MIDDLEFIELD BANC CORP - (MBCN)
10-K Filing Date: March 28, 2024
Risk Management and Strategy
We have developed a comprehensive Information Security Program (“ISP”) that serves as the guiding policy establishing standards designed to protect the confidentiality of nonpublic, sensitive personal and business information, protect against potential threats to the security or integrity of such information, and protect against unauthorized access to or use of such information. The ISP applies to all Company employees, contractors, consultants, and third-party vendors as well as all technology owned and operated by the Bank. The scope of the ISP covers customer data as well as the Company’s strategic and proprietary information. The Board of Directors approves the ISP annually. Additionally, the Information Technology Steering Committee (“ITSC”) must approve significant modifications to the ISP prior to review and approval by the Board of Directors. The Chief Information Officer (“CIO”) is responsible for the implementation and maintenance of the ISP.
Key elements of our ISP include:
● Identification of sources and types of technology threats
● Tools and processes to manage technology security, such as change control approval, employing a Unified Threat Management System, and usage of anti-virus and anti-spam hardware
● Ongoing security assessments conducted by third-party vendors, such as vulnerability assessments and penetration testing, and mitigation of any findings
● Continuous firewall monitoring provided by a third-party vendor
● Information security training for employees provided by a third-party vendor
● Annual security audits of third-party vendors
Our Information Security Governance Plan (“InfoSec”) is a component of the ISP and provides for strategic oversight of critical aspects of the Bank’s information security. The objective of InfoSec is to provide a framework for decision-making and accountability for information security issues to ensure that the ISP is actively monitored and information security permeates through all areas and initiatives across the organization.
Security assessments are an ongoing activity within the Bank, and the Security Assessment Policy identifies security assessment requirements and those individuals accountable for ensuring the assessments comply with the requirements. All assessment activities must be approved by the Chief Risk Officer. The coverage of assessments includes, but is not limited to, physical security assessment, information technology general controls audit, vulnerability assessment, penetration testing, and social engineering testing. Results are shared with the ITSC, executive management and the Board of Directors.
There is an established Incident Response Program (“IRP”) that provides a framework for us to respond quickly, decisively, and appropriately to limit the impact of an adverse event, such as a cybersecurity incident, on customers and information resources. Procedures have been developed that outline the necessary steps should an incident occur, such as incident identification, classification, and escalation. We use a Cybersecurity Assessment Tool to assess our cybersecurity preparedness on a periodic basis. A Cybersecurity Incident Response Team, which is part of our general Incident Response Team, will take the appropriate actions as outlined in the IRP in the event a cybersecurity situation occurs.
We do not believe that risks from cybersecurity threats, including the previously disclosed cyber-attack that occurred in April 2023, have materially impacted or are reasonably likely to materially impact our overall business strategy, results of operations, or financial condition. We maintain cybersecurity insurance to cover the costs resulting from cyber-attacks; however, the policy may not cover all losses from cybersecurity incidents. Refer to the discussion on the April 2023 incident in Note 23 of our financial statements and the discussion of cybersecurity risk in Part I, Item 1A, “Risk Factors”.
Governance
Board of Directors
The Board of Directors, in coordination with the Audit Committee, oversees the Company’s management of cybersecurity risk. The Board receives monthly reports from the CIO, focusing on cybersecurity and information technology updates. The reports include key insights regarding our security risk score, areas of focus, and metrics from our third-party provider regarding security investigations and incidents as well as the results of training and phishing simulations. The Audit Committee receives periodic updates on information security risk and the maturity of our ISP. The Audit Committee also receives reports with the results of security assessments conducted by third parties.
Management
Under the leadership of the CIO, the Information Technology Steering Committee (“ITSC”) serves to improve the effectiveness of information technology at the Bank and ensure alignment with the Bank’s strategic business plan and statement of risk appetite. The ITSC is composed of senior management from the business areas. Meetings occur at least bi-annually. The ITSC is tasked with reviewing the Bank’s technology, information security, business continuity, digital initiatives, vendor management, and data management strategic direction and providing feedback to management.
The Information Security Governance Council (“ISGC”) acts on behalf of, and assists, the Board of Directors and executive management in fulfilling their oversight responsibilities regarding the Bank’s information security programs and risks. The ISGC is comprised of members from Risk, Information Technology, and other strategic areas within the Bank, including the CIO, and meets at least quarterly. The responsibilities of the ISGC include providing strategic oversight and implementation guidance for the ISP, aligning cybersecurity and business objectives, monitoring and reporting on cybersecurity and information security incidents, and promoting a strong culture around information security.
As stated above, the CIO is a member of the ISGC, chairs the ITSC, and reports to the Chief Strategy and Innovation Officer. The CIO has over 40 years of business experience in information technology and cybersecurity. We outsource the position of Chief Information Security Officer (“CISO”) to a third-party vendor that specializes in partnering with organizations to enhance cybersecurity management.