Merchants Bancorp - (MBIN)

10-K Filing Date: March 12, 2024
Item 1C. Cybersecurity.

Privacy and Cybersecurity

Merchants Bank is subject to many U.S. federal and state laws and regulations governing requirements for maintaining policies and procedures to protect non-public confidential information of their customers. These laws require banks to periodically disclose their privacy policies and practices relating to sharing such information and permitting customers to opt out of their ability to share information with unaffiliated third parties under certain circumstances. They also impact a bank’s ability to share certain information with affiliates and non-affiliates for marketing and/or non-marketing purposes, or to contact customers with marketing offers. In addition, banks are required to implement a comprehensive information security program that includes administrative, technical, and physical safeguards to ensure the security and confidentiality of customer records and information.

Risk Management and Strategy

To combat the ever-present cyber risks, the Company maintains a comprehensive Information Security Program (“ISP”), which includes annual risk assessments, an Incident Response Plan, and a layered control environment meant to protect, detect, respond, and limit unauthorized or harmful actions across our information technology environment. Standards over information security are Board-approved, and various types of control testing are conducted throughout the year by internal and external parties. Recommendations are implemented and reported to various committees. These security and privacy policies and procedures, for the protection of personal and confidential information, are in effect across all businesses and geographic locations. Board-approved policies are in place to effectively mitigate risks linked to third-party service providers, encompassing factors such as availability, confidentiality, governance, and compliance.

The Company employs a defense-in-depth posture, designed to safeguard information, prevent unauthorized access, detect and respond to threats, and maintain the confidentiality, integrity, and availability of data. The ISP establishes controls across many domains including but not limited to: Information Security Governance, Inventory and Control of Enterprise Assets and Software, Data Protection, Secure Configuration of Enterprise Assets and Software, Account and Access Control Management, Continuous Vulnerability Management, Audit Log Management, Email and Web Browser Protections, Malware Defenses, Data Recovery, Network Infrastructure Management, Network Monitoring and Defense, Security Awareness and Skills Training, Service Provider Management, Application Software Security, Incident Response Management, and Penetration Testing.

Recognizing people as a key component of an effective information security program, the Merchants Information Security Program strives to enhance education and awareness at all levels of the Company. One critical component of education and awareness is an internal cybersecurity committee, comprised of employees from all levels and departments, who act as embedded security representatives for their business units.

However, it is difficult or impossible to defend against every risk posed by changing technologies and by criminals intent on committing cyber-crime. The increasing sophistication of criminal organizations and advanced persistent threats makes keeping up with new threats difficult and could result in a breach. Controls employed by our information technology department and cloud vendors could prove inadequate. A breach of our security that results in unauthorized access to our data could expose us to a disruption of, or challenges relating to, our daily operations, as well as to data loss, litigation, damages, fines and penalties, significant increases in compliance costs, and reputational damage, any of which could have an adverse effect on our business, financial condition, and results of operations. The Company has set the conditions to quickly respond to a cyber incident, ensuring a resilient digital environment.

Governance

The Board established an IT Committee to assist executive management and the Board of Directors of the Bank in fulfilling their oversight responsibilities related to information security. The IT Committee membership includes senior management from business units, as well as information security risk experts such as the Information Security Officer, experts from Enterprise Risk Management and Internal Audit, and Information Technology leaders. At the IT Committee meetings, security-related policies and standards are reviewed and approved, annual risk assessment results and action plans are noted, annual penetration test reports are shared, current security incidents are discussed, emerging threats are reported on, and relevant cyber risks and trends are presented. The IT Committee is responsible for governing the assessment and treatment of cyber risks. The Committee reports its activities, key conclusions, and recommendations to the Board on a quarterly basis.

The Chief Administrative Officer is responsible for the appointment of the Information Security Officer. The Information Security Officer serves as the focal point for the information security program and is responsible and accountable for its implementation and monitoring, and for the management of the Information Security team. The current Information Security Officer has over a decade of experience in the cybersecurity field, including critical roles in security operations, security governance, risk, and compliance, and cyber threat intelligence. They hold multiple industry-leading certifications, including nine Global Information Assurance Certifications (“GIAC”), the Certified Information Systems Security Professional (“CISSP”) from the International Information System Security Certification Consortium (“ISC2”), and a Master of Engineering in Cybersecurity Policy and Compliance.

The Information Security Officer presents an Annual Information Security Review to the Board which summarizes the previous year’s threat landscape, risk assessment, service provider and audit testing activities, results of security incidents, information security program changes, and future strategies and recommendations.