MACATAWA BANK CORP - (MCBC)
10-K Filing Date: February 15, 2024
Cybersecurity.
Cybersecurity Risk Management and Strategy
The Company is exposed to cybersecurity threats and incidents that range from uncoordinated individual attempts to gain unauthorized access to information systems to sophisticated and targeted campaigns known as advanced persistent threats, directed at the Company or its third-party service providers. While we have experienced, and expect to continue to experience, cybersecurity threats, we have not experienced a material cybersecurity incident in the three-year period ended December 31, 2023. Management considers various factors in assessing the materiality of a cybersecurity incident, including the potential for misappropriation, destruction, corruption or unavailability of critical data and confidential or proprietary information (our own or that of third parties) and the disruption of business operations. The potential consequences of a material cybersecurity incident could include reputational damage, litigation with third parties, regulatory criticism or proceedings, and increased cybersecurity protection and remediation costs, which in turn could materially adversely affect our results of operations. We also evaluate the risk of data theft (of sensitive, proprietary and other data categories, in addition to personal data), of harm to customer or third-party relationships, and of litigation or regulatory investigation or action, any of which could materially adversely affect our results of operations and our reputation.
The Company maintains a number of processes to identify and respond to cybersecurity threats and incidents. The Company's information security and third-party risk management programs evaluate cybersecurity threats posed by internal and external factors and support the daily operational functions that prevent unauthorized access or compromise.
The information security and third-party risk management programs report functionally to the Company's overall risk management function, led by the Chief Risk Officer. The information security function, led by the Information Security Officer and the Chief Technology Officer, evaluates internal and external cybersecurity threat factors according to a written policy statement that the Board reviews and approves periodically. The Company maintains processes to evaluate third parties whose information systems support critical Company operations.
Risk management evaluates the cybersecurity risks and information systems of third parties at onboarding and on an ongoing basis. These processes include evaluating reports on, or performing assessments of, a third party's information systems against cybersecurity frameworks such as ISO/IEC 27001, published by the International Organization for Standardization (ISO), and the Cybersecurity Framework (CSF), published by the US National Institute of Standards and Technology (NIST), as well as evaluating reports issued by a third party's auditors under the attestation standards of the American Institute of Certified Public Accountants (AICPA), such as SOC reports. The Company integrates risk mitigation into additional onboarding requirements that address identified risk factors, such as service level agreements and minimum information security performance expectations, so that cybersecurity threats and incidents are managed within applicable industry or regulatory standards. The Company requires third-party contracts to incorporate industry- and regulatory-standard clauses that require the third party to report to the Company the occurrence and mitigation of cybersecurity threats and incidents and to maintain adequate levels of cybersecurity insurance coverage.
The information security function performs periodic risk assessments of the Company's information systems and cybersecurity threats using industry-standard methodologies based on the NIST CSF and MITRE ATT&CK®, as well as regulatory guidance issued by the Federal Financial Institutions Examination Council (FFIEC) and by state and federal regulators, including the Federal Deposit Insurance Corporation and the Michigan Department of Insurance and Financial Services. Based on risk, the Company's information security function performs internal engagements to provide assurance to senior management and the Board that the Company's information systems are able to identify, escalate and mitigate cybersecurity threats on a routine basis. The Company also engages external independent parties to perform independent audit engagements and other assessments of the Company's information security and third-party risk management programs and information systems.
Cybersecurity Governance
On a periodic basis, typically monthly, management's technology steering committee receives reporting that summarizes cybersecurity threat and incident monitoring activity, along with details of the remediation undertaken to address threats and incidents. The summary covers both internal and external threat events and outlines management's approach to enabling the timely identification and disclosure of a material incident, should one occur, without unreasonable delay. The results of internal and external assessments of the Company's cybersecurity threat monitoring capabilities are also provided to the committee. Meeting minutes of the committee are maintained and made available to the Board of Directors.
The Board of Directors receives periodic training related to cybersecurity and is responsible for approving and overseeing management's policies governing information system security and cybersecurity threats and incidents, as well as for overseeing management's approach to securing the Company's information systems. The Board of Directors delegates the oversight of risk management to the Audit Committee of the Board.
The Audit Committee receives and reviews reports on the Company's risk management processes, which include assessments of management's cybersecurity threat and incident management functions. The committee receives periodic reporting on certain cybersecurity risks from the Information Security Officer, including reports related to social engineering, the effectiveness of cybersecurity training, vulnerability and penetration assessments performed on management's information systems by internal and external parties, and audit reports on information systems and on cybersecurity threat and incident monitoring.
Any event that could become a cybersecurity incident is reviewed by risk management, information security and the technology steering committee. The committee's evaluation of a reported event includes reporting on any mitigation or remediation determined to be necessary to address the threat the event poses. Should an event rise to the level of a material incident, management maintains a response plan to mitigate the impact, maintain business continuity and provide for internal and external communication, including communication required by regulation.