BROADWAY FINANCIAL CORP DE 10-K Cybersecurity GRC - 2024-05-20

Page last updated on July 16, 2024

BROADWAY FINANCIAL CORP DE reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-20 15:18:29 EDT.

Filings

10-K filed on 2024-05-20

BROADWAY FINANCIAL CORP \DE\ filed a 10-K at 2024-05-20 15:18:29 EDT
Accession Number: 0001140361-24-026827


Item 1C. Cybersecurity.

In the ordinary course of business, we rely on electronic communications and information systems to conduct our operations and to store sensitive data. We employ an in-depth, layered, defensive approach that leverages people, processes, and technology to manage and maintain cybersecurity controls. We employ a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected persistent threats. Notwithstanding the strength of our defensive measures, the threat from cybersecurity attacks is severe, attacks are sophisticated and increasing in volume, and attackers respond rapidly to changes in defensive measures. While to date we have not experienced a significant compromise, significant data loss or any material financial losses related to cybersecurity attacks, our systems and those of our customers and third-party service providers are under constant threat and it is possible that we could experience a significant event in the future. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of internet banking, mobile banking and other technology-based products and services by us and our customers.

The security and maintenance of our information technology systems is important to our operations and business strategy. To this end, we have implemented processes designed to assess, identify, and manage risks from potential unauthorized occurrences on or through our information technology systems that may result in adverse effects on the confidentiality, integrity, and availability of these systems and the data residing therein. These processes are managed and monitored by a dedicated information technology team, which is led by our Chief Information Security Officer, and includes mechanisms, controls, technologies, systems, and other processes designed to prevent or mitigate data loss, theft, misuse, or other security incidents or vulnerabilities affecting the data and to maintain a stable information technology environment. For example, we conduct penetration and vulnerability tests, data recovery tests, security audits, and ongoing risk assessments, including due diligence on our key technology vendors, contractors, and suppliers. We conduct regular employee training on cybersecurity and information security, among other topics. In addition, we consult with outside advisors and experts, when appropriate, on a regular basis to assist with assessing, identifying, and managing cybersecurity risks, including anticipated future threats and trends, and their estimated impact on the Company’s risk environment.

Our Chief Information Security Officer, who reports to the Chief Operating Officer, has over 27 years of experience managing information technology and cybersecurity matters and is experienced in cloud, infrastructure management, business operations, and cybersecurity, and, together with our Information Technology Steering Committee, is responsible for assessing and managing cybersecurity risks. We consider cybersecurity, along with other significant risks that we face, within our overall enterprise risk management framework. We have not identified risks from known cybersecurity threats, including as a result of prior cybersecurity incidents, that have materially affected us, and we face ongoing cybersecurity risks threats that, if realized, are reasonably likely to materially affect us. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A “Risk Factors.” under the heading “Systems failures, interruptions and cybersecurity breaches in our information technology and telecommunications systems and of third-party service providers could have a material adverse effect on us.”

The Board of Directors, as a whole and at the committee level, has oversight for the most significant risks facing us and for our processes to identify, prioritize, assess, manage, and mitigate cybersecurity risks. The Risk and Compliance Committee is a board-level committee designated by our board to oversee cybersecurity risks. The Risk and Compliance Committee receives updates on cybersecurity matters at least quarterly, and our processes require ad hoc updates within two days of a breach as part of the Bank’s cybersecurity risk management strategy designed to protect the information and assets that are critical to our business. The full Board of Directors receives an Annual Report from the Chief Information Security Officer on the Bank’s Information Technology Systems, including cybersecurity risk.


Company Information

Name: BROADWAY FINANCIAL CORP \DE\
CIK: 0001001171
SIC Description: Savings Institution, Federally Chartered
Ticker: BYFC - Nasdaq
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30