CAMBRIDGE BANCORP - (CATC)

10-K Filing Date: March 12, 2024
Item 1C. Cybersecurity.

Risk Management and Strategy

The Company maintains robust processes for assessing, identifying and managing material risks from cybersecurity threats. The Company’s cybersecurity program is based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, as well as the GLBA, and the risk of cybersecurity threats is integrated into the Company’s Enterprise Risk Management (“ERM”) program, governed by the Board-level Risk Committee. The ERM program includes an annual risk prioritization process to identify key enterprise risks. Each key risk is assigned risk owners to establish action plans and implement risk mitigation strategies. The cybersecurity threat risk action plan is managed at the enterprise level and led by the Director of Information Security. Periodically, the risk owners review and update the cybersecurity threat risk action plan to provide the status of specific risk mitigation actions and to identify new threats. To oversee and identify cybersecurity threat risks on a day-to-day basis, including from third-party service providers, the Company maintains a security operations center with round-the-clock monitoring, and the Director of Information Security along with the Chief Information Officer (“CIO”) receives regular reports on industry activity. Management also assesses the cybersecurity proficiency of potential third-party vendors and cloud suppliers before utilizing their services. The assessment identifies cybersecurity-related risks and includes recommendations to enhance the security of new cloud computing services. The Company reassesses cloud suppliers quarterly.

The Company works to continually assess, identify and manage cybersecurity risks. In addition, the Company engages with third-party cybersecurity specialists to provide an independent assessment of the Company’s cybersecurity programs to maintain compliance and operational excellence. Management periodically reviews operational plans and modifies them in response to changes in the threat landscape and otherwise as needed. Management has not identified risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. See “Item 1A. Risk Factors” above for more information.

Governance

The Board of Directors is responsible for overseeing the assessment and management of enterprise-level risks that may impact the Company. The Risk Committee has primary responsibility for overseeing risk management, including oversight of risks from cybersecurity threats. Management, including the CIO and Director of Information Security, reports on cybersecurity matters at least quarterly to the Board, primarily through the Risk Committee, including an annual report regarding specific risks and mitigation efforts within the Company. Management provides benchmarking information and updates on key operational and compliance metrics to the Board. In addition, cybersecurity training is provided to the full Board, including training by third-party experts, to educate directors on the current cyber threat environment and the measures companies can take to mitigate the risks and impact of cyber attacks.

The Company maintains a Cybersecurity Incident Response Plan (the “CSIRP”), which establishes an organizational framework and guidelines intended to facilitate an effective response to and handling of cybersecurity incidents that could jeopardize the availability, integrity, or confidentiality of Cambridge Trust Company’s assets. The CSIRP outlines roles and responsibilities, criteria for measuring the severity of a cybersecurity incident, and an escalation framework, including processes for informing legal counsel and the Board of Directors of material cybersecurity incidents. As described above, management is actively involved in assessing and managing the Company’s material cybersecurity risks. The CIO, the Director of Information Technology and the Director of Information Security primarily lead these efforts. The CIO, who reports directly to the CEO, is responsible for the oversight of the Company’s entire information technology operations. The Director of Information Security reports directly to the Risk Committee and has responsibility for leadership of the Company’s cybersecurity program.