Risk Management and Strategy

The Company prioritizes the security of our banking operations to protect our customers and our reputation, and to preserve our value. While eliminating all risk is unrealistic, we invest heavily in our Information Security program to mitigate cybersecurity risks. Our controls focus on safeguarding information systems, networks, and assets from unauthorized access, ransomware threats, and service disruptions. Third-party vendors are also held to similar standards, with reviews conducted annually.

The Company’s Information Security program establishes policies, procedures, and risk assessments related to effective and efficient controls related to design and operations of the program. The Company also leverages regulatory guidance issued by the Federal Financial Institutions Examination Council (FFIEC) and frameworks to develop and maintain the information security program, including, without limitation the: FFIEC Cybersecurity Assessment Tool, National Institute of Standards and Technology (NIST) Cybersecurity Framework, and Section 501(b) of the Gramm-Leach-Bliley Act of 1999. Senior Management also monitors notifications from the U.S. Computer Emergency Readiness Team (“CERT”) and the Financial Services Information Sharing and Analysis Center (FS-ISAC). Some of our procedures and controls include, without limitation:

•Security Information and Event Management (“SIEM”) logging and triggers, alerts, and 24/7 monitoring.

•Endpoint Detection and Response (“EDR”), encryption, and backups.

•Third party vendor risk management.

•Disaster recovery and incident response plans.

•Security awareness training, social engineering testing, and remedial training.

•Vulnerability scanning, remediation tracking, and reporting.

We [regularly] engage certified and reputable consultants and auditing firms to evaluate the maturity and effectiveness of our security, including testing the design and operational effectiveness of controls, penetration testing, engaging in independent reviews of policies and standards, and consulting on best practices.

Governance

The Board of Directors, Audit Committee and the Information Technology (IT) Steering Committee, which is comprised of members from various departments including IT, Accounting, Compliance, Lending, Credit, Human Resources, Operations, Treasury Management, Treasury Support, Retail, Mortgage Sales, Mortgage Operations, Commercial Operations, and the Executive Team, provide oversight and direction of cybersecurity threats and risk management. The Board of Directors reviews and approves the Company’s policies related to Information Security and receives periodic updates from the IT Steering Committee and management in the areas of cybersecurity risks, controls, projects and initiatives, vulnerability assessments, vendor management, and security considerations. The Board of Directors is promptly notified and provided information on any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates of any such incidents until they are resolved.

A dedicated team, led by the Senior Vice President of Information Technology and Information Security Officer (the “SVP of IT and ISO”) manages the day-to-day cybersecurity risk program and supervises internal personnel and relationships with external technology and security consultants. The SVP of IT and ISO has over 18 years of experience in the banking industry as it relates to strategy and cyber security and reports to the Chief Operating Officer, the IT Steering Committee, the Audit Committee, and the Board of Directors.

While we believe we have implemented robust security procedures and controls to mitigate cybersecurity threats, we cannot be certain that these measures will be successful. The threat from cybersecurity attacks is severe, attacks are sophisticated and increasing in volume, and attackers respond rapidly to changes in defensive measures. Although to date the Company has not detected a significant compromise, significant data loss or any material financial losses related to cybersecurity attacks, the Company’s systems and those of its customers and third-party service providers are under constant threat and it is possible that the Company could experience a significant event in the future. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of Internet banking, mobile banking and other technology-based products and services by us and our customers.

‎