MetroCity Bankshares, Inc. - (MCBS)

10-K Filing Date: March 11, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

Our risk management program is designed to identify, assess, and mitigate risks across various aspects of our company, including financial, operational, regulatory, reputational, and legal. Cybersecurity is a critical component of this program, given the increasing reliance on technology and the potential for cyber threats. Our Information Security Officer is primarily responsible for the cybersecurity component of our risk management program and is a key member of the risk management organization, reporting directly to the Chief Executive Officer and, as discussed below, periodically to the Technology Committee of our board of directors.

Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse our systems or information. The structure of our information security program is designed around the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, regulatory guidance, and other industry standards. In addition, we leverage certain industry and government associations, third-party benchmarking, audits, and threat intelligence feeds to facilitate and promote program effectiveness. Our Information Security Officer, who reports directly to our Chief Executive Officer, along with key members of their team, regularly collaborate with peer banks, industry groups, and policymakers to discuss cybersecurity trends and issues and identify best practices. The information security program is periodically reviewed by such personnel with the goal of addressing changing threats and conditions.

We have established processes and systems designed to assess, identify, manage, and mitigate cybersecurity risk and threats, including regular and ongoing education and training for employees, such as information security awareness training, preparedness simulations and tabletop exercises, and recovery and resilience tests. We employ a variety of preventative and detective tools designed to monitor and block suspicious activity and to identify cybersecurity threats. We continue to strengthen the management and oversight of cybersecurity risks through new security system enhancements, policies, testing, identification and reporting. We engage in regular assessments of our infrastructure, software systems, and network architecture, using internal cybersecurity professionals and third-party specialists. We also engage a third party to perform penetration testing and ongoing analysis to identify potential vulnerabilities and areas for additional enhancement. We also maintain a third-party risk management program designed to identify, assess, and manage risks, including cybersecurity risks, associated with third-party service providers. We also monitor our email gateways for malicious phishing campaigns and monitor remote connections for cybersecurity threats. We leverage internal and external auditors and independent external partners to periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and make recommendations to strengthen our risk management program.

We maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification of and escalation to senior management and the Technology Committee of our board of directors, as well as the full board of directors. The Incident Response Plan is coordinated through the Information Security Officer and key members of management are embedded into the Plan by its design. The Incident Response Plan facilitates coordination across multiple parts of our organization and is evaluated at least annually.

We have not experienced a cybersecurity incident, or identified risks from known cybersecurity threats or prior cybersecurity incidents, that have materially impacted our business strategy, results of operations, or financial condition. Despite our efforts, there can be no assurance that the cybersecurity risk management processes and measures described above will be fully implemented, complied with, or effective in protecting our systems and information. We face risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect our business strategy, results of operations or financial condition. For further discussion of risks from cybersecurity threats, see the section captioned “System failures or breaches of our network security could subject us to increased operating costs as well as litigation and other liabilities” in Item 1A. Risk Factors.

Cybersecurity Governance

Our Information Security Officer directs our enterprise information security department and manages our information security program. The responsibilities of the enterprise information security department include cybersecurity risk assessment and defense, vulnerability assessment, incident prevention, mitigation, response, and remediation, data access governance, third-party risk management, and business resilience. Our Information Security Officer has over ten years of relevant expertise and formal training in the areas of information security and cybersecurity risk management in the financial institutions industry.

The Technology Committee of our board of directors has primary responsibility for overseeing our information security and technology programs, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. Our Information Security Officer provides quarterly reports to the Technology Committee of our board of directors regarding the information security program and the technology program, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity risks and incidents. The Technology Committee also reviews our cybersecurity risk profile on a quarterly basis. The Technology Committee, as well as the full board of directors, reviews and approves our information security and technology budgets and strategies annually. The Technology Committee provides a report of its activities to the full board of directors on a quarterly basis.