Farmers & Merchants Bancshares, Inc. - (FMFG)

10-K Filing Date: March 11, 2024
ITEM 1C. CYBERSECURITY

The Company’s cybersecurity risk program was developed and is maintained to identify, analyze, and remediate the risks that cyber threats pose to our organization, particularly in light of our continually increasing reliance on technology to deliver electronic banking solutions and to support our computer network. The program is overseen and executed by a team of experienced, certified cybersecurity professionals.

 

The objective of our program is to avoid or minimize the impact of external threats and of efforts to disrupt or gain unauthorized access to our computer systems and the confidential customer data stored on them. Our computer environment is aligned with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, banking regulations, and other applicable security industry standards and protocols. We use industry expert vendors to provide 24/7/365 threat intelligence and network security monitoring and to perform periodic risk assessment audits, in addition to the periodic information technology examinations conducted by the FDIC and the Maryland Commissioner. Our President and our Information Technology Security/Compliance Officer provide periodic reports, recommendations, and information about industry best practices to the Board of Directors, the Board’s Audit Committee, and the Bank’s Information Technology Strategic Planning Committee.
Our Information Technology Security/Compliance Officer is primarily responsible for the ongoing review and management of our cybersecurity risk program and provides quarterly reports and other information throughout the year to our President, our Board of Directors, the Board’s Audit Committee and its Executive Committee, and the Bank’s Information Technology Strategic Planning Committee. These reports give them an understanding of our ongoing monitoring activities and our preparedness with respect to cybersecurity risks, so that they can conduct an informed review of the program and direct the implementation of appropriate changes as and when needed.

 

IT Security/Compliance Annual Cybersecurity Risk Assessment (Board Review/Approval)

 

Our Information Technology Security/Compliance Officer completed a comprehensive self-assessment using the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity Assessment Tool (“CAT”). The CAT, developed by the FFIEC, is aligned to the NIST Cybersecurity Framework and is used to identify organizational risks and determine cybersecurity preparedness. These assessments take into account our organizational characteristics and actual and perceived external threats and evaluate, among other things, how those threats could affect, and be affected by, our technologies and connection types, our delivery channels, our online and mobile banking products and other electronic banking services, our risk management oversight and controls, our dependence on outside vendors and how we manage those relationships, and our cybersecurity incident management process. The Company’s third-party information technology network security consultant reviews the completed CAT reports along with our annual information technology risk assessment audit reviews.

 

Cybersecurity Defense Approach

 

We deploy and maintain a layered cybersecurity defense approach to protect our network computer systems, software applications, and stored data and information resources. As a first layer of defense, we employ a multi-faceted firewall and replication of primary and backup servers in our computer network. The Company receives daily and weekly reports and cybersecurity activity alerts, which are reviewed by our network administration management team. Our President and our Information Technology Security/Compliance Officer present quarterly Customer Data & Information Systems Security Program report updates to our boards of directors and their joint Executive Committee.

 

Third-Party Vendor Management

 

In accordance with the FDIC’s information technology (“IT”) compliance requirement for an annual vendor risk management program, the Bank developed a vendor management policy and performs an annual risk assessment review. This comprehensive review of mission-critical banking industry and network security vendors includes an annual review of vendor compliance reports prepared by accounting and audit firms, a review of each vendor’s annual financial reports, and risk assessment reviews covering vendor performance, information technology compliance, operations, quality of service and support, contractual compliance, and business resumption contingency plans. These annual vendor management risk assessments are prepared by the Bank’s designated Information Technology Security/Compliance Officer for review and authorization by the Bank’s President and senior information technology management, with final presentation, review, and approval by the Board of Directors.

Complementing the Bank’s vendor risk assessment review and program are additional risk assessment evaluations, including the FDIC Risk Assessment, which encompasses a network systems risk assessment, a customer information systems risk assessment, and an electronic banking vendor management risk assessment. Additionally, the Bank maintains a disaster recovery policy and conducts annual disaster recovery testing of its mission-critical software vendor applications. It also performs an annual business impact analysis that places each mission-critical vendor in a prioritized hierarchy of hardware and software restoration relative to specified recovery time objectives and recovery point objectives, in accordance with the FDIC’s information technology compliance requirements.

 

Incident Response Program

 

In accordance with the FDIC’s requirement for an annually reviewed IT incident response policy, the Bank maintains an incident response and computer forensics policy. This policy is reviewed annually, updated as necessary by the Bank’s President and its Information Technology Security/Compliance Officer, and then presented for review and approval by the Bank’s Board of Directors. The policy is also reviewed as part of the annual network security risk assessment audit conducted by the Bank’s IT security consultant, and by the FDIC and the Maryland Commissioner during their IT examinations. The Bank has established incident alert levels, response and recovery timeframes, and computer forensics procedures for cybersecurity attacks, breaches of sensitive data, and system failures and alerts, together with corresponding notification procedures for customers and key contacts, including regulators, vendors, local authorities, and bank directors and employees. The Bank annually contracts with a third-party industry expert vendor to provide computer forensics guidance and escalated support in the event of a cybersecurity incident, when that vendor’s expertise and resources are needed.
Security Awareness and Training

 

The Bank maintains a program, led by our Information Technology Security/Compliance Officer, that is intended to comply with the FDIC’s requirement for annual network security training of all employees. This training program includes a comprehensive network security overview with phishing and ransomware awareness training, a summary review of the Bank’s disaster recovery and pandemic plans, and an annual renewal and acknowledgment of the employee network acceptable use policy. In addition, the Bank’s IT management and network administrators attend periodic training programs and pursue certifications, review regulatory compliance and industry IT security briefs, and participate in vendor application quality assurance reviews. Finally, on our dedicated website we provide our customers with information about cybersecurity awareness, electronic banking security practices, phishing and malware awareness, and scams targeting customers.