BayCom Corp 10-K Cybersecurity GRC - 2025-03-14

Page last updated on March 14, 2025

BayCom Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-14 16:05:26 EDT.

Filings

10-K filed on 2025-03-14

BayCom Corp filed a 10-K at 2025-03-14 16:05:26 EDT
Accession Number: 0001730984-25-000017


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Cybersecurity is one of the cornerstones of our strategic business plan and the driving force behind our digital transformation journey. As a financial institution, we confront a spectrum of cyber threats, ranging from common attacks like ransomware to sophisticated, organized assaults by nation-state actors. These risks extend to our customers, shareholders, suppliers, and partners, emphasizing the critical need for a robust cybersecurity stance. In light of these challenges, maintaining resilience in our cybersecurity posture is not just a priority but a fundamental necessity to safeguard our operations, performance, and the maintenance of customer confidence in our banking services. The Board of Directors oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk appetite with our strategic objectives. Our enterprise risk management program is designed to identify, measure, monitor and control all significant risks across various aspects of the Company. Cybersecurity risk management processes are integrated into this program, given the increasing reliance on technology and potential of cyber threats. Our Director of Information Technology leads our cybersecurity program, reporting directly to the Chief Operating Officer (“COO”) and provides reports and updates to the Audit Committee, the Enterprise Risk Committee and the Chief Risk Officer (“CRO”) quarterly or more frequently as required. Our objective for managing cybersecurity risk is to maintain appropriate layers of safeguards to protect information systems from possible threats and to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse our systems or information.
Our Information Security Program aligns with industry frameworks, such as the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, Federal Financial Institutions Examination Council (“FFIEC”) Information Technology Examination Handbooks, and the FFIEC Cybersecurity Assessment Tool, and is periodically reviewed and updated at least annually or more frequently upon significant changes to our operating environment. Our Information Security Program is led by our Information Security Officer in conjunction with our Director of Information Technology. We maintain an Incident Response Plan (“IRP”) that provides a documented framework for responding to actual or potential cybersecurity incidents. The IRP is coordinated through the Director of Information Technology, COO, CRO, and key members of management and addresses roles, responsibilities, and communication and contract strategies in the event of a compromise, including analysis of reportable events in accordance with applicable legal and compliance requirements. We rely on a series of processes to identify threats, hazards, and other risks to our information assets. We employ a variety of preventative and detective tools from our Managed Security Services provider designed to monitor, detect, block, and alert us to suspicious and unauthorized activity, including suspected advanced persistent threats. In addition to regular risk assessments, we rely on independent assessments, audits, and cybersecurity feeds from vendors, which integrate directly into our patch and vulnerability management tools. We engage cybersecurity experts and third-party specialists to perform regular assessments of our infrastructure, software systems, and network architecture. We also leverage internal and external auditors and independent external partners to periodically review our processes, systems, and controls, including our information security program, to assess their design and operating effectiveness.
We provide regular and ongoing security education and training for employees and conduct recovery and resilience tests. The Company maintains a cyber insurance policy as part of its overall risk management strategy to mitigate financial losses in the event of a cybersecurity incident. The Bank also retains third-party experts to conduct intrusion and penetration testing on an annual basis. All risk and security assessment results are shared with the Board of Directors. Our assets are classified and protected based on the results of our risk assessment practices, which assess a variety of critical factors, including the type of data stored, system availability needs, confidentiality requirements, recovery time objectives, transactional processing, the number of users, and the volume and magnitude of transactions. Our Information Technology teams meet to ensure that risks are timely identified, patch and vulnerability requirements are monitored, and the necessary changes are implemented. Our Information Technology Governance ensures alignment between the Bank’s technological strategy and business goals. We strive for efficient utilization of IT resources while effectively managing IT risks within the Bank’s risk appetite. Additionally, our robust Vendor Management Program ensures proper oversight during the onboarding of new products, projects, and third-party vendors.

Identified Cybersecurity Risks

Federal and state regulators have issued guidance requiring financial institutions to implement layered security controls, strengthen client authentication for online services, and address risks from compromised credentials. Institutions must also maintain business continuity plans to ensure timely recovery of operations and data following a cyber-attack. Failure to comply with these regulations may result in sanctions, including financial penalties.
State regulators have increasingly enacted cybersecurity laws, including requirements for cybersecurity programs, data encryption, and breach notification. Many states have recently updated their data privacy regulations, and we expect this trend to continue. We actively monitor legislative and regulatory developments to ensure compliance. In the ordinary course of business, we rely on electronic communications and information systems to conduct operations and store and transmit sensitive data. We employ a layered cybersecurity approach, leveraging people, processes, and technology to monitor, detect, and mitigate threats. Our defenses include a variety of preventative and detective tools designed to block unauthorized activity and identify advanced persistent threats. Despite these measures, cyber-attacks are increasingly sophisticated and frequent, particularly in the financial services sector. While we have not experienced a material cybersecurity incident to date, a significant breach could result in financial losses, operational disruptions, reputational harm, regulatory scrutiny, or legal liability. In addition to securing our own systems, we rely on third-party service providers for various critical functions, including payment processing, cloud storage, and cybersecurity tools. Our systems, as well as those of our clients and third-party vendors, remain under constant threat, and vulnerabilities within these external providers could also pose risks to our operations. Given the evolving nature of cyber threats and the expanding use of online banking and digital services, our risk exposure is expected to remain high. We continuously assess and monitor cybersecurity threats in real time, including risks associated with third-party providers, to enhance our security posture.
However, there can be no assurance that our cybersecurity risk management program will fully protect the confidentiality, integrity, and availability of our information systems and solutions. See “Risks Related to Cybersecurity, Third Parties and Technology” under “Item 1A. Risk Factors” in this Form 10-K for further discussion of risks related to cybersecurity.

Management and Board Oversight of Cybersecurity Risks

Our Cybersecurity Program is managed by our Director of Information Technology, who leads our Information Technology team responsible for implementing our enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. The Director of Information Technology provides periodic reports to the executive risk management committee, the board-level risk committees of the Company and the Bank and the Chief Executive Officer and other members of our senior management, as well as the cross-functional management team that oversees the information security and information technology programs. These reports address key cybersecurity topics, including the implementation and operation of preventative controls and the detection, mitigation, and remediation of cybersecurity incidents. The Board receives formal cybersecurity updates at least quarterly from the Director of Information Technology, the Chief Operating Officer, and the Chief Risk Officer. These reports include updates on emerging threats, incident response activities, regulatory developments, and enhancements to cybersecurity frameworks. Additionally, the Board periodically conducts cybersecurity resilience reviews, including scenario planning and tabletop exercises, to evaluate preparedness for potential cyber incidents. The Chief Operating Officer, Chief Risk Officer, and board-level risk committees of the Bank also provide comprehensive reports to the full Board of Directors regarding pertinent cybersecurity risk management topics.
Our Director of Information Technology has more than 20 years’ experience in financial services, substantial relevant expertise and formal training in the areas of information security and cybersecurity risk management and is accountable for managing our enterprise information technology department and developing and implementing our cybersecurity and information security programs. These qualifications, certifications, and experience include a degree from the University of California, Santa Barbara with a focus on business administration coursework and a Certified Information Systems Security Professional designation from ISC2 Organization.


Company Information

Name: BayCom Corp
CIK: 0001730984
SIC Description: State Commercial Banks
Ticker: BCML - Nasdaq
Website:
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: