MERCANTILE BANK CORP - (MBWM)
10-K Filing Date: March 01, 2024
Cybersecurity
Risk Management and Strategy
Our enterprise risk management program is designed to identify, assess, and mitigate risks across various aspects of our company, including financial, operational, regulatory, reputational, and legal. Cybersecurity is a critical component of this program, given the increasing reliance on technology and the potential for cyber threats. Our Chief Information Security Officer (the "CISO") is primarily responsible for this cybersecurity component and is a key member of the risk management organization, reporting directly to the Senior Management Team ("SMT") and, as discussed below, periodically to our Board of Directors. As part of our overall enterprise risk management program, we maintain both an Information & Cyber Security Program Policy ("ICSPP") and an Information & Cyber Security Response Policy ("ICSRP").
Our ICSPP is overseen by the SMT, which is responsible for designating the CISO. The CISO is responsible for leading company-wide cybersecurity strategy, policy, standards, architecture, and processes. The CISO is charged with all logical-security-related matters, which include, but are not limited to, PC/server security, network security, internet security, and database and application security. Our ICSRP is based on applicable federal and state laws as well as cybersecurity incident response best practices. The purpose of the ICSRP is to define procedures for reporting and responding to cybersecurity incidents. It creates objectives for actionable procedures that can be measured, evaluated, scaled and revised as necessary for each specific incident. These objectives include maximizing the effectiveness of our company's operations through an established plan of action and assigning responsibilities to appropriate personnel and/or third-party contractors.
Our company has engaged a third-party managed detection and response company to monitor the security of our information systems around the clock, including intrusion detection, and to provide instantaneous alerting should a cybersecurity event occur. If a cybersecurity threat or cybersecurity incident is identified through our company's information systems, the CISO and Incident Response Team ("IRT") will take immediate steps to mitigate the threat and assess any damages. Upon report from the CISO, the SMT will evaluate the materiality of the cybersecurity threat or cybersecurity incident to determine if any public disclosures are required under the Securities and Exchange Commission's cybersecurity disclosure rule. If deemed necessary, third-party consultants, legal counsel, and assessors will be engaged to evaluate the materiality assessment.
Our company has training and awareness programs designed to educate its employees about cybersecurity risks and how to protect our company, our customers and themselves from cyber-attacks, and to keep employees informed about cybersecurity threats and how to stay safe online, including secure access practices, phishing schemes, remote work and response to suspicious activities.
Our cybersecurity program interfaces with other functional areas within our company, including, but not limited to, our company's business segments and its information technology, legal, risk, human resources and internal audit departments, as well as external third-party partners, to identify and understand potential cybersecurity threats. We regularly assess and update our processes, procedures and management techniques in light of ongoing cybersecurity developments.
Recognizing the complexity and evolving nature of cybersecurity threats, we also engage with a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing our risk management systems. These partnerships enable our company to leverage specialized knowledge and insights, ensuring its cybersecurity strategies and processes remain at the forefront of industry best practices. Our company's collaboration with these third parties includes regular audits, testing, threat assessments and consultation on security enhancements.
To date, risks from cybersecurity threats or incidents have not materially affected our company. However, the sophistication of and risks from cybersecurity threats and incidents continue to increase, and the preventative actions that we have taken and continue to take to reduce the risk of cybersecurity threats and incidents and protect our systems and information may not successfully protect against all cybersecurity threats and incidents. For more information on how cybersecurity risk could materially affect our company's business strategy, results of operations, or financial condition, please refer to Item 1A Risk Factors.
Governance
Our company recognizes the importance of safeguarding sensitive customer information. Therefore, the Board of Directors recognizes that the protection of this information ranks as one of our highest priorities. The Board of Directors is responsible for reviewing and approving the ICSPP and ICSRP at least annually and monitoring material risks facing our company.
The Board has tasked the SMT with overseeing efforts to develop, implement and maintain an effective information and cybersecurity program. The SMT designates the CISO, who also serves as the IRT leader. As part of its oversight responsibilities, the Board of Directors is responsible for discussing with the SMT our company's major risk exposures, such as cybersecurity, and the steps management has taken to monitor and control those exposures, including our risk assessment and risk management policies. The Board of Directors also monitors our compliance with legal and regulatory requirements and the risks associated therewith. On a regular basis, the Board of Directors reviews with the SMT significant areas of risk exposure involving cybersecurity.
At the direction of the SMT, the CISO and IRT monitor internal and external cybersecurity threats and review and revise our company's cybersecurity defenses on an ongoing basis. The CISO, together with other members of the IRT, brings a wealth of expertise to their respective roles, including expertise in security technologies; designing and implementing security strategies; security standards such as NIST, ISO, COBIT and ITIL; and risk management and incident response. The CISO prepares reports on IT general controls and cybersecurity metrics for the SMT and Board of Directors on a regular basis, presents those reports to them, and addresses any questions and concerns they raise. At least annually, the Board of Directors meets with the CISO in person to discuss cybersecurity in greater detail.