|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Assessing, identifying and managing material risks from cybersecurity threats is critical for maintaining the security of the Company’s data and information systems, and is integrated into our enterprise risk management systems and processes. The Bank’s approach to cybersecurity risk management and strategy is based on the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity Assessment Tool (“CAT”), which provides a repeatable and measurable process for evaluating cybersecurity preparedness and assessing, identifying, and managing material risks from cybersecurity threats. The CAT incorporates cybersecurity-related principles from the FFIEC Information Technology Examination Handbook and regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology Cybersecurity Framework.
The CAT consists of two parts: Cybersecurity Inherent Risk Profile and Cybersecurity Maturity. Completion of both parts of the CAT allows management and the Board to evaluate whether the Company’s cybersecurity risk and preparedness are aligned. The Cybersecurity Inherent Risk Profile is the level of risk posed to the Company by technologies and connection types, delivery channels, online/mobile products and technology services, organizational characteristics and external threats. Cybersecurity Maturity is designed to help management measure the Company’s level of risk and corresponding controls under the following five domains: (i) Cyber Risk Management and Oversight; (ii) Threat Intelligence and Collaboration; (iii) Cybersecurity Controls; (iv) External Dependency Management; and (v) Cyber Incident Management and Resilience.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Assessing, identifying and managing material risks from cybersecurity threats is critical for maintaining the security of the Company’s data and information systems, and is integrated into our enterprise risk management systems and processes.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Company’s Board of Directors recognizes the importance of maintaining the trust and confidence of our customers, employees, and shareholders, including the risks associated with cybersecurity threats. The Board of Directors’ responsibilities for cybersecurity risk management and strategy include the following:
|● Engaging management in establishing the Bank’s vision, risk appetite, and overall strategic direction;
|● Approving plans to ensure the use of the CAT;
|● Reviewing management’s analysis of the CAT results, inclusive of any reviews or opinions on the results issued by independent risk management or internal audit functions regarding those results;
|● Reviewing management’s determination of whether the Bank’s cybersecurity preparedness is aligned with its risks;
|● Reviewing and approving plans to address any risk management or control weaknesses; and
|● Reviewing the results of management’s ongoing monitoring of the Bank’s exposure to and preparedness for cyber threats.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Audit Committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Company has also appointed an ISO, who reports directly to the Audit Committee and to the Chief Executive Officer and shares a co-sourced relationship with a third party consultant. The ISO has been with Bank First for over 10 years in various operational and administrative roles. For the past five years, he has served as the Bank’s Enterprise Risk Manager, and as ISO for the past three years. In 2022, he earned the Certified Banking Security Manager certification from SBS Cybersecurity. The ISO works closely with the Director of Technology to ensure that the Bank’s cybersecurity controls are in line with established internal culture, Board expectations and risk appetite, and all regulatory requirements. The ISO’s responsibilities include the following:
|● Developing a plan to conduct and complete the CAT on an annual basis;
|● Working with the VP-Director of Technology to evaluate the results of the CAT;
|● Leading employee efforts during the CAT to facilitate timely responses from across the Bank;
|● Setting the target state of cybersecurity preparedness that best aligns to the Board of Directors’ approved risk appetite;
|● Reviewing, approving, and supporting plans to address risk management and control weaknesses;
|● Analyzing and presenting the results of the CAT to the full Board of Directors;
|● Providing periodic cybersecurity updates to the full Board of Directors;
|● Overseeing the performance of ongoing monitoring to remain nimble and agile in addressing evolving areas of cybersecurity risk; and
|● Overseeing the Bank’s cybersecurity preparedness.
|Finally, the Company has established an Information Technology Committee to support the ISO in implementing the CAT, document formal action plans to be presented to the Board of Directors, enforce and implement the controls established by the CAT, and ensure employee compliance with internal controls.
|Cybersecurity Risk Role of Management [Text Block]
|
The CAT consists of two parts: Cybersecurity Inherent Risk Profile and Cybersecurity Maturity. Completion of both parts of the CAT allows management and the Board to evaluate whether the Company’s cybersecurity risk and preparedness are aligned. The Cybersecurity Inherent Risk Profile is the level of risk posed to the Company by technologies and connection types, delivery channels, online/mobile products and technology services, organizational characteristics and external threats. Cybersecurity Maturity is designed to help management measure the Company’s level of risk and corresponding controls under the following five domains: (i) Cyber Risk Management and Oversight; (ii) Threat Intelligence and Collaboration; (iii) Cybersecurity Controls; (iv) External Dependency Management; and (v) Cyber Incident Management and Resilience.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Information Security Officer (“ISO”) and the Company’s Information Technology Committee
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The Company has also appointed an ISO, who reports directly to the Audit Committee and to the Chief Executive Officer and shares a co-sourced relationship with a third party consultant. The ISO has been with Bank First for over 10 years in various operational and administrative roles. For the past five years, he has served as the Bank’s Enterprise Risk Manager, and as ISO for the past three years. In 2022, he earned the Certified Banking Security Manager certification from SBS Cybersecurity.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
|● Developing a plan to conduct and complete the CAT on an annual basis;
|● Working with the VP-Director of Technology to evaluate the results of the CAT;
|● Leading employee efforts during the CAT to facilitate timely responses from across the Bank;
|● Setting the target state of cybersecurity preparedness that best aligns to the Board of Directors’ approved risk appetite;
|● Reviewing, approving, and supporting plans to address risk management and control weaknesses;
|● Analyzing and presenting the results of the CAT to the full Board of Directors;
|● Providing periodic cybersecurity updates to the full Board of Directors;
|● Overseeing the performance of ongoing monitoring to remain nimble and agile in addressing evolving areas of cybersecurity risk; and
|● Overseeing the Bank’s cybersecurity preparedness.
|Finally, the Company has established an Information Technology Committee to support the ISO in implementing the CAT, document formal action plans to be presented to the Board of Directors, enforce and implement the controls established by the CAT, and ensure employee compliance with internal controls.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true