BANK OF THE JAMES FINANCIAL GROUP INC - (BOTJ)

10-K Filing Date: March 27, 2024
Item 1.C.Cybersecurity

As a publicly-traded financial institution, we are subject to various cybersecurity risks that could adversely affect our business, financial condition, results of operations and reputation, including, but not limited to, cyber-attacks against us or our service providers focused on gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data or causing operational disruption. As described below, we have risk management and governance practices and processes designed to address these risks.

The Company has established an enterprise risk management framework that outlines the processes and procedures the Company uses to identify, assess, mitigate, and monitor the risks faced by the Company, including cybersecurity risk. Within the overarching enterprise risk management framework, we have an information security program (“ISP”) designed to preserve the confidentiality, integrity, and availability of information or data on our systems and those of our service providers, as documented in our information security policy.

The Company maintains an ISP to support the management of cybersecurity risk as an integral component of the Company’s enterprise risk management (“ERM”) framework. The ISP encompasses the Company’s cybersecurity policies, practices, and procedures that we use to identify, assess, mitigate, and monitor the risks faced by the Company. In addition, as part of the ISP, the Company has a Cybersecurity Incident Response Policy (“CIRP”) and Incident Response Team (“IRT”).

The IRT includes members of executive and senior management and other employees, including representatives from audit, compliance, human resources, finance, credit, information technology, information security, and legal. The IRT manages how incidents are defined, identified, and classified and ensures that procedures are in place to properly escalate, report, and respond to incidents, as they are defined in the policy. The CIRP covers incident preparation, detection, analysis, and declaration, as well as plan execution and process guides for specific scenarios. Post-incident activity, which covers incident termination, metrics, lessons learned, evidence retention, and plan maintenance, is also included. The ISP follows relevant industry frameworks and standards set by the relevant legal and regulatory authorities and is being updated to align with the NIST Cybersecurity Framework 2.0.

The Board is responsible for the oversight of cybersecurity risk management. In 2022, we elevated the Enterprise Risk Committee to a “committee of the whole” of the Bank’s board of directors. At the second board meeting of each calendar quarter, a significant portion of the meeting is dedicated to enterprise risk management. At that board meeting, management presents the enterprise risk management matrix, including the portions related to cybersecurity, to the board. In addition, the board receives regular reports from management on our cybersecurity threat risk management and strategic processes, on topics such as any cybersecurity incidents (including any remedial actions) and, for example, results of our EDR and XDR programs.

At the management level, the company has designated an information security officer (“ISO”). Our ISO is responsible for the overall administration and execution of the ISP and reports to our EVP-General Counsel. Our ISO has over twenty years of experience working in information security. The ISO monitors the security of, among other things, systems, applications, tools, databases, computers, websites, cloud infrastructure, vendor tools, and user access systems. The ISO also works with and oversees third-party vendors that provide us with information security services and products. The ISO performs an annual information security risk assessment, which, among other things, documents inherent risk levels and controls in place to manage those risks. The information security risk assessment is presented to the Board annually. The ISO has various professional certifications in relevant fields. The ISO is responsible for administering and executing the ISP and formulating a risk-based approach for evaluating and managing technology and cybersecurity threats.

Management determines and prioritizes appropriate risk responses for each identified enterprise risk. In doing so, executive and senior management work directly with our information technology team and our ISO. Management is accountable for our day-to-day risk management activities.

We strive to minimize the occurrence of cybersecurity incidents and the risks resulting from such incidents. However, when a cybersecurity incident does occur, the Company has in place an incident response program to guide our assessment of and response to the incident. The ISO coordinates the Company’s response to a cybersecurity incident, including investigating, recording and evaluating any potential, suspected or confirmed incidents involving non-public customer information or Company confidential information.

On a regular basis, the ISO reports to executive management and the Board on information security risk issues, risk mitigation progress and developments, and information security enhancement initiatives. The ISO also reports the status of information security-related key risk indicators to executive management.

The Company employs third parties in certain aspects of its information security and cybersecurity risk management. For example, we engage third parties to assess the information security risks related to our ISP as well as information security products, services, and security infrastructure. We have adopted a Third-Party Relationship Risk Management Program to help us effectively assess, measure, monitor, and control the risks associated with third-party relationships, including those related to information security. The board and senior management are responsible for all vendor relationships. The ISO assesses and monitors information risks posed by third parties and any non-compliance with the controls created to address such risks. With respect to cybersecurity incidents affecting our third-party service providers, the ISO works with our service providers to understand and document any incidents, along with managing the impact to us and reporting such incidents to executive management and, if applicable, the Board. We utilize endpoint detection and response (“EDR”) and extended detection and response (“XDR”) platforms, both of which align to the MITRE ATT&CK® knowledge base for threat modeling and methodologies. These assist us in detecting, investigating, and responding to actual and potential security incidents.

Based on information known to us, to date, we have not incurred any material losses related to cybersecurity incidents. However, the risk management and governance processes described above may not be sufficient to prevent cybersecurity incidents, and we could incur substantial costs and suffer other negative consequences from cybersecurity incidents. We can give no assurance that we have detected or protected against all cybersecurity threats or incidents. Please refer to “A failure in or breach of our operational or security systems or infrastructure, or those of our third party vendors and other service providers, including as a result of cyber-attacks, could disrupt our business, result in the disclosure or misuse of confidential or proprietary information, damage our reputation, increase our costs and cause losses” included in “Item 1A, Risk Factors” of this Annual Report on Form 10-K for additional information about material risks related to cybersecurity threats.