10-K Filing Date: April 01, 2024
Item 1C. Cybersecurity


The Cyber Incident Reporting for Critical Infrastructure Act, enacted in March 2022, requires certain covered entities to report a covered incident to the U.S. Department of Homeland Security's Cybersecurity & Infrastructure Security Agency ("CISA") within 72 hours after a covered entity reasonably believes an incident has occurred. Separate reporting to CISA will also be required within 24 hours if a ransom payment is made as a result of a ransomware attack.

The SEC adopted a new rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies in 2023, which applies to all public companies subject to the reporting requirements of the Securities Exchange Act of 1934 and requires disclosure of material cybersecurity incidents in Current Reports on Form 8-K and periodic disclosure of cybersecurity risk management, strategy, and governance in Annual Reports on Form 10-K.

State regulators have also been increasingly active in implementing privacy and cybersecurity standards and regulations, and many states have recently implemented or modified their data breach notification and data privacy requirements. The Company expects this trend of state-level cybersecurity regulatory activity to continue and continues to monitor these developments.

Our risk management program is designed to identify, assess, and mitigate risks across various aspects of our company, including financial, operational, regulatory, reputational, and legal. Cybersecurity is a critical component of this program, given the increasing reliance on technology and potential cyber threats. Our Information Security Officer is primarily responsible for this cybersecurity component and is a key member of the risk management organization, coordinating with our Chief Risk Officer, with board oversight through our Information Technology Steering Committee and the Audit Risk and Compliance Committee.



We maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification of and escalation to the appropriate Board-approved management committees, and to the Information Technology Steering Committee. The Incident Response Plan is coordinated through the Information Security Officer, and key members of management are embedded into the Plan by its design. The Incident Response Plan facilitates coordination across multiple parts of our organization and is evaluated at least annually.

In the ordinary course of its business, the Bank relies on electronic communications and information systems to conduct its operations and to store sensitive data, and employs a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected advanced persistent threats. Notwithstanding these defensive measures, the threat from cybersecurity attacks is severe, attacks are sophisticated and increasing in volume, and attackers respond rapidly to changes in defensive measures. Our internal systems, processes, and controls are designed to mitigate loss from cyber-attacks and, while we have experienced cybersecurity incidents in the past, to date, risks from cybersecurity threats have not materially affected our company. The Bank’s systems and those of its customers and third-party service providers are under constant threat, and it is possible that we could experience a future significant event. The Bank expects risks and exposures related to cybersecurity attacks to remain high for the foreseeable future.
