MEDALLION FINANCIAL CORP - (MFIN)
10-K Filing Date: March 07, 2024
Risk Management and Strategy
Identifying, assessing, and managing material cybersecurity risks is an important function of our enterprise risk management program. Material risks from cybersecurity threats are managed across Medallion Financial Corp., the Bank, Medallion Capital, and third-party vendors, and monitoring such risks and threats involves coordination between us as the parent company and our two main operating subsidiaries. We continue to integrate our cybersecurity programs into our enterprise risk management program, which is led by various senior representatives of the Company and overseen by the Audit Committee of the Company’s Board of Directors.
Medallion Financial Corp., the Bank and Medallion Capital are each responsible for developing cybersecurity programs appropriate for their respective entities, including as may be required by applicable law or regulation. These programs have been guided by the National Institute of Standards and Technology Cybersecurity Framework, other industry-recognized standards, and contractual requirements, as applicable, and seek to protect each entity against cybersecurity risks and provide a foundation to respond promptly to cybersecurity events. Each entity maintains technical and organizational safeguards, including, among other things, employee testing and training, incident response programs and tabletop exercises, evaluations and assessments by third parties, vulnerability scanning, vendor management, cybersecurity insurance, and business continuity mechanisms for the protection of Company assets. Our programs also assess and manage third-party risks: we perform third-party risk management to identify and mitigate risks from vendors and other business partners associated with our use of third-party service providers.
Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, and we currently do not expect that risks from cybersecurity threats are reasonably likely to materially affect us, but we cannot provide assurance that we will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks, see Item 1A Risk Factors of this Annual Report on Form 10-K.
Governance
The Audit Committee of our Board of Directors is responsible for overseeing the Company’s enterprise risk management program, which includes overseeing the adequacy of protection of the Company’s technology, covering physical security, the patent and trademark program, proprietary information, and information security. The Audit Committee receives quarterly reports from our Information Security Director and third parties on cybersecurity matters. In addition, the Audit Committee receives quarterly reports addressing cybersecurity as part of our enterprise risk management program, and to the extent cybersecurity matters are addressed in regular business updates. These reports include, among other things, existing and new cybersecurity risks, the status of how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents, if any, and the status of key information security initiatives. Our Audit Committee members also engage in ad hoc conversations with management on cybersecurity-related news and events, and discuss any updates, as needed, to our cybersecurity risk management and strategy programs.
Medallion Financial Corp. employs a Director of Information Security, and our main operating subsidiaries have similar functions and/or roles conducted by various individuals. These information security leaders are responsible for developing cybersecurity programs appropriate for their respective entities, including as may be required by applicable law or regulation. Their expertise in information security and cybersecurity generally has been gained from a combination of education, including relevant degrees and/or certifications, and prior work experience. They are informed by their respective cybersecurity teams and third-party vendors about, and monitor, the prevention, detection, mitigation and remediation efforts relating to any cybersecurity incidents as part of the cybersecurity programs described above.
Information regarding cybersecurity risks may be elevated from information security leadership through a variety of different channels, including discussions between or among subsidiary and parent company management, reports to subsidiary and parent company risk committees and reports to subsidiary and parent company boards and board committees. As noted above, the Audit Committee regularly receives reports on cybersecurity matters from our Information Security Director and third parties as well as part of our enterprise risk management program.