NORTHRIM BANCORP INC - (NRIM)

10-K Filing Date: March 08, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy

The Company continuously monitors its information systems to proactively identify, assess, and manage risks from vulnerabilities and cybersecurity threats. The Company’s process for identifying and assessing material risks from cybersecurity threats operates alongside the Company’s broader overall risk assessment process. The Company’s Computer Security Incident Response Team immediately investigates system alerts that may indicate the presence of a cybersecurity threat or incident and escalates information regarding the threat or incident as necessary to address it in a timely manner. The Company also maintains a computer security incident response plan with formalized workflows and playbooks. The computer security incident response plan, among other things, provides for inter-departmental coordination and management of cybersecurity threats or incidents to quickly assess the impact, mitigate risks to information systems, and work to resolve vulnerabilities. We periodically conduct simulation exercises involving employees at various levels of the organization. We also engage external partners to conduct annual audits of our systems, test our systems infrastructure, and suggest improvements. Through these channels and others, we work to proactively identify potential vulnerabilities in our information security systems. Senior management meets regularly with the Company’s risk-management team and internal and external auditors to evaluate the effectiveness of the Company’s systems, controls, and management processes with respect to cybersecurity risks. The results of key assessments are reported in summary to the Board of Directors periodically.

We also recognize that we are exposed to cybersecurity threats associated with our use of third-party service providers. To minimize the risks and vulnerabilities to our own systems stemming from such use, our Cybersecurity Program Manager and other subject matter experts monitor and identify known cybersecurity threats and incidents at third-party service providers on a regular basis. In addition, we strive to minimize cybersecurity risks when we first select or renew a vendor by including cybersecurity risk as part of our overall vendor evaluation and due diligence process. A vendor management policy is in place, which is approved by the Board of Directors annually. The vendor management policy calls for each vendor to be risk-rated based on the degree to which the relationship could expose the Company to risk, considering the Company’s reliance on the vendor to perform and to protect customer privacy, and on the vendor’s financial strength.

The Company provides mandatory security awareness training for personnel at the time of hire and annually thereafter, to equip personnel with an understanding of how to properly use and protect the computing resources entrusted to them, and to communicate the Company’s information security policies, standards, processes, and practices. We also work to educate our customers about their role in protecting their identities and the privacy of their information. We consider customer education regarding the use of electronic convenience products to be especially important, because the Bank’s exposure to loss related to these products increases if procedures are not followed.

To our knowledge, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including its business strategy, results of operations or financial condition. With regard to the possible impact of future cybersecurity threats or incidents, see Part I. Item 1A, Risk Factors — Operational, Strategic and Business Risks.

Governance

Management of cybersecurity risk is the responsibility of the full Board of Directors, with additional assistance from the Audit Committee. The Board of Directors devotes significant time and attention to the oversight of cybersecurity and information security risk and receives an operational risk update that includes a review of cybersecurity and information security risk. As part of its oversight of cybersecurity and information security risk, on an annual basis our Board of Directors reviews its Information Security Policy with its appointed Information Security Officer, and it frequently receives presentations on, and discusses, cybersecurity and information security risks, industry trends, and best practices from our Chief Information Officer and our Information Security Officer.

At the management level, the Chief Information Officer and Information Security Officer receive regular reports from the Company’s systems department, both historical and real-time, about the Company’s cybersecurity status. The Company has established written policies and procedures to ensure that significant cybersecurity incidents are immediately investigated, addressed through the coordination of various internal departments, and publicly reported (to the extent required by applicable law). If management determines that a material cybersecurity incident has occurred, the Company’s policies require management to promptly inform the Audit Committee, with follow-up information provided to the full Board of Directors.

Under the direction of the Chief Information Officer, the Information Security Officer is responsible for cybersecurity and business continuity, which includes security architecture, security operations, incident response, IT risk and compliance, and security awareness and training. The Information Security Officer has over 40 years of experience in security and risk management, among other disciplines. The Cybersecurity Program Manager, who reports directly to and supports the Information Security Officer in various aspects of cybersecurity and business continuity in the Company, is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Auditor (CISA). The other members of the Company’s information security organization also have extensive cybersecurity, business, and technology experience and hold certifications in their areas of expertise.
