Sterling Bancorp, Inc. - (SBT)

10-K Filing Date: March 14, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

We have established an Information Security department within our Risk Management department that is independent of the Information Technology department. Furthermore, we have a documented Information Security Strategy that guides the Information Security teams and business departments across the Company. The Information Security Strategy incorporates the external landscape, risk assessments, Company’s strategy, information technology strategy and other inputs.

Our appetite for cybersecurity risk is established within our enterprise risk appetite. We undertake an information technology risk assessment annually. This assessment considers our information assets, the potential threats/risks to those assets and the effectiveness of existing controls to identify and assess inherent and residual levels of information security risks. This assessment also identifies any control gaps that may exist and informs appropriate mitigation strategies to conform to our appetite for cybersecurity risk. Remediation plans for any identified gaps are monitored by management quarterly. Results from this risk assessment may result in changes to the Information Security Strategy and information security budget. Annually, we engage a third-party audit firm specializing in information technology audits to review the risk assessment and our Information Security Program overall as part of our information technology general controls audit.

We have, from time to time, experienced cybersecurity incidents. These incidents have not materially affected our business strategy, results of operations or financial condition. We are not currently aware of any cybersecurity incidents that would have a material effect on our business strategy, results of operations or financial condition.

We use a security framework to guide our overall security posture, which has helped us develop and enhance our Information Security Policy, Incident Response Policy and Business Continuity Policy. These policies guide us in our effort to manage and control information technology risk and to define and communicate information security responsibilities and accountability throughout the Company. These policies also set the requirements to help ensure that we safeguard our data and information systems to reduce risk and minimize the effect of potential incidents. These policies are supported by written standards and procedures that ensure conformity with the policies that the board of directors has set forth.

Pursuant to our Incident Response Policy, we have adopted a written Incident Response Plan that documents employee and management responsibilities, incident classifications and the procedures to be followed during a cybersecurity incident. The Incident Response Plan is tested annually through a tabletop exercise led by a third-party vendor who assists in developing and executing the exercise.

We have a documented Third-Party Risk Management Policy and Program to ensure that our vendor relationships are assessed, monitored and documented appropriately. It is our policy to exercise appropriate oversight and risk management of the activities conducted through significant third-party relationships, taking into consideration the nature, magnitude, complexity and risk potential of the arrangement. Vendors are monitored for cybersecurity issues during the initial onboarding processes and on an ongoing basis. We may review or require a SOC 2 Type 2 report, cybersecurity controls, cyber insurance and monitoring frequency depending on our assessment of the risk of any vendor.

Management performs ongoing monitoring of the Information Security Program with a range of reports and tools that are commensurate with our risk profile. These reports and tools ensure the program continues to comply with all policies related to information technology risk and information security.

We have engaged a third-party provider that manages and monitors our Security Operations Center, including our firewall and intrusion detection and prevention system. Additionally, management has engaged a separate vendor to monitor and manage endpoint detection and response applications on all Company devices, including workstations, laptops and servers.

Additional controls include vulnerability scanning, identity and access management, mobile device management and other various security controls. We also conduct periodic phishing tests and social awareness training for all employees, which include how to report and escalate suspected incidents.

Information security metrics are reported quarterly to the Information Technology Steering Committee, the Enterprise Risk Management Committee and the Board Risk Committee to provide evidence of the effectiveness of these controls and tools. Any identified specific gaps in the controls are sent to management quarterly until resolved.

Cybersecurity Governance

Cybersecurity risks and activities are reported quarterly to the Information Technology Steering Committee and the Enterprise Risk Management Committee. The Bank’s chief risk officer and interim chief information officer are part of the Information Technology Steering and Enterprise Risk Management Committees. The Bank’s chief risk officer has over 15 years of experience managing the supervision of Information Security risks for financial institutions. The Bank’s interim chief information officer has over 30 years of experience managing technology.

We have also employed a chief information security officer who reports to the chief risk officer. The chief information security officer is responsible for information security, information technology risk management, vendor management and business continuity programs. The chief information security officer holds a graduate degree in cybersecurity and numerous information security certifications, including certified information systems security professional, certified information security manager, certified cloud security professional and qualified technology expert. Additionally, the chief information security officer has worked in the information security field for over 20 years within several financial institutions, implementing cybersecurity strategies, programs, policies and procedures.

Our Board Risk Committee generally meets quarterly and is responsible for overseeing cybersecurity risk and our information security program, including cybersecurity, and ensuring the continued development of the program as the Company grows and cyber and information risk exposures change. At each Board Risk Committee meeting, the chief information security officer presents information security metrics and any updates to the Information Security Program. New and changing cybersecurity risks are discussed when needed. The chair of the Board Risk Committee also serves as a board member and previously served as the chair and interim chief executive officer of the Information Systems Audit and Control Association. As a board member of the Information Systems Audit and Control Association, she is a member of their Audit and Risk Committee, Compensation and Human Capital Committee and Governance and Nominating Committee. All cybersecurity-related policies are reviewed and approved annually by the chief information security officer, chief risk officer, Enterprise Risk Management Committee, Board Risk Committee and the board of directors.