UNITY BANCORP INC /NJ/ - (UNTY)

10-K Filing Date: March 07, 2024

Item 1C. Cybersecurity Disclosures

Risk Management and Governance

Cybersecurity is a material part of Unity Bank’s business. Because the Company is a technology-forward financial institution offering products through multiple digital delivery channels, cybersecurity incidents could have a material effect on the Company, its results of operations and its reputation. To date, the Company has not experienced any cybersecurity incident which has had a material effect on the Company’s business strategy, results of operations or financial condition. See “Item 1A - Risk Factors – The Company cannot predict how changes in technology will impact its business,” as increased use of technology may expose us to service interruptions or breaches in security.

Cybersecurity risk is initially overseen by the management Information Technology Steering Committee (the “ITSC”). The members of this committee include the Company’s Chief Technology Officer, Chief Compliance Officer (who is also the Information Security Officer), Chief Executive Officer, Chief Financial Officer and other critical executive management members. The ITSC also includes a non-voting member that is an outsourced cybersecurity expert. The ITSC includes multiple members, including the Chief Technology Officer and an outsourced consultant, who serves as the Company’s Virtual Information Security Officer.


Over his 16-year career, the Company’s Chief Technology Officer has served in multiple Information Technology and Cybersecurity roles, such as Senior Engineer, responsible for implementing hardened infrastructure for both physical and cloud applications; Solutions Architect, designing infrastructures for highly regulated industries including Financial Services, Local/State Government and Healthcare; and Director of Service Delivery, overseeing engineering and solutions architecture and maintaining the System and Organization Controls (SOC) program prior to joining Unity Bank. During his tenure at Unity Bank, he is a member of various Risk and Cybersecurity Committees of the New Jersey Bankers Association, and is a member of FS-ISAC, The Independent Community Bankers of America and our primary banking vendors’ advisory and risk management committees.

The Company’s Chief Compliance Officer was appointed as the Company’s Information Security Officer in 2016.

The Virtual Information Security Officer (vISO) has a career of over 18 years in Information Technology, Cybersecurity and both Internal/External Audit. He presently holds a position of Partner of Herbein, COA Advisor & Audit, where he has held multiple positions within Information Technology and Cybersecurity.

The Company’s Information Technology Manager has a career of over 25 years in Information Technology, of which the prior 13 years have been in Information Technology, Security and Cybersecurity, working primarily in regulated industries.

In order to ensure that cybersecurity risk management is integrated into the Company’s overall risk management plans, systems and processes, the ITSC and Chief Technology Officer provide reports and updates to the Board of Directors, or a Committee thereof, on a quarterly basis.

The Company’s cybersecurity risk mitigation program involves a combination of internal resources and the use of third parties. The Company’s internal IT team performs monthly vulnerability scanning and performs an annual risk assessment based on the National Institute of Standards and Technology Cybersecurity Framework. The results are reported to the ITSC. The Company’s IT and compliance staff also review potential cybersecurity threats associated with the Company’s third-party vendors, including performing a review of and obtaining a System and Organization Controls report from all vendors rated as “high risk” by the Company’s internal vendor management program. The Company also has an internal Incident Response Plan and Team, which is charged with overseeing the Company’s response to any cybersecurity incident. The team performs a tabletop exercise at least annually to prepare to respond in the event of any actual cybersecurity incident.

In addition to these internal resources, the Company uses a third-party vendor to complete annual penetration and vulnerability testing, with the results reported to the ITSC. Finally, the Company’s cybersecurity compliance program is audited by the Bank’s outsourced internal auditor.

The Company also maintains insurance which may provide coverage for expenses and certain losses incurred in connection with a cybersecurity incident.
