Page last updated on March 17, 2025
RBB Bancorp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-17 16:11:01 EDT.
Filings
10-K filed on 2025-03-17
RBB Bancorp filed a 10-K at 2025-03-17 16:11:01 EDT
Accession Number: 0001437749-25-008002
Item 1C. Cybersecurity.
Cybersecurity threats continue to evolve as the threat landscape evolves. The Bank continuously works to evolve its cybersecurity practices with the changing landscape. Significant resources are devoted to protecting and enhancing the security of networks, computer systems, data storage devices, and other systems and technology. The Bank’s security efforts and implemented controls are designed to protect against, among other things, cybersecurity attacks that can result in unauthorized access of confidential information, the destruction of data, disruptions to or degradations of service, the sabotaging of systems or other damage. Third parties with which the Bank does business, which facilitate the Bank’s business activities, e.g., vendors, supply chain, exchanges, clearing houses, central depositories, and financial intermediaries, are sources of cybersecurity risk to the Bank. Third-party incidents such as system breakdowns or failures, misconduct by the employees of such parties, or cyber-attacks, including ransomware and supply-chain compromises, could have a material adverse effect on the Bank, including in circumstances in which an affected third party is unable to deliver a product or service to the Bank or results in lost or compromised information of the Bank or its clients or customers. Bank customers are also sources of cybersecurity risk to the Bank and its information assets, particularly when their activities and systems are beyond the Bank’s own security and control systems. The Bank provides information to its customers and other external parties concerning cybersecurity risks, including opportunities to reduce cybersecurity risk. The security program is commensurate with the size and complexity of the Bank. Risks from cybersecurity threats, including any previous cybersecurity events, have not materially affected the Bank or its business strategy, results of operations or financial condition.
Cybersecurity Risk Management
The Bank maintains an Information Security and Cybersecurity Program to support the management of cybersecurity risk as a component of the Bank’s Enterprise Risk Management (“ERM”) framework. The information security and cybersecurity program is designed to manage risks relating to cybersecurity threats and leverages controls, best-practice recommendations, and standards from the Federal Financial Institutions Examination Council (“FFIEC”) and the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, and standards set by relevant legal and regulatory authorities. The Information Security Officer (“ISO”) oversees the Bank’s Information Security and Cybersecurity Program and leads the Information Security team. Reporting to the Chief Risk Officer (“CRO”) and Chief Information Officer (“CIO”), the ISO and his team are responsible for identifying, assessing and managing information security and cybersecurity risks, and for implementing and maintaining controls to prevent, detect and respond to cybersecurity threats and incidents, safeguarding the confidentiality, integrity and availability of the Bank’s information systems and data. As part of the Information Security and Cybersecurity Program, the Bank conducts periodic employee training to educate employees on information and cybersecurity risks and to reinforce security management practices and compliance with the Bank’s security policies and standards. Training is mandatory for all employees and is supplemented by testing initiatives, including periodic phishing tests. The Bank’s policies and procedures concerning cybersecurity matters include processes to safeguard its information systems, monitor these systems, protect the confidentiality and integrity of its data, detect intrusions into its systems, and respond to cybersecurity incidents.
Extensive technical controls are in place for identifying and managing cybersecurity risks and safeguarding Bank information systems and information. The Bank uses sophisticated industry-recognized monitoring and threat detection technologies that continuously monitor its information systems and provide threat detection alerts. The Bank’s strategy for assessing, identifying, and managing cybersecurity risks and for evaluating the effectiveness of its cybersecurity program includes periodic risk assessments and testing of its systems, processes and procedures through audits, penetration testing, vulnerability scans, tabletop exercises, and other related exercises. The Bank has an incident response program designed to enable the Bank to respond to cybersecurity incidents, coordinate as appropriate with law enforcement and other government agencies, notify clients and customers, as applicable, and recover from such incidents. In addition, the Bank actively partners with appropriate government and law enforcement agencies and peer industry forums to participate in threat intelligence discussions and simulations to assist with understanding the full spectrum of cybersecurity risks and enhancing defenses and improving resiliency in the Bank’s operating environment. The Bank engages third parties on a regular basis to assess, test, audit or assist with the implementation of risk management strategies, policies, and procedures to enhance the detection and management of cybersecurity risks. Cybersecurity risk management strategies include, but are not limited to: consultants who assist with assessing risks, assessing systems alignment with the NIST Cybersecurity Framework and FFIEC, penetration testing, tabletop exercises and other regulatory agency requirements. The Bank maintains a process to evaluate and manage risks associated with third-party service providers. We conduct a full vendor due diligence review before engagement, review specific security measures in our contracts, and maintain continued monitoring during the engagement, including yearly due diligence reviews.
Governance
The IT Committee and Audit Committee are the principal board committees that oversee the Bank’s assessment and management of cybersecurity risk, including oversight of the implementation and maintenance of appropriate controls in support of the Bank’s Information Security and Cybersecurity Program. Both the IT and Audit Committees are comprised of professionals with risk management and information technology expertise to manage any material risk from a cybersecurity threat standpoint. The membership of the IT Committee includes members of the executive management team as well as directors of the Bank. The CIO and ISO actively participate in all IT Committee meetings. The CIO has over 20 years of work experience in the development, operation and management of Information Technology at financial institutions. The ISO has over 10 years of work experience in building and overseeing cybersecurity programs at financial institutions. Both the CIO and ISO have extensive experience and qualifications in various technology and information security disciplines, including relevant experience at the Bank. Additionally, the Audit Committee has oversight of the management of cybersecurity risk via validation and review of IT and cybersecurity risk assessments and audits. The ISO provides reporting metrics on cybersecurity risks to the IT Committee, which meets at least four times a year. The IT and Audit Committees assist the Board of Directors in its oversight. As part of its oversight of management’s implementation and maintenance of the Bank’s risk management framework, the Bank’s Board of Directors receives regular updates directly from both the IT and Audit Committees concerning cybersecurity matters. These updates generally include information regarding cybersecurity and technology developments, the Bank’s Information Security Program and recommended changes to that program, cybersecurity policies and practices, and ongoing initiatives to improve information security, as well as any significant cybersecurity incidents and the Bank’s efforts to address those incidents. Notwithstanding the Bank’s efforts at cybersecurity, the Bank cannot guarantee that those efforts will successfully prevent or mitigate a cybersecurity incident that could have a material adverse effect on it. To our knowledge, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Bank, including its business strategy, results of operations or financial condition. With regard to the possible impact of future cybersecurity threats or incidents, see Item 1A. Risk Factors - Risks Related to Our Business.
Company Information
Name | RBB Bancorp |
CIK | 0001499422 |
SIC Description | State Commercial Banks |
Ticker | RBB - Nasdaq |
Website | |
Category | Accelerated filer |
Fiscal Year End | December 30 |