Capital Bancorp Inc - (CBNK)

10-K Filing Date: March 15, 2024
ITEM 1C CYBERSECURITY
As a publicly-traded financial institution, we are subject to various cybersecurity risks that could adversely affect our business, financial condition, results of operations and reputation, including, but not limited to, cyber-attacks against us or our critical third-party service providers. These cyber-attackers can attempt to gain unauthorized access to our digital systems for purposes including, but not limited to: misappropriation of company assets, accessing Company confidential or sensitive customer non-public information, corrupting data, causing operational disruptions, or as part of a ransom demand for payment. As described below, we believe we have appropriate risk management processes, governance policies, standards, and procedures, a system of internal controls designed to address and mitigate these risks, and experienced internal resources to execute our information security and cybersecurity risk management programs.
In 2020, the Company’s Board of Directors approved the implementation of a three lines of defense enterprise risk management framework upon the hiring of our current Chief Risk Officer/Chief Information Security Officer (“CRO/CISO”). Our three lines of defense enterprise risk management framework includes processes and procedures used to identify, assess, mitigate, and monitor the risks faced by the Company, including cybersecurity risk.
Within the three lines of defense framework for cybersecurity risk, the first line of defense is provided by the Information Technology department, which is responsible for the design and execution of information security practices and risk mitigation, led by the Company’s Business Information Security Officer (“BISO”). The BISO reports to the Chief Information Officer, who leads the Company’s Information Technology department.
The second line of defense is provided by the Enterprise Risk Management department, which is led by the Company’s CRO/CISO. The department seeks to identify, assess, and monitor cyber risk, in collaboration with our first line, while maintaining independent oversight of our information security program. The CRO/CISO is independent of management and reports to the Board Risk Committee Chair.
The third line of defense is independent Internal Audit, led by our Head of Internal Audit, who is responsible for ensuring that the first and second lines of defense are both designed and operationally effective in mitigating cybersecurity risk, through internal audits covering areas including, but not limited to: cybersecurity, electronic banking, GLBA/Privacy, information security, information technology, and vendor risk management. The Head of Internal Audit is independent of management and reports to the Board Audit Committee Chair.
Our BISO, CRO/CISO, and Head of Internal Audit have nearly seven decades of combined work experience, including six decades in banking and financial services risk management and information security roles, and all maintain several industry licenses and certifications through continuing professional education.
The Company’s information security program is designed to preserve the confidentiality, integrity, and availability of Company confidential information, customer non-public personal information, and other data on our systems as well as securing our interfaces with our critical third-party service providers.
Our information security program takes a risk-based approach to identifying and assessing the cybersecurity risks that exist within our business and information technology systems. The program addresses the roles and responsibilities of the Board, its committees, management, management’s committees, as well as each individual Company employee.
The Board of Directors is ultimately responsible for the oversight of cybersecurity risk management, with the Board Risk Committee assisting the Board with oversight of the Company’s cybersecurity risk program and reporting. The Board of Directors appoints the CISO, and the CISO is given the full authority of the Board for administering and executing the Company’s written information security program. The CRO/CISO delivers an annual report to the full Board of Directors on the status and effectiveness of the Company’s written information security program, and reports to the Board Risk Committee any emerging threats or cyber risks on a periodic basis throughout the year. The Board Risk Committee has also approved an Information Security and Cybersecurity Risk Appetite Statement.
At the management level, the Enterprise Risk Management Committee (“ERMC”) is primarily responsible for cybersecurity risk management. The Committee is comprised of senior executives with risk management and information security expertise. The Information Technology Steering Committee (“ITSC”) is a sub-committee of ERMC and is also comprised of senior executives and staff with risk management and information security expertise. ITSC governs the first line of defense cybersecurity risk management activities and furnishes approval items, status reports, and approved Committee minutes to ERMC following each meeting. ERMC governs the second line of defense cybersecurity risk management activities and furnishes key risk indicators, risk assessments, reports, issues and committee minutes to the Board Risk Committee. The CRO/CISO assigns quarterly cybersecurity training to all Company employees, and ERMC reviews and approves the training curriculum on an annual basis. Additionally, the CRO/CISO ensures the Board receives annual cybersecurity training.
We strive to minimize the occurrence of cybersecurity incidents and the risks resulting from such incidents. However, when a cybersecurity incident does occur, the Company has in place an incident response program to guide our assessment of and response to the incident. The CRO/CISO coordinates the Company’s response to a cybersecurity incident, including investigating, recording and evaluating any potential, suspected or confirmed incidents involving non-public customer information or Company confidential information. The CRO/CISO informs senior management, the Board Risk Committee Chair and the Board Audit Committee Chair as soon as practical if a significant security incident occurs. Formal incident reports, if/when applicable, are reviewed by ITSC, ERMC, and the Board Risk Committee.
The Company employs third parties in fulfilling certain aspects of its information security and cybersecurity programs. For example, we engage third parties to: monitor our network 24/7/365; escalate security alerts, when applicable; perform penetration testing; conduct social engineering tests; and assist management with technology upgrades/installations. The BISO assists the CRO/CISO in assessing and monitoring information risks posed by third parties and any non-compliance with the controls created to address such risks. With respect to cybersecurity incidents affecting our third-party service providers, the CRO/CISO works with our service providers to understand and document any incidents, along with managing the impact to us and reporting such significant incidents to senior management, ITSC, ERMC, and the Board Risk Committee.
While we believe that our cybersecurity programs are appropriate to our risks, cybersecurity threats are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of Internet banking, mobile banking and other technology-based products and services by us and our customers.
Notwithstanding the investments made in mitigating our cybersecurity risks, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on the Company. As of the date of this filing, the Company is not aware of any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. For further discussion, please see Item 1A. “Risk Factors” for a discussion of cybersecurity risks.