FARMERS & MERCHANTS BANCORP INC - (FMAO)

10-K Filing Date: February 27, 2024
ITEM 1c. CYBERSECURITY

Board Oversight Responsibilities

The Board of Directors bears the ultimate responsibility for ensuring that an adequate cyber and information technology risk (IT risk) management framework is in place and functioning as intended. IT risk focuses on information and information systems, especially the most critical and vital information assets. Without reliable and properly secured information systems, business operations could be severely disrupted. Likewise, the preservation and enhancement of the Company’s reputation is directly linked to the way in which both information and information systems are managed. Maintaining an adequate level of security is one of several important aspects of managing IT risk. The Board’s oversight responsibility in this respect includes oversight of the Company’s vendor management program and the periodic evaluation of the Company’s IT risk management controls.

The Board of Directors implements its IT risk oversight obligations primarily through the Board’s Enterprise Risk Management Committee (ERM Committee). The primary function of the ERM Committee is to advise the Board of Directors regarding the enterprise risk management framework of the Company and to provide oversight to assist the Board of Directors in supervising enterprise risk management activities. The ERM Committee reviews and defines risk exposure limits for each specified risk category, including IT risk, while taking into consideration strategic goals and objectives and current market conditions. The Board ERM Committee reviews and approves any necessary changes to risk exposure limits after careful consideration of any changes in market conditions or corporate strategy and adopts guidelines, through the input of the Management Risk Committee’s analysis and discussion, regarding the maximum loss exposure the Bank is able and willing to assume.

The Management Risk Committee comprises various members of Senior Management, Department Leaders, Compliance, Internal Audit and Risk Management. The Management Risk Committee is responsible for loss control and day-to-day oversight of the risk management function. Management Risk Committee meetings are held monthly. Results of the monthly review of risk categories are reported to the Board ERM Committee each quarter. In addition, the Company’s risk position is reported to the Board of Directors quarterly.

At least annually, the Board of Directors reviews and approves the risk management program and policies based on information presented throughout the year from the ERM Committee and the Management Risk Committee.

In addition, the Information Systems (IS) Steering Committee, which is chaired by the Company’s Chief Information Officer, serves as an advisory group providing assistance and guidance to management regarding customer information security, information systems planning, systems management organization, systems performance, business continuity, information security, system related expenditures, vendor management, and related policies and procedures. The IS Steering Committee meets on a monthly basis. Formal meeting minutes serve to document decisions and recommendations by the IS Steering Committee and are reported to both the Management Risk Committee and the Board ERM Committee. Management has appointed the Chief Information Officer the responsibility for overall management of the Company’s “front line” IT risk.

 

Material Impact of Cyber Risk

As discussed more thoroughly below, the Company devotes significant resources to implement, maintain, monitor and regularly upgrade our systems and networks with measures such as intrusion detection and prevention and firewalls to safeguard critical business applications. The additional cost to the Company of our cyber security monitoring and protection systems and controls includes the cost of hardware and software, third party technology providers, consulting, and legal fees, in addition to the incremental cost of our personnel who focus a substantial portion of their responsibilities on cyber security. With the assistance of third-party service providers, we continue to implement security technology and establish procedures to maintain network security. As cyber threats continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate and remediate any information security vulnerabilities. In addition, we maintain insurance coverage that may, subject to policy terms and conditions, cover certain aspects of cyber risks, but such insurance coverage may not always be sufficient to cover all losses.

IT Risk and Vendor Management

We rely on third-party service providers to leverage subject matter expertise and industry best practice, provide enhanced products and services, and reduce costs. Although there are benefits in entering into third-party relationships with vendors and others, there are risks associated with such activities. When entering a third-party relationship, the risks associated with that activity are not passed to the third-party but remain our responsibility. At the direction of the Board and pursuant to its ultimate oversight, management is charged with the development and maintenance of a comprehensive vendor management program. In that respect, Company management has appointed the IS Steering Committee, chaired by the Chief Information Officer, to oversee the Company’s vendor management program. The vendor management program is used to identify, measure, monitor, and control the risks associated with outsourcing arrangements. While focusing on information and operational risks, outsourced relationships are reviewed through structured assessments and addressed from an end-to-end perspective. While we have implemented a vendor management program to actively manage the risks associated with the use of third-party service providers, any problems caused by third-party service providers could adversely affect our ability to deliver products and services to our customers and to conduct our business. Replacing a third-party service provider could also take a long period of time and result in increased expenses.

Internal and External Risk Evaluations

An annual Information Technology Audit, which is facilitated by the Internal Audit Department, is conducted via a co-sourcing agreement with a third-party auditor. The objective of the IT audit is to evaluate the effectiveness and efficiency of operations, test the reliability of data and IT controls, and ensure compliance with applicable laws, regulations, guidance, and industry best practices. The audit scope addresses IT Governance, IT Management, IT Operations, and IT Security. Testing of the internal network environment and the external network perimeter is included in the results of the IT Audit, which are reviewed with the IS Steering Committee and Company management. For any exceptions identified, a responsible party is assigned, and action plans are developed to address corrective measures. The final results of the IT Audit are reviewed with the Board Audit Committee. The status of unresolved audit issues, along with their priority ratings, is reported to both Management and the Board Audit Committee at each meeting.

In addition, in accordance with Gramm-Leach-Bliley Act requirements regarding safeguarding and protecting customer information, an Information Security Risk Assessment is conducted at least annually by the Risk Department and reviewed with the Management Risk Committee, the ERM Committee, and the Board of Directors. A risk analysis is performed to evaluate current processes, identify information assets, and determine the adequacy of the safeguarding and protection of confidential customer information collected and maintained. For each information asset identified, the criticality of the asset, the threats to the defined asset, the likelihood of compromise of the asset, the business impact if an asset is compromised, and an overall risk rating for each asset are defined. The results of this assessment are reviewed with the Information Systems (IS) Steering Committee and the Risk Committee and reported at least annually to the Board ERM Committee.