SHORE BANCSHARES INC - (SHBI)
10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
The Company recognizes the security of our banking operations is essential to protecting our customers, maintaining our reputation, and preserving the value of the Company. The Board of Directors, through the Board Risk Oversight Committee, provides direction and oversight of the enterprise-wide risk management framework of the Company, and cybersecurity represents a component of the Company’s overall approach to enterprise-wide risk management. The Enterprise Risk Management Program establishes policies and procedures for assessing the effectiveness and efficiency of information security controls related to both design and operations. The Company leverages the following guidelines and frameworks to develop and maintain its Information Security Program, including its cybersecurity risk management program: the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool and the GLB Act and its regulations. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach focused on the confidentiality, security and availability of the information that the Company collects and stores by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents that may occur.
As one of the elements of the Company’s overall enterprise-wide risk management approach, the Enterprise Risk Management Program is focused on the following key areas:
• Security Operation and Governance: As discussed in more detail under the section titled “Governance,” the Board Risk Oversight Committee has delegated to senior management responsibility for managing the Enterprise Risk Management Program. Senior management carries out this mandate through the Strategic Initiatives and Board Risk Oversight Committees. To maintain alignment and appropriate insight regarding information security activities, a bi-weekly operational committee provides general program insight.
• Collaborative Approach: The Company has implemented a cross-functional approach to identifying, assessing, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management.
• Security Competencies: The organization oversees a program of security competencies and tools designed to evaluate security risks and to protect the confidentiality, integrity and availability of our information systems and data. These assets represent a blend of various management (e.g., policies), operational (e.g., standards and processes), and technical controls (e.g., tools and configurations).
• Cyber Defense and Incident Response Plan: The Company utilizes sophisticated security monitoring and detection tools for continuous monitoring of our information systems 24 hours per day, seven days per week. The Company utilizes third-party tools and solutions to actively deliver threat analysis, vulnerability management, intrusion detection, intrusion hunting and red team exercises. We also receive the latest cybersecurity alerts and threat intelligence from government agencies and information sharing and analysis centers. The Company’s Incident Response Plan helps reduce the risks related to security incidents by providing guidance on our response to incidents by focusing on the coordination of personnel, policies, and procedures to ensure incidents are detected, analyzed and managed.
• Third-Party Risk Management: Management of the Company’s third parties, including vendors and service providers, is conducted through a risk-based approach, and the level of due diligence is driven by risk factors established by the Vendor Management Program. The process provides awareness and collaboration across all internal teams, including Information Technology and Risk Management. A review process is conducted on new or significantly changed key third parties to ensure certain cybersecurity baseline requirements are met and cybersecurity incidents are appropriately disclosed. This process is aimed at advocating for appropriate standards and controls, based on risk factors, to secure the third parties’ information systems, and to ensure the third parties have recovery plans in place.
• Security Awareness and Education: The Company provides annual, mandatory training for personnel regarding security awareness as a means to equip the Company’s personnel with the understanding of how to properly use and protect the computing resources entrusted to them, and to communicate the Company’s information security policies, standards, processes and practices.
The Company leverages continuous monitoring and regular risk assessments to identify the Company’s current and potential cybersecurity risks. Technical vulnerabilities are identified using automated vulnerability scanning tools, penetration testing, and system management tools, whereas non-technical vulnerabilities are identified via process or procedural reviews. The Company conducts a variety of assessments throughout the year, both internally and through third parties. Vulnerability assessments and penetration tests are performed on a regular basis to provide the Company with an unbiased view of its environment and controls. Vulnerabilities identified during these assessments are inventoried in a centralized tracking system and reported to management on a regular basis. A multi-step approach is applied to identify, report and remediate these vulnerabilities, and the Company adjusts its information security policies, standards, processes and practices as necessary based on the information provided by these assessments. The results of key assessments are reported in summary to the Board Risk Oversight Committee.
The Company engages third parties on a regular basis to assess, test and assist with the implementation of our cybersecurity program to detect and manage cybersecurity risks, including but not limited to third parties who assist with monitoring our information security systems and auditors who assist with conducting penetration tests.
Cybersecurity Governance
The Board of Directors, through the Board Risk Oversight Committee, provides direction and oversight of the enterprise-wide risk management framework of the Company, including the management of risks arising from cybersecurity threats. The Board Risk Oversight Committee reviews and approves the Information Security Policy, which includes the Company’s cybersecurity risk management program. The Board of Directors receives regular presentations and updates on cybersecurity risks, including the threat environment, evolving standards, projects and initiatives, risk and vulnerability assessments, independent audit reviews, and technological trends. The Board of Directors also receives information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. On an annual basis, the full board of directors discusses the Company’s approach to cybersecurity risk management.
The Information Security Officer, under the guidance of our Chief Risk Officer and Operational Risk Manager, works collaboratively across the Company to implement a program designed to protect the Company’s information systems and data from cybersecurity risks. The Information Security Officer is responsible for assessing and managing cybersecurity risks, responding to any cybersecurity incidents in accordance with the Company’s Incident Response Plan and Business Continuity Plan, and reporting incidents to appropriate personnel at the Company in accordance with the Incident Response Plan. To facilitate the success of the Company’s cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. The Information Technology and the Operational Risk Management teams monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents and report such threats and incidents to the Information Security Officer and Chief Information Officer and ultimately the Board Risk Oversight Committee when appropriate. The Information Security Department has over three decades of experience in managing Information Security and Cybersecurity programs at financial institutions. The Information Security Officer holds the Certified Information Security Manager Certification and is supported by additional team members with extensive backgrounds in cybersecurity and related fields.
Notwithstanding our efforts at cybersecurity, the Company cannot guarantee that it will be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on it. To our knowledge, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including its business strategy, results of operations or financial condition. With regard to the possible impact of future cybersecurity threats or incidents, see Item 1A, Risk Factors – Risks Related to Our Business.