Richmond Mutual Bancorporation, Inc. - (RMBI)

10-K Filing Date: March 29, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

The Company's Information Security Program ("ISP") is a robust framework overseen by the Information Technology Board Committee ("ITBC") and the IT Steering Committee ("ITSC"). These committees play a pivotal role in managing technology and cyber risks, ensuring compliance with regulatory requirements, and fostering a controlled risk environment.
The ITBC meets quarterly, while the ITSC meets monthly. Meeting minutes from the ITSC are regularly submitted to the Board for review. These two committees jointly oversee the organization's information technology and cyber risk posture, focusing on the assessment of information and cybersecurity risks. Evaluated risks are subject to rigorous controls, ensuring both design and operational effectiveness and adherence to regulatory requirements. In instances where a risk is identified as inadequately controlled, remediation measures are implemented to reduce the risk to an acceptable level. This commitment to ongoing assessment and responsiveness enhances our ability to adapt to emerging threats and maintain a proactive stance in managing risks effectively.
The identification of risks is a multifaceted process that involves a range of activities. This includes monitoring of guidance issued by regulatory authorities, participating in professional forums, conducting both internal and external audits, collaborating with third-party services, reviewing policies, and adhering to best practice frameworks including Federal Financial Institutions Examination Council ("FFIEC") guidance and information security requirements established in the Gramm-Leach-Bliley Act, along with other relevant state laws and agency regulations. Furthermore, we emphasize the importance of maintaining a collaborative relationship with third-party service providers/vendors. This collaborative approach enhances our risk management capabilities and ensures a shared commitment to maintaining a secure information environment.
Moreover, our commitment to robust risk management extends to the maintenance of a comprehensive Security Incident Response Plan ("SIRP"). This SIRP serves as a framework for effectively addressing and mitigating security incidents. Within this plan, we integrate accessible resources to fortify our response capabilities. This includes establishing collaborative partnerships with insurance providers, regulatory agencies, and law enforcement agencies, ensuring a seamless and coordinated approach in the event of a security incident. Recognizing the interdependence of our practices with service providers and vendors, we actively engage with our partners during the notification and investigation processes following a security incident. This collaborative effort is designed to foster complete visibility into the nature and scope of security risks and events, enabling a unified and effective response.
Our SIRP is dynamic and adaptable, evolving in tandem with the ever-changing cybersecurity landscape. By regularly updating and refining our response strategies, we remain prepared to confront emerging threats.
As of the reporting period, the Company has not experienced any material cybersecurity events or incidents. Although third-party service providers have encountered cybersecurity events or incidents, these occurrences have not resulted in a material impact on our systems, computing environments, or data.
Governance
Our Board, supported by the ITBC and the ITSC, actively oversees our processes for management of cybersecurity risks and threats. The Board's responsibilities include the ongoing administration of the ISP, conducting an annual review, and granting approval. Regular reviews of reports by both the Board and the ITBC, submitted by the ITSC, ensure timely awareness of emerging concerns and facilitate continuous enhancements to our cybersecurity posture. In addition to governance oversight, the Board designates key roles crucial for effective cybersecurity management. This includes appointing the Information Security Officer ("ISO"), Chief Information Officer ("CIO"), and Chief Compliance Officer ("CCO"). The ISO and CIO roles are filled jointly by one individual, who has been with the organization for 19 years with over 25 years of experience in information technology. Our Chief Compliance Officer has been with the organization for over 36 years, with over 15 years of experience in compliance. These professionals bring diverse qualifications, certifications, and experience, ensuring a comprehensive approach to our information security initiatives. These qualifications and certifications include Certified Information Security Manager (CISM), Certified Banking Security Manager (CBSM), and Certified Information Security Professional (CISSP).
Our governance structure ensures a comprehensive approach to managing cybersecurity risks and threats, aligning with the Board-approved ISP. The ITBC, which is comprised of several Board members, the CIO, ISO, Chief Executive Officer and Chief Operating Officer, is responsible for establishing and updating the Company's Risk Appetite Statement. The ITSC, appointed by the Board of Directors and comprised of the CIO, ISO, CCO and various other representatives from each area of the Bank, is responsible for overseeing ISP compliance. This involves delineating lines of responsibility and accountability for information security risk management decisions. The ITSC also reviews and approves significant changes to our control environments, ensuring that outside independent organizations conduct annual vulnerability assessments and penetration tests. Furthermore, they examine reports submitted by the ISO.
The ISO is responsible for reporting, at least annually, to the Board of Directors on the status of the ISP, including overall compliance, risk management, vendor management, audit and testing results, breaches and incidents, and recommended updates to the ISP.