Metropolitan Bank Holding Corp. - (MCB)
10-K Filing Date: February 28, 2024
Risk Management and Strategy
The Company believes that a strong cybersecurity program is vital to effective cybersecurity risk management. The Company recognizes the importance of developing, implementing, and maintaining robust cybersecurity measures to help safeguard sensitive information and its business operations, and to protect the confidentiality, integrity, and availability of its information systems and the nonpublic information transmitted, processed and stored on its systems or those of third-party service providers.
Managing Material Risks & Integrated Overall Risk Management
The Company has integrated cybersecurity risk management into its broader risk management framework in order to promote a culture that values protecting sensitive information. This integration is intended to promote the inclusion of cybersecurity considerations in decision-making processes throughout the Company. As the operating company, the Bank’s general risk management personnel, including the Chief Risk Officer (“CRO”), work closely with their information technology and security counterparts to evaluate and address cybersecurity threats in alignment with our business objectives and operational needs.
The Company also maintains a system-wide information systems security program that applies to all employees. All employees are expected to assist in safeguarding the Company’s information systems and to assist in the discovery and reporting of cybersecurity incidents. This Company-wide program is intended to identify and assess internal and external cyber and information security risks that may threaten the security or integrity of nonpublic information stored on the Company’s information systems or those of third-party providers from unauthorized access, use or other malicious acts.
The Board of Directors is responsible for overseeing the Company’s cybersecurity program. The Board of Directors has established oversight mechanisms that are intended to promote effective governance in managing risks associated with cybersecurity threats because it recognizes the significance of these threats to the Company’s operational integrity and the information stored on the Company’s information systems or those of third-party service providers. See “—Governance—Board of Directors Oversight.”
Engage Third Parties on Risk Management
Recognizing the complexity and evolving nature of cybersecurity threats, the Company engages with a range of external experts from time to time, including cybersecurity assessors, risk management professionals, and other consultants, in evaluating and testing our risk management systems. We also engage third-party services on an ongoing basis to conduct independent audits of our risk management systems. These engagements enable us to leverage specialized knowledge and insights and assist the Company with its goal of maintaining cybersecurity strategies and processes that are consistent with industry best practices. Our collaboration with these third parties includes tabletop exercises, penetration testing and other cyber-support services.
Oversee Third-party Risk
Because the Company is aware of the risks associated with third-party service providers, the Company has implemented policies and processes to oversee and assist with managing these risks. The Company’s Third-Party Risk Management Officer (the “TPRM”) conducts security and risk assessments of all third-party providers before engagement and monitors these third-party providers on an ongoing basis to assess each provider’s compliance with the Company’s cybersecurity standards, which are intended to be commensurate with the level of risk and complexity of the relationship with, and the activities performed by, a given provider engaged by the Company. In addition, the TPRM conducts an annual risk assessment of any third-party provider that provides critical services to the Company or has access to customers’ protected data. This approach is designed to help identify and mitigate risks related to data breaches or other cybersecurity incidents originating from third parties in order to better protect our customers’ personally identifiable information and the Company’s assets and data.
Risks from Cybersecurity Threats
We have not encountered cybersecurity threats or incidents that have materially and adversely affected, or are reasonably likely to materially and adversely affect, the Company’s business strategy, results of operations or financial condition. Notwithstanding the defensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While the Company maintains cybersecurity insurance, the costs related to cybersecurity threats, incidents or disruptions may not be fully insured. For more information regarding the risks we face from cybersecurity threats, see Part I, Item 1A., “Risk Factors—Risks Related to the Company’s Operations—A failure in the Company’s operation and/or information systems or infrastructure, or those of third parties, including cyber-attacks, could impair the Company’s liquidity, disrupt its businesses, result in the unauthorized disclosure of confidential information, damage its reputation, and cause financial losses.”
Governance
Board of Directors Oversight
The Board of Directors is responsible for overseeing the Company’s cybersecurity program. In connection with carrying out these oversight responsibilities, the Board of Directors delegated certain matters to the Technology Committee (the “Technology Committee”) of the Board of Directors. The Technology Committee is central to the Board of Directors’ oversight of cybersecurity risks and is responsible for assisting the Board of Directors in its oversight of technology and innovation strategies, as well as developing plans related to information systems and cybersecurity. The Technology Committee meets at least quarterly and is composed of three board members with diverse skills and experience, including risk management, technology, and finance, which the Board of Directors considers to be helpful in overseeing cybersecurity risks. The Technology Committee reports quarterly (and more frequently if necessary) to the Board of Directors on the activities of the Technology Committee since its last report, including material developments with respect to the risks from cybersecurity threats.
One of the primary responsibilities of the Technology Committee is to review reports submitted by the Chief Information Security Officer (the “CISO”) of the Company, the Company’s Chief Digital Officer (the “CDO”), the CRO, and other officers or employees regarding cybersecurity threats and incidents in order to assist in coordinating prevention and mitigation efforts. In addition, the Technology Committee conducts an annual review of its own performance and the Company’s cybersecurity-related expenditures to identify areas for potential improvement that could benefit the cybersecurity program of the Company.
The Technology Committee also participates in strategic decisions by the Board of Directors by offering recommendations regarding significant investments or initiatives that could impact the Company’s cybersecurity. This involvement is meant to promote the integration of cybersecurity considerations into the broader strategic objectives of the Company by helping the Board of Directors remain aware of the role information security has in the Company’s broader risk management framework.
Reporting to Board of Directors
The CISO provides management, the Technology Committee and the Board of Directors with information regarding the Company’s cybersecurity program and potential cybersecurity threats or incidents. In addition, the CISO is empowered to escalate material cybersecurity threats or incidents and strategic risk management decisions to the Board of Directors so that they can provide appropriate oversight and guidance on these critical cybersecurity issues within the context of the Company’s overall strategic objectives and business operations. Management, the CDO, the CRO, and the Incident Management Team (the “IMT”) are also required to report cybersecurity threats and incidents to the Technology Committee and/or the Board of Directors, as applicable.
Management’s Role in Managing Risk
The Company’s Enterprise Risk Management Committee (the “ERM”), an interdepartmental, management-level committee, meets at least quarterly and is responsible for ensuring that the Company has appropriate policies and procedures in place to help identify, measure, monitor and control potentially significant business risks. In connection with these responsibilities, the ERM receives quarterly risk and control self-assessments and action plans for risk remediation, if required, to reduce residual risks. This includes information security action plans from the CISO, the CDO, and/or other key stakeholders. The incorporation of these reports into the ERM’s meetings is intended to promote the inclusion of cybersecurity considerations in the risk management decision-making processes throughout the Company.
The Information Technology Steering Committee (the “IT Steering Committee”) meets at least quarterly and is composed of sixteen members of management, including the CDO, the CRO and the CISO. The IT Steering Committee oversees information technology matters at the Company, including the implementation of all cybersecurity policies, standards, guidelines and procedures. The responsibilities of the IT Steering Committee include, among other things, updating the Company’s information technology policies, reviewing the architecture of the Company’s information system infrastructure and monitoring the progress of any significant hardware or software updates or installation. In addition, the IT Steering Committee provides quarterly reports to the Board of Directors regarding any information-technology-related matters that, in the opinion of the IT Steering Committee, should be brought to the attention of the Board of Directors of the Company.
The CISO plays an important role in the prevention, detection, mitigation, and remediation of cybersecurity incidents and in informing management, the Technology Committee and the Board of Directors on cybersecurity risks and issues. The CISO provides quarterly briefings to the Technology Committee on any significant information security issues, relevant cybersecurity metrics and the status of the Company’s security-related strategic initiatives. The CISO also provides mid-year and annual reports to the full Board of Directors of the Company regarding the state of the Company’s information security program. The annual reports encompass a broad range of topics, including:
● Confidentiality of nonpublic information and the integrity and security of the Company’s information systems;
● Cybersecurity policies and procedures;
● Material cybersecurity risks;
● Effectiveness of our cybersecurity program; and
● Any material cybersecurity incidents.
In addition to these scheduled meetings, the Technology Committee, the CISO, the CDO, the CRO, and other members of management maintain ongoing dialogues with respect to emerging or potential cybersecurity threats. The Technology Committee also receives reports and updates from management regarding significant cybersecurity developments so that the Board of Directors can be promptly notified, as and when appropriate, of any threats or incidents as well as management’s proposed responses.
Risk Management Personnel
The Company’s CISO has extensive experience in the field of cybersecurity and is responsible for managing the Company’s cybersecurity risks and ensuring that the Company’s security posture is aligned with its business objectives. Our CISO’s technical and business experience is helpful for developing and executing our cybersecurity strategies. The CISO helps to oversee the Company’s information security policies and programs, perform risk and vulnerability assessments of the Company’s information systems, and coordinate responses to cybersecurity incidents in conjunction with the CDO, the Company’s Incident Response Team (the “IRT”), the IMT and management.
The Company’s CDO has extensive experience in establishing and maintaining scalable and secure technology systems and is responsible for maintaining the Company’s various digital platforms. Our CDO worked in various systems, information technology and digital managerial roles at a global financial and investment firm prior to joining the Company. Our CDO’s technical and managerial experience is helpful for developing and executing our cybersecurity strategies. The CDO helps to oversee the Company’s efforts to improve its system’s capabilities, reliability, scalability and security.
The Company’s CRO is responsible for identifying, controlling and mitigating risks that could impact the Company’s operations. Our CRO’s decades of experience managing the various risks faced by financial institutions are helpful for developing and executing our cybersecurity strategies in a manner that is aligned with the overall risk management framework of the Company.
If the Company is notified of a cybersecurity incident affecting the Company’s information systems, either by an employee, our defensive infrastructure, a regular system audit or another mechanism, the IRT, led by the CDO, will perform the technical functions required to analyze and contain such an incident, including, but not limited to, technical triage, in-depth analysis, technical mitigation and any necessary recovery actions. The IMT will be activated by the CISO, the CRO or another member of the team to assist in the response and evaluate the cybersecurity threat and coordinate the business decisions necessary to limit the impact of the cybersecurity incident during and after the response. The IMT will also perform similar functions if we detect or are alerted to a cybersecurity threat or incident involving a third-party service provider.
The Company’s Network and Cloud Administration is led by the CDO and is also responsible for managing security infrastructure and deploying, configuring, and managing various security solutions, tools and products to assist in safeguarding the Company’s information system infrastructure and operations.
Monitor Cybersecurity Incidents
The Technology Committee established the Information Technology and Information Security Working Group (the “IT/IS Working Group”), which is composed of the CDO, the Head of Information Technology Infrastructure, the CISO, the Information Security Officer, the Information Security Assurance Program Manager and certain other members of the Company’s information technology engineering staff. The mission of the IT/IS Working Group is to foster the sharing of information among departments regarding existing and emerging threats and risks related to cybersecurity and related compliance issues in order to better integrate cybersecurity risk management and increase awareness of cybersecurity threats throughout the Company. This group meets on a weekly basis to discuss, among other things, vulnerability management, threat and risk analysis and the status of our continued enhancements to the Company’s information security infrastructure that are intended to further manage and mitigate future risks.
The CISO implements and oversees policies and processes for the regular monitoring of our information systems. This includes the deployment of additional security measures, including defensive infrastructure, and regular system audits to identify potential vulnerabilities. If the CISO, the IRT and/or management believe a cybersecurity incident is potentially material, the CISO, the CRO or another member of the team can convene the IMT to further assist in the Company’s remediation and response efforts. Following the remediation of the cybersecurity incident, the IRT and/or IMT will review the effectiveness and appropriateness of the Company’s response in order to identify and implement potential enhancements to the Company’s security infrastructure and the broader risk management framework.