Bank of Marin Bancorp - (BMRC)

10-K Filing Date: March 14, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management, Strategy, and Governance

The Company recognizes that the security of our banking operations is critical to protecting our customers and maintaining our reputation. The cybersecurity landscape is constantly evolving. To mitigate these risks, the Company deploys a comprehensive and resilient information security program that consists of a layered security model using industry leading hardware, software, and services to protect customers' and the Bank’s data and to ensure the confidentiality, integrity, and availability of our information systems. This information security program is a critical component of our overall enterprise risk management program.

The Company leverages the following guidelines and frameworks to continue to refine and maintain the information security program: FFIEC Information Security IT Examination Handbook, FFIEC Business Continuity Planning Handbook, FFIEC Cybersecurity Assessment Tool, Center for Internet Security Critical Security Controls, National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Key components of the information security program include:

A risk assessment process that identifies and prioritizes material cybersecurity risks; refines and evaluates the effectiveness of controls to mitigate the risks; and reports results to executive management and the Board of Directors.
A third-party Managed Detection and Response (“MDR”) service, which monitors the security of our network, infrastructure and computer systems 24x7, 365 days a year.
An incident response plan that outlines the steps the Bank will take to respond to a cybersecurity incident, which is tested on a periodic basis.
An annual recurring cybersecurity controls testing program, which includes independent third-party penetration testing, cybersecurity procedures and system testing, and third-party independent network traffic monitoring.
A training and awareness program that educates and tests employees on how to avoid and identify cybersecurity risks.
A cyber security insurance policy that provides coverage for incident response, incident mitigation, and legal support.

The Company engages reputable third-party assessors to conduct various independent risk assessments on a regular basis, including but not limited to maturity assessments and various other tests. Following a defense-in-depth strategy, the Company leverages both in-house resources and third-party service providers to implement and maintain processes and controls to manage the identified risks.

Our vendor management program is designed to ensure that our vendors meet our cybersecurity requirements and manage our third-party risks. This includes conducting periodic risk assessments of critical vendors, requiring vendors to implement appropriate cybersecurity controls, and monitoring vendor compliance with our cybersecurity requirements.

Security controls are employed on all media where information is stored, the systems that process it, and the infrastructure components that facilitate its transmission, to ensure the confidentiality, integrity, and availability of the Bank's and customers' information. These controls include, but are not limited to, access control, data encryption, data loss prevention, incident response, security monitoring, third-party risk management, and vulnerability management.

The Company's cybersecurity risk management program and strategy are regularly reviewed and updated to ensure that they are aligned with the Bank's business objectives and are designed to address evolving cybersecurity threats and satisfy regulatory requirements and industry standards.

The Company’s Board of Directors is charged with overseeing the establishment and execution of the Company’s risk management framework and monitoring adherence to related policies required by applicable statutes, regulations and principles of safety and soundness. Consistent with this responsibility, the Board has primary oversight of cybersecurity risk and cybersecurity risk management and receives reporting from management about material risks from cybersecurity threats. All members of the Board of Directors receive regular updates on cybersecurity risks and incidents from the Information Security Officer (“ISO”) and Chief Information Officer (“CIO”) and annual security awareness training. The Information Security department consists of cybersecurity professionals who assess, identify, and manage cybersecurity risks and are responsible for implementing and maintaining the Company’s cybersecurity risk management program.