BV Financial, Inc. - (BVFL)
10-K Filing Date: March 22, 2024
Cybersecurity Risk, Management, and Strategy
Cybersecurity is a significant and integrated component of the Company’s risk management strategy, designed to protect the confidentiality, integrity, and availability of sensitive information contained within the Bank’s information services. As a financial services company, the Company faces cyber threats that are present and growing, and the potential exists for a cybersecurity incident disrupting business operations, compromising sensitive data, or both. To date, the Company has not, to its knowledge, experienced an incident materially affecting or reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition.
To prepare for and respond to incidents, the Company has implemented a multi-layered “defense-in-depth” cybersecurity strategy, integrating people, technology, and processes. This includes advanced employee training, innovative technologies, and policies and procedures in the areas of Information Security, Data Governance, Business Continuity and Disaster Recovery, Privacy, Third Party Risk Management, and Incident Response.
Core activities supporting our strategy include cybersecurity training, technology optimization, threat intelligence, vulnerability and patch management and the testing of incident response, business continuity and disaster recovery capabilities.
Employees are the first line of defense against cybersecurity threats. Every employee is responsible for protecting Bank and client information. Accordingly, employees complete formal training and acknowledge security policies annually. In addition, employees are subjected to regular simulated phishing assessments, designed to sharpen threat detection and reporting capabilities.
Our employees are supported with solutions designed to identify, prevent, detect, respond to, and recover from incidents. Notable technologies include firewalls, intrusion detection systems, security automation and response capabilities, user behavior analytics, multi-factor authentication, data backups to immutable storage and business continuity applications. Notable services include 24/7 security monitoring and response, vulnerability scanning, third-party monitoring, and threat intelligence.
Like many companies, the Company relies on third-party vendor solutions to support its operations. Many of these vendors have access to sensitive and proprietary information. Third-party vendors continue to be a notable source of operational and informational risk. Accordingly, the Company has implemented a Third-Party Risk Management program, which includes a detailed onboarding process and periodic reviews of vendors with access to sensitive Company data.
As indicated above, supporting our operations are incident response, business continuity, and disaster recovery programs. These programs identify and assess threats and evaluate risk. Further, these programs support a coordinated response to incidents. Periodic exercises and tests verify these programs’ effectiveness.
Validating solution and program effectiveness in relation to regulatory compliance and industry standards is important. Accordingly, the Company engages third-party consultants and independent auditors to conduct penetration tests, external audits, program enhancement where applicable and review of cybersecurity risk assessments.
Cybersecurity Governance
The Company has established an Information Technology Steering Committee consisting of department leaders. The committee focuses on strategic and tactical delivery as well as policy oversight. All such policies are approved by the board of directors. All Information Security activity is led by the Information Security Officer.