efforts. The Company also maintains cybersecurity insurance; however, the costs related to cybersecurity threats or disruptions may not be fully insured. Additionally, the Company engages third parties to perform penetration tests on an annual basis. The Company also periodically engages third parties for assessments of specific products, services, or applications. The Company leverages various software and service providers as part of its Cybersecurity Program that assist with various services, including monitoring third-party suppliers. The Company also receives periodic threat intelligence reports from vendors, peers, and industry information sharing and analysis centers. The Company maintains a relationship with a leading incident response firm to assist the Company in responding to cybersecurity incidents, if appropriate.

Oversight of Third-party Risks

Our third-party service providers, suppliers, vendors, and partners face cybersecurity risks that could impact us. Therefore, the Company has developed and implemented processes to oversee and manage these risks. These processes include performing third-party onboarding due diligence such as risk assessments and information security reviews for critical service providers, suppliers, and vendors, seeking to have third parties agree to contractual requirements designed to ensure cybersecurity and related matters are addressed, and conducting ongoing monitoring and due diligence in accordance with our vendor management and information security policies and standards. As noted above, we use a third party to aid us in monitoring third parties' cybersecurity risk.

Risks from Cybersecurity Threats

As of the date of this report, we have not encountered any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.

Governance

Managing cybersecurity risk is a key focus for the Board of Directors. The Company seeks to ensure effective governance in managing risks associated with cybersecurity threats, as more thoroughly described below.

Board of Directors Oversight

The Risk Committee of the Board of Directors is responsible for the oversight of risks from cybersecurity threats. As described below, where appropriate, strategic risk management decisions are escalated to the Risk Committee, and the Risk Committee receives periodic reports on cybersecurity matters from management.

Management's Role in Cybersecurity Risk Management

Management convenes a standing Information Security Committee to monitor, measure, and report key indicators, risk assessments, and security measures to the management Corporate Risk Committee. Information Security leadership, in conjunction with the Corporate Risk Committee, makes quarterly reports to the Risk Committee of the Board of Directors. Such quarterly reporting may include, but is not limited to, key metrics and risk indicators, penetration test results, risk assessment results, status of ongoing initiatives, incident and notable event reports, compliance with regulatory standards, and operational issues. In addition to quarterly reporting to the Board's Risk Committee, the Company's incident response processes include escalation to management when an incident is suspected.

Risk Management Personnel

Primary responsibility for assessing, monitoring, and managing our Cybersecurity Program rests with the Interim Information Security Officer, supported by two Interim Deputy Chief Information Security Officers and the broader Information Security function. The Chief Information and Digital Officer, Renato Derraik, also serves as Interim Information Security Officer. Mr. Derraik has served as the Bank's Chief Information and Digital Officer since June 2021 and has over 25 years of experience leading technology, digital, and operating model transformations, including leadership roles overseeing digital innovation and transformation at a large financial services company, and advising global organizations on technology and digital transformations. This experience supports his oversight of cybersecurity risk management, including integrating cybersecurity risk considerations into technology strategy, operations, governance, and risk reporting.

The Interim Information Security Officer is supported by Scott McMichael and George Werbacher, who serve as the Interim Deputy Chief Information Security Officers. Mr. McMichael leads cybersecurity risk management and governance, including enterprise cyber risk oversight, training and awareness, portfolio oversight, regulatory alignment, and third-party information security risk management. He brings over 20 years of experience in financial services governance, security, and risk leadership, including senior leadership roles at Capital One Financial Corporation and Navy Federal Credit Union. Mr. McMichael holds a Juris Doctor from the University of Richmond School of Law. Mr. Werbacher leads key security controls and operations, including detection and response, incident management, vulnerability management, and cloud and network security. He brings over a decade of cybersecurity leadership experience across financial services and technology, including senior security roles at Capital One Financial Corporation, Truist Financial Corporation, and Blackbaud Inc. Mr. Werbacher holds a Master of Science in Information Security and Policy Management from Carnegie Mellon University. Mr. McMichael and Mr. Werbacher are both graduates of the Carnegie Mellon Executive Education CISO program.

Monitoring Cybersecurity Incidents

Information Security leadership is continually informed of and monitors cybersecurity risks and incidents through real-time updates, including a partnership with a managed security service provider. Periodic Information Security Committee meetings cover key metrics and risk indicators, penetration test results, risk assessment results, status of ongoing initiatives, incident and notable event reports, compliance with regulatory standards, and operational issues. In the event of a cybersecurity incident, we have an established incident response plan that requires prompt notification to Information Security leadership, who in turn engages with the corporate Incident Response Team (IRT) to respond to the incident. Information Security leadership is also responsible for informing the Information Security Committee of cybersecurity incidents, which in turn reviews the impact of incidents and monitors the Company's mitigation and remediation efforts. Depending on the nature of the incident, this process also provides for escalating notice to the Risk Committee of the Board of Directors. These processes assist management and the Risk Committee in staying informed of and monitoring the prevention, detection, mitigation, and remediation of cybersecurity incidents.

Reporting to Board of Directors

Information Security leadership periodically informs the Information Security Committee, Corporate Risk Committee, and Board's Risk Committee of cybersecurity risks and incidents. This enables the highest levels of management to be kept abreast of the Company's cybersecurity posture and potential risks facing the Company. Furthermore, significant cybersecurity matters and strategic risk management decisions are escalated to the Risk Committee of the Board of Directors, where appropriate.


Company Information

Name: Live Oak Bancshares, Inc.
CIK: 0001462120
SIC Description: State Commercial Banks
Ticker: LOB - NYSE; LOB-PA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31