QUAINT OAK BANCORP, INC. 10-K Cybersecurity GRC - 2024-03-28

Page last updated on March 28, 2025

QUAINT OAK BANCORP, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 17:07:57 EDT.


10-K filed on 2024-03-28

QUAINT OAK BANCORP, INC. filed a 10-K at 2024-03-28 17:07:57 EDT
Accession Number: 0000927089-24-000048


Item 1C. Cybersecurity.

Item 1C. Cybersecurity for annual disclosures.

Consumer Financial Services. The historical structure of federal consumer protection regulation applicable to all providers of consumer financial products and services changed significantly with the establishment of the Consumer Financial Protection Bureau (“CFPB”) as part of the Dodd-Frank Act reforms. The CFPB has broad rulemaking authority for a wide range of consumer protection laws that apply to all providers of consumer products and services, including Quaint Oak Bank, as well as the authority to prohibit “unfair, deceptive or abusive” acts and practices. The CFPB has examination and enforcement authority over providers with more than $10 billion in assets. FDIC-insured institutions with $10 billion or less in assets, like Quaint Oak Bank, continue to be examined by their applicable bank regulators.

Anti-Money Laundering. Federal anti-money laundering rules impose various requirements on financial institutions intended to prevent the use of the U.S. financial system to fund terrorist activities. These provisions include a requirement that financial institutions operating in the United States have anti-money laundering compliance programs, due diligence policies and controls to ensure the detection and reporting of money laundering. Such compliance programs supplement existing compliance requirements, also applicable to financial institutions, under the Bank Secrecy Act and the Office of Foreign Assets Control Regulations. Quaint Oak Bank has established policies and procedures to ensure compliance with the federal anti-laundering provisions.

Regulatory Enforcement Authority. The federal banking laws provide substantial enforcement powers available to federal banking regulators. This enforcement authority includes, among other things, the ability to assess civil money penalties, to issue cease-and-desist or removal orders and to initiate injunctive actions against banking organizations and institution-affiliated parties, as defined. In general, these enforcement actions may be initiated for violations of laws and regulations and unsafe or unsound practices. Other actions or inactions may provide the basis for enforcement action, including misleading or untimely reports filed with regulatory authorities.

Community Reinvestment Act. All insured depository institutions have a responsibility under the Community Reinvestment Act and related regulations to help meet the credit needs of their communities, including low- and moderate-income neighborhoods. An institution’s failure to comply with the provisions of the Community Reinvestment Act could result in restrictions on its activities. Quaint Oak Bank received an “Outstanding” Community Reinvestment Act rating in its most recently completed examination. On October 24, 2023, the federal banking agencies, including the FDIC, issued a final rule designed to strengthen and modernize regulations implementing the CRA. The changes are designed to encourage banks to expand access to credit, investment and banking services in low- and moderate-income communities, adapt to changes in the banking industry including mobile and internet banking, provide greater clarity and consistency in the application of the CRA regulations and tailor CRA evaluations and data collection to bank size and type. Quaint Oak Bank cannot predict the impact the changes to the CRA will have on its operations at this time.

Federal Home Loan Bank System. Quaint Oak Bank is a member of the Federal Home Loan Bank of Pittsburgh, which is one of 11 regional Federal Home Loan Banks. Each Federal Home Loan Bank serves as a reserve or central bank for its members within its assigned region. It is funded primarily from proceeds from the sale of consolidated obligations of the Federal Home Loan Bank System. It makes loans to members (i.e., advances) in accordance with policies and procedures established by the board of directors of the Federal Home Loan Bank. As a member, Quaint Oak Bank is required to purchase and maintain stock in the Federal Home Loan Bank of Pittsburgh in an amount in accordance with the Federal Home Loan Bank’s capital plan and sufficient to ensure that the Federal Home Loan Bank remains in compliance with its minimum capital requirements. At December 31, 2023, Quaint Oak Bank was in compliance with this requirement.

Federal Reserve Board System. The Federal Reserve Board requires all depository institutions to maintain non-interest bearing reserves at specified levels against their transaction accounts, which are primarily checking and NOW accounts, and non-personal time deposits. The balances maintained to meet the reserve requirements imposed by the Federal Reserve Board may be used to satisfy the liquidity requirements that are imposed by the Pennsylvania Department of Banking and Securities. At December 31, 2023, Quaint Oak Bank was in compliance with these reserve requirements.

TAXATION

Federal Taxation

General. Quaint Oak Bancorp and Quaint Oak Bank are subject to federal income tax provisions of the Internal Revenue Code of 1986, as amended, in the same general manner as other corporations with some exceptions listed below. For federal income tax purposes, Quaint Oak Bancorp files a consolidated federal income tax return with its wholly owned subsidiaries on a fiscal year basis. The applicable federal income tax expense or benefit will be properly allocated to each entity based upon taxable income or loss calculated on a separate company basis.

Method of Accounting. For federal income tax purposes, income and expenses are reported on the accrual method of accounting and Quaint Oak Bancorp files its federal income tax return using a December 31 fiscal year end.

Taxable Distributions and Recapture. Prior to the Small Business Job Protection Act, bad debt reserves created prior to January 1, 1988 were subject to recapture into taxable income if a savings bank failed to meet certain thrift asset and definitional tests. New federal legislation eliminated these thrift related recapture rules. However, under current law, pre-1988 reserves remain subject to recapture should a savings bank make certain non-dividend distributions or cease to maintain a savings bank charter. At December 31, 2023, Quaint Oak Bank did not have federal pre-1988 reserves subject to recapture.

Corporate Dividends Received Deduction. Quaint Oak Bancorp may exclude from income 100% of dividends received from a member of the same affiliated group of corporations. The corporate dividends received deduction is 80% in the case of dividends received from corporations, which a corporate recipient owns less than 80%, but at least 20% of the distribution corporation. Corporations that own less than 20% of the stock of a corporation distributing a dividend may deduct only 70% of dividends received.

Other Matters. The Company is no longer subject to examination by taxing authorities for the years before January 1, 2020.

State and Local Taxation

Pennsylvania Taxation. Quaint Oak Bancorp is subject to the Pennsylvania Corporate Net Income Tax. The Corporation Net Income Tax rate for 2023 is 9.99% and is imposed on unconsolidated taxable income for federal purposes with certain adjustments. Quaint Oak Bank is subject to tax under the Pennsylvania Mutual Thrift Institutions Tax Act (the “MTIT”), as amended to include thrift institutions having capital stock. Pursuant to the MTIT, the tax rate is 11.5%. The MTIT exempts Quaint Oak Bank from other taxes imposed by the Commonwealth of Pennsylvania for state income tax purposes and from all local taxation imposed by political subdivisions, except taxes on real estate and real estate transfers. The MTIT is a tax upon net earnings, determined in accordance with U.S. generally accepted accounting principles with certain adjustments. The MTIT, in computing income under U.S. generally accepted accounting principles, allows for the deduction of interest earned on state and federal obligations, while disallowing a percentage of thrift’s interest expense deduction in the proportion of interest income on those securities to the overall interest income of Quaint Oak Bank. Net operating losses, if any, thereafter can be carried forward three years for MTIT purposes.

Item 1A. Risk Factors.

We are marketing for sale our 51% stake in Oakmont Capital Holdings, LLC, primarily to reduce our asset size and increase our capital ratios.

The Bank maintains a 51% ownership interest in Oakmont Capital Holdings, LLC (“Oakmont Capital”), a multi-state equipment finance company based in West Chester, Pennsylvania with a second significant facility located in Albany, Minnesota. We are currently marketing the Bank’s interest in Oakmont Capital for sale in order to reduce our asset size and increase the Bank’s capital ratios. In recent periods, Oakmont Capital has materially contributed to our growth in assets and our non-interest income. While we are currently marketing Oakmont Capital for sale, we may not complete the transaction if we are unable to receive favorable terms for the acquisition. If we complete a sale, we anticipate that our non-interest income will decrease. If we do not complete a sale, we may be required to raise additional capital to support the growth attributable to continued ownership interest in Oakmont Capital. Our ability to raise additional capital, when and if needed, will depend on conditions in the capital markets, economic conditions and a number of other factors, including investor preferences regarding the banking industry, market conditions and governmental activities, many of which are outside of our control, and on our financial condition and performance.

Item 1B. Unresolved Staff Comments.

Not applicable.

Item 1C. Cybersecurity.

Overview. Our Board of Directors and management consider information security and cybersecurity as high priorities in our strategic and operational plans. We understand the critical nature of the confidentiality, integrity, and availability of customer and bank sensitive information. Any loss of confidentiality, integrity, or availability introduces operational, compliance, strategic, transactional, reputational, legal, and capital risks which we actively seek to avoid. It is understood that any one of these risks, if realized, will have a negative impact upon Quaint Oak Bancorp and Quaint Oak Bank. Our approach to information and cybersecurity is proactive and strives to avoid incidents where possible through the use of technical, administrative, and physical controls.

Governance. Our efforts for increased information and cybersecurity readiness are driven from the top of the organization. The Board of Directors reviews and approves an Information Technology and Information Security Risk Appetite Statement which guides the actions of the management team, staff members, and supporting third-party service providers. In addition, the Board is active in the review and approval of all policies concerning information technology and information security. The Board further reviews reports provided by the management team regarding the status of Quaint Oak Bank’s GLBA compliance, risk management program, vendor management program, and the results of tests and exercises conducted for business continuity, disaster recovery, cybersecurity incident response, and pandemic response. Lastly, the Board of Directors reviews and approves the budget for information and cybersecurity, ensuring that we have sufficient resources to properly address all current and foreseeable information and cybersecurity threats.

Management and Strategy. Senior management takes the guidance provided by the Board of Directors and transforms this guidance into operational priorities which are implemented and maintained by the staff members and third-party service providers. In addition, the senior management team ensures that budgeted resources are allocated in a timely manner to support the various security initiatives. Operational Information Technology and Information Security staff members, and third-party service providers utilize the direction and resources provided by the senior management team to develop procedures, standards, and guidelines to achieve the strategic goals defined by the Board of Directors. Operational and security health is reported monthly to Operating Risk and Executive Committees and the Board of Directors. Recommendations for improvements are shared between operational staff and the senior management team as part of a continuous improvement program for information security and cybersecurity. Operational staff members actively maintain, review, update, and exercise plans and procedures designed to enhance our overall business resiliency. All staff members are trained annually on current information and cybersecurity trends, techniques, and their responsibilities to keep our information confidential, accurate, and available.

We also utilize the services of third-party providers to conduct an IT audit, external and internal vulnerability testing, external and internal penetration testing, and social engineering testing on at least an annual basis. The results of these independent audits and tests are sent to the Board of Directors for review. Finally, Quaint Oak Bank complies with its regulatory requirements by having Federal and State safety and security examinations performed on a schedule dictated by the regulatory agencies. The results of these examinations are reviewed and approved by the Board of Directors. Additionally, all findings from these examinations are recorded and prioritized for remediation.

Conclusion. Our Board of Directors and management take very seriously the information security and cybersecurity obligations Quaint Oak Bancorp and Quaint Oak Bank have to their respective customers, shareholders, staff members, and regulatory agencies. In support of these obligations, we have and actively maintain a robust information security and cybersecurity program based upon industry best practices, regulatory requirements, and the expertise of staff members and supporting third-party vendors. To our knowledge, we have not had a cybersecurity incident that has materially affected Quaint Oak Bancorp, its business strategy, financial condition, or results of operation.

Company Information

SIC Description: Savings Institutions, Not Federally Chartered
Ticker: QNTO - OTC
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30