ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
Assessing, identifying and managing material risks from cybersecurity threats is critical for maintaining the security of the Company’s data and information systems, and is integrated into our enterprise risk management systems and processes. The Bank’s approach to cybersecurity risk management and strategy is based on the FFIEC Cybersecurity Assessment Tool (“CAT”), which provides a repeatable and measurable process for evaluating cybersecurity preparedness and assessing, identifying, and managing material risks from cybersecurity threats. The CAT incorporates cybersecurity-related principles from the FFIEC Information Technology Examination Handbook and regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology Cybersecurity Framework.
The CAT consists of two parts: Cybersecurity Inherent Risk Profile and Cybersecurity Maturity. Completion of both parts of the CAT allows management and the Board to evaluate whether the Company’s cybersecurity risk and preparedness are aligned. The Cybersecurity Inherent Risk Profile is the level of risk posed to the Company by technologies and connection types, delivery channels, online/mobile products and technology services, organizational characteristics and external threats. Cybersecurity Maturity is designed to help management measure the Company’s level of risk and corresponding controls under the following five domains: (i) Cyber Risk Management and Oversight; (ii) Threat Intelligence and Collaboration; (iii) Cybersecurity Controls; (iv) External Dependency Management; and (v) Cyber Incident Management and Resilience.
The Information Security Officer (“ISO”) and the Company’s Information Technology Committee conduct and review the CAT annually to identify changes to the Company’s inherent risk profile, as well as when new threats arise or when considering changes to the business strategy, such as expanding operations, offering new products and services, or entering into new third-party relationships that support critical activities. Consequently, management can determine whether additional risk management practices or controls are needed to maintain or augment the Company’s cybersecurity maturity.
In an effort to continually share threat intelligence and increase awareness of cybersecurity trends, the Company has also implemented a Cybersecurity Education and Awareness Program. This program includes the following components:
● Mandatory annual cybersecurity employee training;
● Training specifically targeted to Senior Management and Information Technology staff;
● Bimonthly review of emerging security trends by the Information Technology Committee;
● Mandatory annual cybersecurity Board training;
● Periodic communication to employees highlighting internal control requirements and information about common threats or fraud schemes; and
● Periodic communication to the Bank’s customers highlighting emerging threats and good cybersecurity hygiene.
To date, we have not experienced a cybersecurity incident that has materially impacted our business strategy, results of operations, or financial condition. Despite our efforts, there can be no assurance that our cybersecurity risk management processes and measures described will be fully implemented, complied with, or effective in protecting our systems and information. We face risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect our business strategy, results of operations or financial condition. Please see Part I, Item 1A. Risk Factors for further discussion of the risks associated with an interruption or breach in our information systems or infrastructure.
Board and Management Governance
The Company’s Board of Directors recognizes the importance of maintaining the trust and confidence of our customers, employees, and shareholders. The Board of Directors’ responsibilities for cybersecurity risk management and strategy include the following: