Meridian Corp - (MRBK)

10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity
We have taken a cross-departmental approach to addressing cybersecurity risk, including input from employees and our Board of Directors (the "Board"). The Board, Audit Committee, senior management and the IT Steering Committee (a task force comprised of senior representatives from all functional areas of the bank) devote significant resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and mitigation. Our information technology (IT) security team reviews enterprise risk management-level cybersecurity risks annually, and key cybersecurity risks are incorporated into the IT Steering Committee’s framework. In addition, we have a set of Company-wide policies and procedures concerning cybersecurity matters, which include an IT security manual as well as other policies that directly or indirectly relate to cybersecurity, such as policies related to encryption standards, antivirus protection, remote access, multifactor authentication, confidential information and the use of the internet, social media, email and wireless devices. These policies go through an internal review process and are approved by appropriate members of management. We have designed our enterprise-wide information security programs consistent with industry standards using the National Institute of Standards and Technology Cybersecurity Framework.
The Corporation’s Information Security Officer is responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Board. Our Information Security Officer has over a decade of experience leading cybersecurity oversight, and others on our IT security team have cybersecurity experience or certifications. We view cybersecurity as a shared responsibility, and we periodically perform simulations and tabletop exercises at a management level and incorporate external resources and advisors as needed. All employees are required to complete cybersecurity training on an annual basis and have access to more frequent cybersecurity training online. We also require employees in certain roles to complete additional role-based, specialized cybersecurity training.
We have continued to expand investments in IT security, including additional end-user training, using layered defenses, identifying and protecting critical assets, strengthening monitoring and alerting, and engaging experts. We regularly test defenses by performing simulations and drills at a technical level (including through penetration tests) and by reviewing our operational policies and procedures with third-party experts. At the management level, our IT security team regularly monitors alerts and meets to discuss threat levels, trends and remediation. The team also prepares a monthly cyber scorecard, regularly collects data on cybersecurity threats and risk areas and conducts an annual risk assessment. Further, we conduct periodic external penetration tests and maturity testing to assess our processes and procedures and the threat landscape. These tests and assessments are useful tools for maintaining a robust cybersecurity program to protect our investors, customers, employees, vendors, and intellectual property. In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with the use of third-party service providers. Our Internal Audit team conducts an annual review of third-party hosted applications with a specific focus on any sensitive data shared with third parties. The internal business owners of the hosted applications are required to document user access reviews at least annually and to obtain from the vendor a System and Organization Controls (SOC) 1 or SOC 2 report. If a third-party vendor is not able to provide a SOC 1 or SOC 2 report, we take additional steps to assess their cybersecurity preparedness and assess our relationship on that basis. Our assessment of risks associated with the use of third-party providers is part of our overall cybersecurity risk management framework.
The IT Steering Committee and the full Board actively participate in discussions with management regarding cybersecurity risks. The IT Steering Committee performs an annual review of the Corporation’s cybersecurity program, which includes discussion of management’s actions to identify and detect threats, as well as planned actions in the event of a response or recovery situation. The IT Steering Committee’s annual review also includes review of recent enhancements to the Corporation’s defenses and management’s progress on its cybersecurity strategic roadmap. In addition, the Board receives quarterly cybersecurity reports, which include a review of key performance indicators, test results and related remediation, and recent threats and how the Corporation is managing those threats. Further, at least annually, the Board receives updates on the Corporation’s Incident Response Plan, which covers, among other things, potential cybersecurity incidents, data privacy and its compliance programs. To aid the Board with its cybersecurity and data privacy oversight responsibilities, the Board periodically hosts experts for presentations on these topics.
We face a number of cybersecurity risks in connection with our business. Although such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have, from time to time, experienced threats to and breaches of our data and systems, including malware and computer virus attacks. For more information about the cybersecurity risks we face, see the risk factor entitled “The occurrence of fraudulent activity, breaches or failures of our information security controls or cybersecurity-related incidents could have a material adverse effect on our business, financial condition or results of operations” in Item 1A - Risk Factors.