BCB BANCORP INC 10-K Cybersecurity GRC - 2025-03-07

Page last updated on March 7, 2025

BCB BANCORP INC reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-07 14:36:52 EST.

Filings

10-K filed on 2025-03-07

BCB BANCORP INC filed a 10-K at 2025-03-07 14:36:52 EST
Accession Number: 0001228454-25-000003


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Cybersecurity risks are continually evolving, becoming increasingly complex and pervasive across all industries. To mitigate these cybersecurity risks and protect nonpublic, personally identifiable customer data, financial transactions and our classified information systems, the Bank has implemented a comprehensive information security program, which is a component of its overarching enterprise risk management program. Key components of the information security program include:

- A risk assessment process that identifies and prioritizes material cybersecurity risks; defines and evaluates the effectiveness of controls to mitigate the risks; and reports results to executive management and the Board of Directors.
- Annual security assessments that proactively identify potential vulnerabilities that are both externally facing and internal within the Bank’s infrastructure, and report the results for all assessments to executive management and the Board of Directors with tracking and resolution of potential areas of risk.
- A vulnerability management program that patches known vulnerabilities across operating systems and software platforms.
- Strong controls around user access, including creation, changes and termination of access, ongoing user access reviews, multifactor authentication and password policies.
- A technology team covering all critical cyber defense functions such as engineering, data protection, identity and access management, insider risk management, security operations, threat emulation and threat intelligence.
- A training program that educates employees about cybersecurity risks and how to protect themselves from cyberattacks.
- An awareness program that keeps employees informed about cybersecurity threats and how to stay safe online.
- An incident response plan that outlines the steps the Bank will take to respond to a cybersecurity incident, which is tested on a periodic basis.
- Adoption and implementation of a layered defense / defense-in-depth model in which security systems are linked or stacked so that the strengths of one security system compensate for the weaknesses of the other.
- Additional controls that include, but are not limited to, data encryption; change management; end-of-life management; asset management; malware and antivirus detection, response and mitigation; physical security; and business continuity and disaster recovery management.

The Bank engages reputable third-party assessors to conduct various independent audits on a regular basis, including but not limited to maturity assessments and various testing. Following a defense-in-depth strategy, the Bank leverages both in-house resources and third-party service providers to implement and maintain processes and controls to manage the identified risks. The Bank’s Third-Party / Vendor Risk Management program is designed to ensure that our vendors meet our cybersecurity requirements. This includes conducting periodic risk assessments of vendors, requiring vendors to implement appropriate cybersecurity controls and monitoring vendor compliance with our cybersecurity requirements.

The Bank’s information security program and strategy are designed to ensure the Bank’s information and information systems are resilient and appropriately protected from a variety of threats, both natural and man-made. Periodic audits and risk assessments are performed to validate control requirements and ensure that the Bank’s information is protected at a level commensurate with its sensitivity, value, and criticality. Preventative and detective security controls and policies are employed on all media where information is stored, the systems that process it, and infrastructure components that facilitate its transmission to ensure the confidentiality, integrity, and availability of Bank information. These controls and policies include, but are not limited to, access control, data encryption, data loss prevention, incident response, security monitoring, third-party risk management, and vulnerability management. The Bank’s information security program and strategy are regularly reviewed and updated to ensure that they are aligned with the Bank’s business objectives and are designed to address evolving cybersecurity threats and satisfy regulatory requirements and industry standards.

Material Effects of Cybersecurity Threats

While cybersecurity risks have the potential to materially affect the Bank’s business, financial condition, and results of operations, the Bank does not believe that risks from cybersecurity threats or attacks, including as a result of any previous cybersecurity incidents, have materially affected the Bank, including its business strategy, results of operations or financial condition. Accordingly, no matter how well designed or implemented the Bank’s controls are, there is a risk that it may not be able to anticipate all zero-day cybersecurity exploits and vulnerabilities, and it may not be able to implement effective preventive measures against such exploits / vulnerabilities and potentially associated security breaches in a timely manner.

Governance

Board of Directors Oversight

The Bank’s Board of Directors is charged with overseeing the establishment and execution of the Bank’s security management framework and monitoring adherence to related policies required by applicable statutes, regulations and principles of safety and soundness. Consistent with this responsibility, the Board has delegated primary oversight responsibility over the Bank’s security management framework, including oversight of cybersecurity risk and cybersecurity risk management, to the Information Technology / Information Security Committee of the Board of Directors. The Information Technology / Information Security Committee receives regular updates on cybersecurity risks and incidents and the cybersecurity program through direct interaction with the Chief Information Technology Officer and provides periodic updates regarding cybersecurity risks and the cybersecurity program to the full Board of Directors. Additionally, awareness and training on cybersecurity topics is provided to the Board on an annual basis.

Management’s Role

We recognize the critical importance of developing, implementing, assessing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. Senior Management, in collaboration with the Information Technology and Risk Departments, is responsible for the implementation and oversight of the Bank’s Cybersecurity Risk Management Program. Information security risk is systematically reported to our Board of Directors by the Information Technology and Risk Departments through quarterly management reports, ensuring a structured and effective flow of cybersecurity risk information to the Board of Directors. Various committees and working groups are dedicated to monitoring and managing information security risks, including the Cybersecurity Incident Response Team and the Information Technology / Information Security Committee of the Board of Directors. These committees play a pivotal role in establishing and overseeing policies, programs, and guidance that define clear expectations for managing cybersecurity risk. Due to the evolving nature of cybersecurity threats, we actively engage with external experts to enhance our security expertise. These subject matter experts provide independent evaluations and testing of our cybersecurity risk management framework. Our collaboration with these entities includes regular audits, threat assessments, and consultations on security enhancements to reinforce our security posture.


Company Information

Name: BCB BANCORP INC
CIK: 0001228454
SIC Description: Savings Institution, Federally Chartered
Ticker: BCBP - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 30