|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
The Company implements a comprehensive Information Security Program ("Program") to safeguard data confidentiality, integrity, and availability. The Program leverages recognized frameworks such as those of the National Institute of Standards and Technology ("NIST") and the Federal Financial Institutions Examination Council ("FFIEC") to identify, prevent, and mitigate cybersecurity threats. Regular assessments and updates ensure the Program's effectiveness in managing and reducing risk.
The Program integrates seamlessly with the Company's enterprise risk management program. Continuous threat and vulnerability assessments inform system and control updates, effectively mitigating risks. Layered security controls work together to protect customer information and transactions. Additionally, third-party experts conduct periodic program evaluations through penetration testing, audits, and best practice consultations, with results driving program improvement initiatives. As a regulated entity, California Bank of Commerce undergoes regular bank regulatory examinations evaluating the information security program and its compliance with federal regulations.
The Company's third-party risk management program oversees and identifies cybersecurity threats associated with service providers. While visibility into third-party operations is limited, risk-based evaluations are conducted. These evaluations involve reviewing security assessment questionnaires, testing summaries, audit reports, and information security policies.
Recognizing the importance of continuous security awareness, the Company provides comprehensive employee training. This includes mandatory cybersecurity and fraud training at onboarding, monthly email phishing tests, and annual computer-based training.
In addition, the Company has an incident response plan ("IRP") that takes effect if an event is identified by the information technology or information security team or by one of our third-party vendors. The Company's Information Security Officer ("ISO") would activate the IRP and communicate with the team members in accordance with the IRP. If the incident is material, the Chief Risk Officer would disclose the incident to the management Disclosure Control Committee.
While no material cybersecurity incidents have been identified during the reported fiscal year, the Company acknowledges the ongoing and evolving nature of cyber threats and remains vigilant in its efforts to defend against them.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
The Company implements a comprehensive Information Security Program ("Program") to safeguard data confidentiality, integrity, and availability. The Program leverages recognized frameworks such as those of the National Institute of Standards and Technology ("NIST") and the Federal Financial Institutions Examination Council ("FFIEC") to identify, prevent, and mitigate cybersecurity threats. Regular assessments and updates ensure the Program's effectiveness in managing and reducing risk.
The Program integrates seamlessly with the Company's enterprise risk management program. Continuous threat and vulnerability assessments inform system and control updates, effectively mitigating risks. Layered security controls work together to protect customer information and transactions. Additionally, third-party experts conduct periodic program evaluations through penetration testing, audits, and best practice consultations, with results driving program improvement initiatives. As a regulated entity, California Bank of Commerce undergoes regular bank regulatory examinations evaluating the information security program and its compliance with federal regulations.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The Company's internal controls incorporate a protocol for reporting and escalating information security matters to management and the Board of Directors for resolution and, if necessary, disclosure of any material incidents. The Board oversees continuous efforts to strengthen operational resilience and receives ongoing education to enhance its oversight capabilities in the face of evolving threats.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Board of Directors provides ultimate oversight and monitoring of the Program and its policies. The ARC Committee oversees areas such as information technology activities, cybersecurity-related risks, and disaster recovery processes. Additionally, management-level technology and security personnel oversee program management and related assessments, while operational committees manage specific cybersecurity-related risks.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The ISO, who reports directly to the Chief Risk Officer, periodically updates the Company's Information Technology Committee, the Company's Audit and Risk Committee ("ARC Committee") and the Board of Directors on information and cybersecurity risks, threats, exposures, and mitigation measures.
|Cybersecurity Risk Role of Management [Text Block]
|The ISO, who reports directly to the Chief Risk Officer, periodically updates the Company’s Information Technology Committee, the Company’s Audit and Risk Committee (“ARC Committee”) and the Board of Directors on information and cybersecurity risks, threats, exposures, and mitigation measures. The Company's IRP is regularly tested, incorporating cybersecurity scenarios.
The ISO leads program development, implementation, and reporting to the Board. The ISO possesses extensive experience, with over 25 years of securing information systems and data, and holds many industry certifications including Microsoft Certified Software Engineer + Security, Exchange Security, CompTIA Security+, PenTest+, Cybersecurity Analyst (CySA+), Cisco Certified Network Admin + Security enhancement, Cisco Certified Design Architect and Certified Ethical Hacker. Recognizing cybersecurity as a shared responsibility, the Company conducts periodic management-level simulations and tabletop exercises with external resources and advisors as needed.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The ISO, who reports directly to the Chief Risk Officer, periodically updates the Company’s Information Technology Committee, the Company’s Audit and Risk Committee (“ARC Committee”) and the Board of Directors on information and cybersecurity risks, threats, exposures, and mitigation measures. The Company's IRP is regularly tested, incorporating cybersecurity scenarios.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The ISO possesses extensive experience, with over 25 years of securing information systems and data, and holds many industry certifications including Microsoft Certified Software Engineer + Security, Exchange Security, CompTIA Security+, PenTest+, Cybersecurity Analyst (CySA+), Cisco Certified Network Admin + Security enhancement, Cisco Certified Design Architect and Certified Ethical Hacker.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The ISO, who reports directly to the Chief Risk Officer, periodically updates the Company's Information Technology Committee, the Company's Audit and Risk Committee ("ARC Committee") and the Board of Directors on information and cybersecurity risks, threats, exposures, and mitigation measures.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true