Management and Strategy. Senior management takes the guidance provided by the Board of Directors and transforms this guidance into operational priorities which are implemented and maintained by the staff members and third-party service providers. In addition, the senior management team ensures that budgeted resources are allocated in a timely manner to support the various security initiatives.

Operational Information Technology and Information Security staff members, and third-party service providers utilize the direction and resources provided by the senior management team to develop procedures, standards, and guidelines to achieve the strategic goals defined by the Board of Directors. Operational and security health is reported quarterly to the IT Steering Committee, Enterprise Risk Management Committee, and the Board of Directors. Recommendations for improvements are shared between operational staff and the senior management team as part of a continuous improvement program for information security and cybersecurity.

Operational staff members actively maintain, review, update, and exercise plans and procedures designed to enhance our overall business resiliency. Incident Response team members are trained annually on current information and cybersecurity trends, techniques, and their responsibilities to keep our information confidential, accurate, and available.

We also utilize the services of third-party providers to conduct an IT audit, external and internal vulnerability testing, external and internal penetration testing, and social engineering testing on at least an annual basis. The results of these independent audits and tests are sent to the Board of Directors for review.

Finally, Quaint Oak Bank complies with its regulatory requirements by having Federal and State safety and security examinations performed on a schedule dictated by the regulatory agencies. The results of these examinations are reviewed and approved by the Board of Directors. Additionally, all findings from these examinations are recorded and prioritized for remediation.

Conclusion. Our Board of Directors and management take very seriously the information security and cybersecurity obligations Quaint Oak Bancorp and Quaint Oak Bank have to their respective customers, shareholders, staff members, and regulatory agencies. In support of these obligations, we have and actively maintain a robust information security and cybersecurity program based upon industry best practices, regulatory requirements, and the expertise of staff members and supporting third-party vendors.

To our knowledge, we have not had a cybersecurity incident that has materially affected Quaint Oak Bancorp, its business strategy, financial condition, or results of operation.

Governance. Our efforts for increased information and cybersecurity readiness are driven from the top of the organization. The Enterprise Risk Management Committee has the responsibility of assessing risks associated with technology and information security, including cybersecurity. The Enterprise Risk Management Committee reports directly to our Board of Directors. The Board of Directors reviews and approves Information Security Risk Assessments and performance reviews which guides the actions of the management team, staff members, and supporting third-party service providers. In addition, the Board is active in the review and approval of all policies concerning information technology and information security. The Board further reviews reports provided by the management team regarding the status of Quaint Oak Bank’s GLBA compliance, risk management program, Third Party Risk Management program, and the results of tests and exercises conducted for business continuity, disaster recovery, cybersecurity incident response, and pandemic response. Lastly, the Board of Directors reviews and approves the budget for information and cybersecurity, ensuring that we have sufficient resources to properly address all current and foreseeable information and cybersecurity threats.