Risk Factors Dashboard

The Risk Management Committee of the Board of Directors (the “Committee”) is responsible for overseeing the risks from cybersecurity threats. The Committee receives reports from, and oversees, IT Risk Assessment, Cybersecurity Risk Assessment, Annual IT Program Status Report, Vendor Management Risk Assessment, and Quarterly Internal Vulnerability Reports and current Cyber Events briefings. The Committee also makes budgeting, procedure, and policy decisions designed and intended to improve the Company’s residual risk. The Committee also makes budgeting, procedure, and policy decisions designed and intended to improve the Company’s residual risk.

The IT Steering Committee consists of the Company’s senior management, the entire IT team, and various operations personnel. The primary function of the IT Steering Committee is to perform Strategic Planning, discuss hardware and software replacement, new projects, current cybersecurity threats, and ongoing cybersecurity issues and threats. The primary function of the IT Steering Committee is to perform Strategic Planning, discuss hardware and software replacement, new projects, current cybersecurity threats, and ongoing cybersecurity issues and threats. The IT manager provides an IT status report to the Risk Management committee on a quarterly basis.

Our IT department performs annual risk assessments to evaluate the effectiveness of the controls to support the requirements under Gramm-Leach Bliley Act ("GLBA"), and Federal Institutions Examination Council ("FFIEC") Guidance on Securing Customer Information. The focus areas include:

Internal and external Penetration Testing is performed annually. Tests are conducted or reviewed by independent third parties or qualified Associates independent of those that develop or maintain the security program. Testing is performed annually by third party auditors contracted through the company's IT department. Management reviews test results promptly and ensures that appropriate steps are taken to address adverse test results. Management reviews test results promptly and ensures that appropriate steps are taken to address adverse test results. Remediation efforts are organized and made available to the Committee as well as for review by third party auditors and examiners.

The Company has adopted an Incident Response Plan (the “Plan”) to monitor, detect, mitigate and remediate cybersecurity incidents. The Plan requires all employees to have a working knowledge of the Company’s Information Security Program and Incident Response Policies. The Plan requires all employees to have a working knowledge of the Company’s Information Security Program and Incident Response Policies. Pursuant to the Plan, the Information Technology Administrator and Senior\Compliance Management identify information owners for sensitive customer information and create an incident response team. Pursuant to the Plan, the Information Technology Administrator and Senior\Compliance Management identify information owners for sensitive customer information and create an incident response team. Each Department Manager, upon notification of a potential unauthorized access, manipulation of data or theft of any item identified under GLBA Inventory and Asset Classification, is responsible for further assessing the situation in order to document the suspected or actual breech, and forward the appropriate documentation to the Information Technology Administrator. Each Department Manager, upon notification of a potential unauthorized access, manipulation of data or theft of any item identified under GLBA Inventory and Asset Classification, is responsible for further assessing the situation in order to document the suspected or actual breech, and forward the appropriate documentation to the Information Technology Administrator. The documentation of the suspected or actual incident includes the following:

Once the Department Manager has determined that unauthorized access, manipulation of data or theft of any item identified under GLBA Inventory and Asset Classification has occurred, Senior Management, the Compliance Officer and the Information Technology Administrator must be contacted immediately.

If theft of any item identified under GLBA Inventory and Asset Classification has occurred, and it cannot be determined what specific information was included on the Asset, the Asset is treated as if it contained sensitive customer information and Senior Management, the Compliance Officer and the Information Technology Administrator must be contacted immediately. If the Information Technology Administrator and Senior\Compliance Management declare an incident or if there is a confirmed theft or loss of customer information, appropriate regulatory authorities, law enforcement, and legal counsel are notified. If the Information Technology Administrator and Senior\Compliance Management declare an incident or if there is a confirmed theft or loss of customer information, appropriate regulatory authorities, law enforcement, and legal counsel are notified.