MainStreet Bancshares, Inc. - (MNSB)
10-K Filing Date: March 20, 2024
The Company recognizes the critical importance of identifying, assessing and managing material risks from cybersecurity threats and is committed to implementing and maintaining a comprehensive information security program to manage such risks and safeguard its systems and data.
The Company’s Board of Directors has ultimate oversight of cybersecurity-related risks and it is assisted in this role by the Technology Committee and the Audit & Risk Committee. Processes for identifying, assessing, and managing cybersecurity-related risks are integrated into the Company’s overall enterprise risk management process, which is overseen by the Audit & Risk Committee. The Audit & Risk Committee is responsible for monitoring risks that are being taken by the Company, understanding the enterprise-wide effect of those risks and reporting such risks to the Board. In fulfilling this role, the Technology Committee has primary oversight responsibility over management’s efforts to manage and mitigate cybersecurity-related risk and reviews and approves the Company’s cybersecurity strategy for protecting the Company’s information assets and technology platforms. The Audit & Risk Committee oversees the Company’s Internal Audit Department, which conducts reviews and assessments related to information security. Management provides periodic reports to the Technology Committee and the Audit & Risk Committee, both of which provide reports of their meetings to the full Board. These reports to the Board and its Committees address the threat environment, vulnerability assessments, specific cyber incidents and management’s efforts to monitor, detect and prevent cyber threats.
The Company’s information security program is primarily administered at the management level by the Information Security Department, which is led by the Company’s Chief Information Officer (CIO) and is supported by the Chief Information Security Officer (CISO), and by the Information Technology Department, which is led by the Company’s Chief Technology Officer (CTO). The Company’s Information Security Department is responsible for day-to-day management of the Company’s information security program, including data loss prevention, access control, threat monitoring, incident response and employee education and training. The Information Security Department also maintains policies related to cybersecurity and data security that provide the required governance for the information security program. Additionally, the Company’s Information Technology Department maintains policies that govern technical aspects of the Company’s information security program. Each policy is reviewed and approved by the Board at least annually. The Information Security team maintains and runs the Company’s security operations center and is responsible for cybersecurity event management and maintaining security tooling. The Company also maintains an Information Technology Management Committee, which is comprised of representatives from the Information Security, Information Technology, Enterprise Risk and Operations departments, as well as members of executive management. This committee meets at least quarterly to discuss and review the Company’s information security program and receives qualitative and quantitative update reports from the Information Security Department, Internal Audit Department and Information Technology Department.
The Company engages third party assessors, consultants and auditors in connection with its information security program, including to conduct external penetration testing, independent audits and risk assessments. The Company also utilizes third party service providers in the ordinary course of business. The Information Security Department performs information security assessments for third party service providers that store or process Company confidential data. These information security assessments include a review of any systems and organization control reports, proof of the vendor’s independent testing of their data protection controls, as well as a review of any exceptions noted and assessment of management responses, results of vulnerability and penetration testing, incident response processes and third party data protection controls (which can include, but is not limited to: access reviews and controls, backups, monitoring, encryption standards and disaster recovery). The review of these areas is taken into account in order to provide an overall information security conclusion and risk rating for the vendor.
As a regulated financial institution, the Company is also subject to financial privacy laws and its cybersecurity practices are subject to oversight by the federal banking agencies. For additional information, see Item 1A – Risk Factors.
Although the Company has not, as of the date of this Annual Report on Form 10-K, experienced a cybersecurity threat or incident that materially affected its business strategy, results of operations or financial condition, there can be no guarantee that the Company will not experience such an incident in the future.