Orange County Bancorp, Inc. /DE/ - (OBT)

10-K Filing Date: March 29, 2024

Item 1C. Cybersecurity

Cybersecurity Risk Management, Strategy and Governance

Cybersecurity is a material part of Orange County Bancorp’s business. As a financial institution offering products through multiple digital delivery channels, the Company could be materially affected by cybersecurity incidents, including in its results of operations and its reputation. Although to date the Company has not experienced any cybersecurity event that has had a material effect, or is reasonably likely to materially affect, the Company’s business strategy, results of operations, or financial condition, a cyber-incident could have a future impact on the results of operations or financial condition of the Company. Cyber-attacks or other security breaches could adversely affect our operations, net income, or reputation.

Cybersecurity risk is initially overseen by bank management through a Cybersecurity Management Committee (“CMC”). The CMC is responsible for the coordination, oversight, and development of the bank-wide cybersecurity policies, standards, guidelines, and procedures. As part of its oversight responsibilities, the CMC also evaluates cybersecurity exposures, ensuring appropriate response and design of controls to mitigate risks, as well as monitoring the performance and effectiveness of the overall cybersecurity program. The CMC meetings typically include various department heads from within the organization, but the primary members of the CMC include the following:

Information Technology Officer (Chairperson)

Virtual Chief Information Security Officer

Bank Secrecy Officer

Compliance Officer

The Cybersecurity Management Committee operates in connection with the Bank’s Technology Committee (the “Tech Committee” or “TC”). The primary function of the Bank’s Tech Committee is oversight of the Bank’s technology planning and strategy, including cybersecurity and technology trends, major technology investments, and operational performance that may affect the bank. The Technology Committee is comprised of three independent directors, one of whom is Committee Chair. In addition to the directors, TC meetings typically include the Chief Information Officer, the Information Technology Officer, the Chief Information Security Officer, the Chief Executive Officer, the Chief Financial Officer, the Chief Operating Officer, and the Chief Risk Officer.

The specific experience of the members of management who oversee cybersecurity is as follows:

• Chief Information Officer (“CIO”) – The CIO has over 15 years of industry experience and has facilitated the management of information security programs at financial institutions during his entire career.

• Chief Information Security Officer (“CISO”) – The CISO has over 25 years of broad technology and cyber experience and maintains the following certifications: Certified Information Systems Auditor (“CISA”), Certified Information Systems Security Professional (“CISSP”), and Certified Information Security Manager (“CISM”).

• Chief Operating Officer (“COO”) – The COO’s career has been primarily in bank operations; the COO has participated in end-to-end implementations and upgrades of core banking technology, from vendor selection to managing implementation, to leading enhancement and efficiency initiatives throughout the life of the application.

• Chief Risk Officer (“CRO”) – The CRO oversees entity-wide risk management, including cybersecurity related risk.


• Information Technology Officer (“ITO”) – The ITO has over 25 years of IT experience, over 20 years of financial services experience, and over 8 years of IT leadership at the Company, and is a technology subject matter expert. The ITO has been responsible for technology strategy, enterprise program management, and IT service management.

In order to ensure that cybersecurity risk management is integrated into the Company’s overall risk management plans, systems and processes, management provides regular reporting to the Board Audit and Risk Committee at least quarterly. In addition, the Company’s Board of Directors receives regular IT updates during its monthly meetings and the Technology Committee minutes are provided to the Board of Directors for review.

The Company’s cybersecurity risk mitigation program involves a combination of internal resources and the use of third parties. Through a third-party vendor, the Company’s internal IT team performs monthly vulnerability scanning and performs an annual risk assessment based on the National Institute of Standards and Technology Cybersecurity Framework. The results are reported to the Tech Committee. The Company’s IT and compliance staff also review potential cybersecurity threats associated with the Company’s third-party vendors, including performing a review of, and obtaining a System and Organization Controls report from, all vendors rated as “high risk” by the Company’s internal vendor management program. The Company also has an internal Incident Response Plan and Team, which is charged with overseeing the Company’s response to any cybersecurity incident. The team performs a table-top exercise at least annually to prepare to respond in the event of an actual cybersecurity incident.

In addition to these internal resources, the Company uses a third-party vendor to undertake annual penetration and vulnerability testing, with the results reported to the Tech Committee. Finally, the Company’s cybersecurity compliance program is audited by the Bank’s outsourced internal auditor.

The Company also maintains insurance which may provide coverage for expenses and certain losses incurred in connection with a cybersecurity incident.