Page last updated on March 19, 2025
Sound Financial Bancorp, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-18 16:19:18 EDT.
Filings
10-K filed on 2025-03-18
Sound Financial Bancorp, Inc. filed a 10-K at 2025-03-18 16:19:18 EDT
Accession Number: 0001541119-25-000009
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

Our enterprise risk management program is designed to identify, measure, monitor and control significant risks across various aspects of the Company. Cybersecurity risk management processes are integrated into this program, given the increasing reliance on technology and the potential for cyber threats. Our cybersecurity risk management program contains eleven key elements: Information Security Policies, Strategic Planning, Risk Assessment, Audit and Examination, Business Continuity Planning, Incident Response Planning, Third-Party Due Diligence, Cyber Insurance Coverage, Employee Training and Testing, Patch and Vulnerability Management, and the Federal Financial Institutions Examination Council (“FFIEC”) Cyber Assessment Tool (“CAT”).

The Company is committed to protecting the information of clients, employees, and stakeholders from both conventional and cyber threats. This commitment is upheld through the implementation of our comprehensive Information Security Program (“ISP”), designed to ensure the confidentiality, integrity, and availability of critical information technology (“IT”) systems and data. The Information Security Steering Committee (“ISSC”), appointed by the Board, bears the responsibility for cybersecurity risk management and strategy. It aids the Board in fulfilling its oversight duties related to IT security, aligning with the Bank’s business strategy, and adhering to regulatory requirements. The Virtual Chief Information Security Officer (“vCISO”), who is also appointed by the Board, oversees the ISP and coordinates the ISSC.

The ISSC’s responsibilities encompass:
- Review and approval of the ISP-related documents, including policies, strategies, plans and risk assessments;
- Monitoring of control statuses and program gaps, including findings from audit reports and assessments;
- Participation in program assessments, such as risk and business impact assessments;
- Providing input on mitigation of current issues and threats;
- Reporting, at least quarterly, to the Enterprise Risk Management Committee on ISSC activities and risk impacts on the Risk Appetite Statement;
- Reporting, at least annually, to the Board on the status of the ISP, covering compliance, risk management, vendor management, audit and testing results, breaches and incidents, and recommended updates to the ISP.

The Company’s approach to managing cybersecurity risks is shaped by insights from the FFIEC CAT, a tool designed for assessing and improving cybersecurity practices. This tool undergoes a thorough examination by an independent third party on an annual basis to ensure an unbiased and comprehensive evaluation. In its most recent assessment in 2023, the FFIEC CAT identified that the Company is operating at an acceptable level of cyber maturity. This means the Company is effectively handling the inherent risks it faces in five critical areas: cyber risk management and oversight, collaboration on threat intelligence, implementation of cybersecurity controls, management of external dependencies, and resilience in handling cyber incidents. To stay ahead of potential cybersecurity challenges, the Company has established a formal process. This process is activated whenever the FFIEC CAT or the ISSC identifies changes in inherent risks. In response, the Company proactively updates its cybersecurity objectives, policies, and tactical goals. This ensures that the Company’s cybersecurity strategy remains responsive, continuously adapting to emerging threats and evolving industry standards.

Acknowledging the crucial role of third-party service providers, the Board-approved Vendor Management Policy, coupled with the ISP, guides the identification and management of risks posed by critical vendors. A third-party risk assessment, based on due diligence criteria and identified controls, is conducted regularly to assess inherent and residual risks. Contractual requirements ensure that providers maintain information security controls, providing reasonable assurance of data confidentiality, integrity, and availability. Third-party access is inventoried and monitored, with management reporting to the Board annually on the status and overall effectiveness of the Vendor Management Program.

Further, to enhance cybersecurity awareness, reduce vulnerability, and foster consideration of cybersecurity threats, our employees and the Board of Directors attend annual trainings. Specific role-based trainings are mandatory for certain employees, tailored to their duties.

In the ordinary course of business, we rely heavily on electronic communications and information systems to conduct our operations and to store sensitive data. We employ a layered, defensive approach that leverages people, processes and technology to manage and maintain cybersecurity controls. A variety of preventive and detective tools are used to monitor, block, and alert us to suspicious activity, including potential advanced persistent threats. Despite our defenses, the severity and sophistication of cyber-attacks are on the rise. Attackers adapt quickly to changes in defense measures. While we have not identified significant compromises, substantial data losses, or major financial setbacks from cybersecurity attacks so far, our systems, along with those of our clients and service providers, face constant threats. There is no guarantee that our cybersecurity risk management program will completely safeguard the confidentiality, integrity, and availability of our information systems and solutions.

Cybersecurity risks are anticipated to stay elevated due to the evolving nature of threats and the increased use of online and mobile banking services. See “Risks Related to Cybersecurity, Data and Fraud” under “Item 1A. Risk Factors” in this Form 10-K for a further discussion of risks related to cybersecurity.

Governance

The Board of Directors oversees cybersecurity risk management as part of its broader risk oversight responsibilities. The Board receives at least annual reports from the ISSC on cybersecurity risks, emerging threats, regulatory developments, and the effectiveness of our information security program. The Board also reviews and approves the ISP annually to ensure alignment with business strategy and regulatory requirements.

The ISSC, chaired by the vCISO, is responsible for implementing cybersecurity risk management policies and strategies. The vCISO, appointed by the Board, has extensive experience in information security, holding various professional certifications, including the Certified Information Systems Security Professional (“CISSP”). The ISSC also includes senior executives from risk, compliance, IT, and internal audit functions, ensuring a multidisciplinary approach to managing cybersecurity threats. Adherence to the ISP is of utmost importance, and any exceptions to policy must be recommended by the ISSC, approved by the Enterprise Risk Management Committee, and reported to the Board at least annually. The ISSC includes key personnel including the vCISO, Chief Operating Officer, Technology Services Director, Information Technology Manager, Internal Audit Manager, Compliance Manager, and Information Security Specialists. The ISSC members bring diverse qualifications, certifications, and extensive experience to the table. This collective expertise ensures a comprehensive and well-rounded approach to our information security initiatives.
Our vCISO has substantial relevant expertise and formal training in the areas of information security and cybersecurity risk management and is accountable for managing our enterprise information security department and developing and implementing our information security program. The responsibilities include cybersecurity risk assessment, defense operations, incident response, vulnerability assessment, threat intelligence, identity access governance, third-party risk management, client, vendor and employee education and awareness, and business continuity and disaster recovery.
Company Information
Name | Sound Financial Bancorp, Inc. |
CIK | 0001541119 |
SIC Description | Savings Institution, Federally Chartered |
Ticker | SFBC - Nasdaq |
Website | |
Category | Non-accelerated filer Smaller reporting company |
Fiscal Year End | December 30 |