MVB FINANCIAL CORP - (MVBF)

10-K Filing Date: March 12, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

Cybersecurity threats are inherent in the banking and financial services industry. To safeguard our customers' sensitive data, financial transactions, information systems and information assets, we have established a comprehensive cybersecurity risk management program that is part of our enterprise risk management strategy. Our risk management team oversees the program and regularly collaborates with our information security function, led by our Chief Security Officer, to gather insights for identifying, assessing and managing cybersecurity threat risks, their severity, and potential mitigations.

As part of our strategy, we also leverage reputable third-party service providers to implement and maintain processes and controls to manage identified risks. We perform rigorous due diligence before onboarding and engage in ongoing monitoring of all third parties with access to our information assets to ensure such parties maintain adequate security controls. Our security practices also include continuous threat monitoring and detection services as well as a vulnerability and patch management process to ensure systems are hardened to further protect our critical information assets.

Furthermore, we are consistently broadening our scope of training and awareness practices to alleviate potential risks associated with human error, including mandatory computer-based training, internal communications, and frequent phishing awareness campaigns.

Apart from the measures implemented to decrease the possibility of a material cyberattack being successful, we have created clear incident response protocols to deal with any cyber events that may arise. Our program provides for the coordination of different corporate functions and serves as a framework for the execution of responsibilities across businesses and operational roles. Our incident response plan includes processes to triage, assess severity for, escalate, contain, investigate, and remediate any incidents. Testing, training and exercising of our incident response capabilities are carried out routinely and After Actions Reports are prepared to continuously improve these practices. We also have processes to evaluate potential disclosure, comply with applicable legal obligations, and mitigate reputational damage.

Based on the information we have as of the date of this Annual Report on Form 10-K, we do not believe any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition.

Governance

Oversight of cybersecurity matters is the responsibility of the Risk & Compliance Committee, which is a board committee, with oversight from the Board of Directors.

The Risk & Compliance Committee receives regular updates on cybersecurity risks and incidents and the cybersecurity risk management program through direct interaction with the Chief Information Officer and provides periodic updates regarding cybersecurity risks and the cybersecurity risk management program to the full Board of Directors. Our Chief Information Officer has significant experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs and managing compliance environments.

