Page last updated on March 20, 2025
UNITED SECURITY BANCSHARES reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-20 16:45:54 EDT.
Filings
10-K filed on 2025-03-20
UNITED SECURITY BANCSHARES filed a 10-K at 2025-03-20 16:45:54 EDT
Accession Number: 0001137547-25-000039
Item 1C. Cybersecurity.
Privacy

The GLBA and the California Financial Information Privacy Act require financial institutions to implement policies and procedures regarding the disclosure of non-public personal information about consumers to non-affiliated third parties. In general, the statutes require disclosures to consumers on policies and procedures regarding the disclosure of such non-public personal information and, except as otherwise required by law, prohibit disclosing such information except as provided in the Bank’s policies and procedures. We have implemented privacy policies addressing these restrictions that are distributed regularly to all existing and new customers of the Bank.

Bank Merger Act

The Bank Merger Act grants the FDIC and other bank regulatory agencies the authority to review and approve or deny proposed bank mergers. It is part of the broader regulatory framework designed to ensure that such transactions do not harm competition, financial stability, or public interest. Understanding the regulatory framework of the Bank Merger Act ensures that the Company and the Bank are prepared for any potential changes in the competitive landscape, including shifts in market dynamics or new entrants that could arise from future mergers in the industry.

In September 2024, the FDIC issued a final statement of policy outlining its approach to reviewing Bank Merger Act applications for FDIC-supervised institutions, including the Bank. This policy establishes higher expectations for the statutory factors the FDIC must consider when evaluating such applications. Additionally, in September 2024, the DOJ withdrew its 1995 Bank Merger Guidelines and introduced the 2024 Banking Addendum, clarifying that it will evaluate competition concerns related to bank and bank holding company mergers using the 2023 Merger Guidelines and the 2024 Banking Addendum. This analysis may involve considering theories of harm and relevant markets not addressed by the 1995 guidelines, which primarily focused on deposit and branch concentrations.

Recently, the FDIC board of directors approved a proposal to revoke that policy statement, reverting on an interim basis to guidelines published in 2008 for consideration of bank mergers, and indicated the FDIC was conducting a broader reevaluation of its bank merger review process. The proposed revocation is currently open for public comment until April 10, 2025.

Other Aspects of Banking Law

The Bank is subject to federal statutory and regulatory provisions covering, among other things, security procedures, management interlocks, funds availability and truth-in-savings. There are also a variety of federal statutes that regulate acquisitions of control and the formation of bank holding companies, and the activities beyond owning banks that are permissible. Moreover, additional initiatives may be proposed or introduced before Congress, the California Legislature, and other government bodies in the future which, if enacted, may further alter the structure, regulation, and competitive relationship among financial institutions and may subject the bank holding companies and banks to increased supervision and disclosure, compliance costs and reporting requirements. In addition, the various bank regulatory agencies often adopt new rules and regulations and policies to implement and enforce existing legislation. Bank regulatory agencies have been very aggressive in responding to concerns and trends identified in examinations, and this has resulted in the increased issuance of enforcement actions to financial institutions requiring action to address credit quality, liquidity and risk management, capital adequacy, compliance with the Bank Secrecy Act, as well as other safety and soundness concerns.

It cannot be predicted whether, or in what form, any such legislation or regulatory changes in policy may be enacted or the extent to which the Bank’s businesses would be affected thereby. In addition, the outcome of examinations, any litigation, or any investigations initiated by state or federal authorities may result in necessary changes in the Bank’s operations and increased compliance costs.

Human Capital

The Company employed 114 full-time equivalent staff as of December 31, 2024. The employees are not represented by a collective bargaining unit, and the Company believes its relationship with its employees is good. The Company’s ability to attract, retain, and develop employees is a key to its success. We provide competitive pay that is consistent with the employee’s position and experience. Annual increases in compensation are based on merit, which is documented throughout internal systems and communicated at the time of review and upon promotion or transfer. Certain employees participate in the Company’s performance-based incentive programs, which may include additional bonus and incentive compensation and equity-based awards. Certain benefits are subject to eligibility, vesting, and performance requirements. Employee performance is measured formally at least annually.

Our employees’ health, wellness, and safety are a priority to the Company. Employees receive a comprehensive benefits package that includes paid time off, sick time, Company matching contributions of 100% up to 4% of salary contributions to a qualified retirement plan, and other health and wellness benefits including participation in Company paid or subsidized medical, dental, term-life, accidental death and dismemberment, long-term disability insurance, and employee assistance programs. The Company’s code of ethics prohibits discrimination or harassment. The Company requires all employees to agree to the code of ethics and participate in harassment prevention training annually.

Available Information

The Company files periodic reports and other reports under the Securities Exchange Act of 1934 with the Securities and Exchange Commission. These reports, as well as the Company’s Code of Ethics, are posted and are available at no cost on the Company’s website at http://www.unitedsecuritybank.com as soon as reasonably practical after the Company files such reports with the SEC. The Company’s periodic and other reports filed with the SEC are also available at the SEC’s website ( http://www.sec.gov ).

Item 1A - Risk Factors

Not required for smaller reporting companies.

Item 1B - Unresolved Staff Comments

The Company had no unresolved staff comments at December 31, 2024.

Item 1C - Cybersecurity

- Management of the Company’s wholly-owned subsidiary, United Security Bank (Bank), reports to the Board of Directors, or an appropriate committee of the board, at least annually. This report describes the overall status of the information security program and the Bank’s compliance with these guidelines.
- The report discusses material matters related to the information security program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.
- The intent of this report is to communicate the overall status of the information security program, including any updates to the program components.
- In regard to cybersecurity threats and controls, the information security program addresses the Bank’s cybersecurity strategy.
- Cybersecurity is an element of information security. Information security deals with information, regardless of its format - paper documents, digital and intellectual property, and verbal or visual communications.
- Cybersecurity focuses on protecting digital assets from intentional attacks. These assets include networks, computer hardware/software, and information that is processed, stored, or transported by networked systems and devices.
- The Information Security Program was initially designed, and is regularly updated, to comply with the following laws and regulations:
  ◦ The Gramm-Leach-Bliley Act (GLBA) regarding protection of nonpublic personal information,
  ◦ The Federal Financial Institutions Examination Council’s “Interagency Guidelines Establishing Information Security Standards,”
  ◦ Supplemental federal and state banking regulations and guidelines regarding protection of nonpublic customer information, as applicable to this program.
- Oversight of the Bank’s cybersecurity program is the responsibility of the IT Committee of the Board of Directors. This committee is also responsible for approving the program’s budget and staffing. Management of the program is the responsibility of the Bank’s information security officer.
- To ensure appropriate segregation of duties, the information security officer is independent of IT operations staff and reports to the Bank’s chief risk officer. The information security officer is responsible for responding to security events by ordering emergency actions to protect the institution and its customers from imminent loss of information; managing the negative effects on the confidentiality, integrity, availability, or value of information; and minimizing the disruption or degradation of critical services.
- The IT Committee of the Board of Directors meets bi-monthly, or as needed, to review risks resulting from cybersecurity threats.
- Testing is conducted annually using external third-party penetration testing and internal vulnerability assessments.

While cybersecurity risks have the potential to materially affect the Company’s business, financial condition, and results of operations, the Company does not believe that risks from cybersecurity threats or attacks, including as a result of any previous cybersecurity incidents, have materially affected the Company, including its business strategy, results of operations or financial condition. However, the sophistication of cyber threats continues to increase, and the Company’s cybersecurity risk management and strategy may be insufficient or may not be successful in protecting against all cyber incidents. Accordingly, no matter how well designed or implemented the Company’s controls are, it will not be able to anticipate all cybersecurity breaches. Preventative measures cannot provide absolute security and may not be sufficient in all circumstances or mitigate all potential risks, and the Company may not be able to implement effective preventive measures against cybersecurity breaches in a timely manner.
Company Information
Name | UNITED SECURITY BANCSHARES |
CIK | 0001137547 |
SIC Description | National Commercial Banks |
Ticker | UBFO - Nasdaq |
Website | |
Category | Non-accelerated filer; Smaller reporting company |
Fiscal Year End | December 30 |