ConnectOne Bancorp, Inc. - (CNOB)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity

 

Cybersecurity Risk Management, Strategy and Governance

 

Cybersecurity is a material part of ConnectOne’s business. Because ConnectOne is a financial institution offering products through multiple digital delivery channels, cybersecurity incidents could have a material effect on the Company, its results of operations and its reputation, although to date the Company has not experienced any cybersecurity incident that has had a material effect on the Company’s business strategy, results of operations or financial condition. See “Item 1A - Risk Factors - We cannot predict how changes in technology will impact our business; increased use of technology may expose us to service interruptions or breaches in security.”

 

Cybersecurity risk is initially overseen at ConnectOne by the management IT Committee (the “ITC”). The members of this committee include, as co-chairs, the Chief Compliance Officer and the Chief Technology Officer. Additional members are our Information Security Officer, Information Technology (“IT”) Manager, Chief Risk Officer, Chairman & Chief Executive Officer, Chief Strategic Operations Officer, Chief Digital Officer and Chief Brand and Innovation Officer.

 

 

Tarak Patel, Information Security Officer - Mr. Patel has facilitated the management of information security programs at financial institutions for over 17 years.

     
 

Sharif Alexandre, Chief Technology Officer - Mr. Alexandre has over 20 years industry experience including managing Information Technology and Software Development teams at organizations ranging from technology startups to Fortune 500 companies. He recently oversaw IT operations and currently leads the Software Development and Data Management teams at the Bank.

     
 

Laura Criscione, Chief Compliance Officer - Ms. Criscione oversees the company’s Compliance and Information Security. Ms. Criscione has overseen Compliance and IT Operations throughout her more than 30-year career in financial institutions.

     
 

Dale Dwaileebe, IT Manager - Mr. Dwaileebe has over 20 years of IT experience, is a current member of Infragard, and holds multiple industry recognized certifications.

     
 

Michael O’Malley, Chief Risk Officer – Mr. O’Malley oversees entity-wide risk management, including cybersecurity related risk.

     
 

Dana Zeller, Chief Strategic Operations Officer – Ms. Zeller’s career has been primarily in bank operations, in which she has participated in end-to-end implementations and upgrades of core banking technology, from selecting a vendor to managing implementations, to leading enhancement and efficiency initiatives throughout the life of the application.

     
 

Ali Matera, Chief Digital Officer – Ms. Matera is a technology subject matter expert with over 13 years of IT leadership and over 18 years of financial service experience. In her career she has been responsible for technology/digital strategy, enterprise program management, data analytics and IT service management at other financial institutions.

 

In addition to the members above, Frank Sorrentino III, Chairman & Chief Executive Officer and Siya Vansia, Chief Brand & Innovation Officer are also members of the ITC due to their roles in overseeing entity-wide management.

 

 

 


In order to ensure that cybersecurity risk management is integrated into the Company’s overall risk management plans, systems and processes, members of the ITC, along with other lines of business heads, report to the management Enterprise Risk Management Committee (the “ERMC”), which in turn reports to the Board Audit and Risk Committee quarterly. The ERMC consists of the Company’s Chief Risk Officer, Chairman & CEO, President, Chief Financial Officer, Treasurer, Chief Compliance Officer, Chief Technology Officer, Chief Strategic Operations Officer and Chief Credit Officer. In addition, the Company’s Chief Technology Officer attends Company Board of Directors meetings and provides an information technology ("IT") report at each meeting.

 

The Company’s cybersecurity risk mitigation program involves a combination of internal resources and the use of third parties. The Company’s internal IT team performs monthly vulnerability scanning and performs an annual risk assessment based on the National Institute of Standards and Technology Cybersecurity Framework. The results are reported to the ITC. The Company’s IT and compliance staff also review potential cybersecurity threats associated with the Company’s third-party vendors, including performing a review of and obtaining a System of Organization Controls report from all vendors rated as “high risk” by the Company’s internal vendor management program. The Company also has an internal Incident Response Plan and Team, which is charged with overseeing the Company’s response to any cybersecurity incident. The team performs a table-top exercise at least annually to prepare to respond in the event of any actual cybersecurity incident.

 

In addition to these internal resources, the Company uses a third-party vendor to undertake annual penetration and vulnerability testing, with the results reported to the ITC. Finally, the Company’s cybersecurity compliance program is audited by the Bank’s outsourced internal auditor.

 

The Company also maintains insurance which may provide coverage for expenses and certain losses incurred in connection with a cybersecurity incident.

 

 

 
