HERITAGE COMMERCE CORP - (HTBK)

10-K Filing Date: March 09, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

Our cybersecurity program provides what we believe is an effective level of protection of client information and of our operating systems while also promoting the timely detection of, and defense against, cyberattacks and other unauthorized access to our information technology (“IT”) systems. In order to accomplish these goals, we invest heavily in up-to-date information security and monitoring controls, which we believe provide the best mechanism to mitigate cybersecurity risks and threats. At the same time, cyberattacks are becoming increasingly common, sophisticated and destructive, and several highly sophisticated financial institutions have been successfully targeted in recent years, leading to significant losses of client data, denials and loss of online banking and other data services, and other critical functions that have become essential to modern banking. In order to mitigate these risks and the potential harm that may result, our Chief Information Security Officer, who reports directly to the Chief Information Officer and who reports regularly to our Board’s Audit Committee, oversees certain policies and procedures that are intended to guard against, detect, and respond to potential breaches of our IT systems. We also maintain and periodically review our cybersecurity disclosure procedures to assure the timely compliance with the Company’s obligations under Item 1.05 of Form 8-K.

Managing Material Risks & Integrated Overall Risk Management

We have strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. Our Company’s Corporate Security Handbook and Information Security Program are the guiding policies over our cybersecurity risk management. Additionally, our IT team uses industry-leading tools to help protect stakeholders against cybercriminals. We leverage the latest encryption practices and cyber technologies on our systems, devices, and third-party connections and further review vendor encryption to ensure proper information security safeguards are maintained. Our Company team members are responsible for complying with our cybersecurity standards and complete training to understand the behaviors and technical requirements necessary to keep information secure.

Engaging Third Parties for Risk Management

We recognize the complexity and evolving nature of cybersecurity threats, which is why we engage a range of external experts, including cybersecurity consultants, in evaluating and testing our risk management systems. Our IT security team partners with third parties to perform annual penetration testing, vulnerability scanning, and monitoring of any potentially suspicious activity across the Company.

Oversight of Third-party Risk

The Company’s Third-Party Relationship Risk Management (“TPRM”) Policy governs all aspects of third-party risk management. The Board has ultimate responsibility for providing oversight for third-party risk management and holding management accountable. The Board provides clear guidance to the Audit Committee and management regarding the Company’s strategic goals and acceptable risk appetite with respect to third-party relationships. The Board reviews the TPRM Policy on at least an annual basis and ensures that appropriate implementation procedures and practices have been established by management. The Chief Risk Officer is responsible for development and implementation of third-party risk management policies, procedures, and practices, commensurate with the Company’s strategic goals, risk appetite and the level of risk and complexity of its third-party relationships. The Chief Risk Officer periodically provides reports to the Audit Committee on third-party risk management activities. The Company’s Internal Audit department determines the frequency and scope of independent third-party audits of the TPRM program and its effectiveness.

The Company recognizes that not all third-party relationships present the same level of risk, and therefore not all third-party relationships require the same level, degree or type of oversight or risk management. As part of its risk management program, management analyzes the specific risks associated with each third-party relationship, including but not limited to, cybersecurity and information security related risks.

Risks from Cybersecurity Threats

We have not encountered cybersecurity risks or threats that have materially impaired our business strategy, results of operations, or financial condition.

Governance

The Board recognizes the importance of managing risks associated with cybersecurity threats. The Board has established robust oversight procedures to promote effective governance in managing cybersecurity risks because of the significance of these threats to our operational integrity and shareholder confidence.

Board of Directors Oversight

The Audit Committee is central to the Board’s oversight of cybersecurity risks. The Audit Committee currently oversees risks relating to cybersecurity, technology, and finance, and in support of this objective has designated an ad hoc committee consisting of both Committee members and non-Committee member directors so as to ensure that the Board maintains the expertise appropriate to the management of cybersecurity risk. The Audit Committee reports periodically to the Board on the effectiveness of cybersecurity risk management processes and cybersecurity risk trends. The Board also receives specific reports from senior management with oversight responsibility for cybersecurity risks within the Company. These reports include cybersecurity and related risks and our exposure to those risks. The Audit Committee conducts an annual review of the Company’s cybersecurity posture and the effectiveness of its risk management strategies. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.

Management’s Role in Managing Risk

The Chief Information Security Officer plays a pivotal role in informing the Audit Committee on cybersecurity risks. He reports quarterly to the Audit Committee on a range of topics, including:

Current cybersecurity landscape and risks;

Status of ongoing cybersecurity incidents, threats and strategies;

Cybersecurity incident reporting and post-incident reviews; and

Compliance with regulatory requirements and evolving industry trends.

The Chief Information Security Officer reports to the Chief Information Officer, has a dotted line to the Chief Executive Officer, and maintains independence in reporting on the status and impact of any information security related developments and strategic initiatives to the Audit Committee and, depending on the severity of the situation, directly to the Board of Directors. In addition to regular meetings, the Audit Committee, Chief Information Security Officer, Chief Information Officer, Chief Risk Officer and Chief Executive Officer maintain an ongoing dialogue regarding emerging or potential cybersecurity risks that we face, particularly as a financial institution. The Company’s internal Risk Management Steering Committee also reports directly to the Audit Committee regarding our risk management initiatives. The Audit Committee also receives quarterly reports from the Risk Management Steering Committee, the Company’s Internal Audit department, and the IT department in order to stay informed on all aspects of cybersecurity risk affecting the Company.

Risk Management Personnel

Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with our Chief Information Security Officer, who has more than 20 years of cybersecurity experience working with large financial institutions and actively maintains multiple information security certifications. Additionally, our Chief Information Security Officer oversees our cybersecurity incident disclosure and communications. Our Chief Risk Officer separately chairs our Risk Management Steering Committee. Our Chief Risk Officer has served in her position since 2014 and is an accomplished banking professional with more than 40 years of experience in compliance and risk management.

Monitoring Cybersecurity Incidents

The Company monitors cybersecurity events using multiple methods. The Company’s 24/7 Security Operations Center (“SOC”) has the ability to detect and respond to threats in real time and is authorized to shut threats down before they can harm the organization. Additionally, the SOC periodically performs proactive “threat hunts,” searching for potential indicators of compromise and bad actors on our network. Endpoint and network detection tools alert IT staff to security events that warrant further analysis. The Chief Information Security Officer is kept abreast of all active investigations. If an incident is identified, we attempt to contain the threat immediately, for example by taking systems offline to stop the spread of an attack. Eradication of an attacker’s artifacts, such as user accounts and malicious code, would then be performed. The Company maintains Business Continuity and Disaster Recovery plans, processes, and technology to restore systems affected by a cybersecurity incident. The Chief Information Security Officer may determine that an incident has the potential to be materially relevant and would escalate that determination to the Cybersecurity Incident Disclosure Team, composed of senior leaders, including the Chief Executive Officer, Chief Risk Officer, Chief Information Officer, Chief Financial Officer, outside counsel and other leaders and advisors of the Company. In addition, we maintain insurance that we believe is customary against certain insurable cybersecurity risks. However, certain aspects of cybersecurity risks are not insurable, and the availability, extent, and cost of coverage may limit our recourse to these sources of risk mitigation.

Reporting to Board of Directors

The Chief Information Security Officer, in his capacity as such, regularly reports to management and the Audit Committee on all aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept informed of our cybersecurity and the potential risks we face. In the event of certain cybersecurity matters which present increasing concern, our policies require escalating these cybersecurity and risk management decisions to the full Board.