Table of Contents

ITEM 1C.Cybersecurity

​

Risk Management and Strategy

The Company’s Information Security Program (“Program”) uses a variety of safeguards to protect the confidentiality, integrity, and availability of information. The Program is designed to identify, prevent, or mitigate the risks from cybersecurity threats. The Program leverages recognized security frameworks, such as the National Institute of Standards and Technology (NIST), Financial Services Information Sharing and Analysis Center (FS-ISAC), Federal Financial Institutions Examination Council (FFIEC), and Ransomware Self-Assessment Tool (R-SAT), to organize, improve, and assess the program and to better manage and reduce cybersecurity risk. The Program is assessed and updated annually and as needed.

The Company regularly assesses the threats and vulnerabilities to its environment so it can update and maintain its systems and controls to effectively mitigate these risks. Layered security controls are designed to complement each other to protect customer information and transactions. The Company periodically engages third-party experts and consultants to conduct evaluations of our security controls, whether through penetration testing, audits, assessments, or consulting on best practices to address new challenges. Results are used to help drive priorities and initiatives to improve the Program. Additionally, as a regulated entity, bank regulators assess the quality of our information security program during their regular examinations of the Company and its compliance with federal regulations and requirements.

The Company’s third-party risk management program is designed to oversee and identify the cybersecurity threats associated with the use of third-party service providers. While the optics into a third-party’s operation are limited, the Company performs risk-based evaluations of third-party service providers. These evaluations include reviewing information including, but not limited to, security assessment questionnaires, security testing summaries, audit reports performed under the SSAE 18 Audit Standard, and information security policies.

We view security awareness as a continuous program. All Company employees receive cybersecurity and fraud training at the required new employee orientation and subsequently receive information security tips via email. Employees also receive annual security awareness training.

During the fiscal year of this Report, the Company has not identified risks from cybersecurity threats that individually or in the aggregate have materially affected or are reasonably anticipated to materially affect the organization. Nevertheless, the Company recognizes cybersecurity threats are ongoing and evolving, and we continue to remain vigilant.

Governance

The Company’s system of internal controls also incorporates a protocol for the appropriate reporting and escalation of information and cyber security matters to management and the Board of Directors for resolution and, if necessary, disclosure of any material incidents. The Board of Directors is actively engaged in the oversight of the Company’s continuous efforts to reinforce and enhance its operational resilience and receives education to enhance their oversight efforts to accommodate for the ever-evolving information and cyber security threat landscape. The Information Security Officer (“ISO”) regularly updates these committees on the information and cyber security risks, threats, exposures, and mitigation measures. The Company’s incident response process is periodically tested and includes cybersecurity scenarios.

The Chief Operating Officer (COO) along with the ISO are responsible for developing and implementing our Program and reporting on cybersecurity matters to the Board. Our COO and ISO have over 25 years of combined related experience. We view cybersecurity as a shared responsibility, and we periodically perform simulations and tabletop exercises and incorporate external resources and advisors as needed.

The Program is overseen by the Information Security Committee, Board of Directors, and Compliance Committee.

The Company’s Board of Directors monitors the Program including policies and practices. The Company’s Compliance Committee and Information Security Committee along with the company’s Board of Directors oversee areas

30

Table of Contents

of operational risk such as information technology activities; risks associated with development, infrastructure, and cybersecurity; oversight of information security risk assessments, strategies, policies, and programs; and disaster recovery, business continuity, and incident response process. The ISO also provides periodic cybersecurity updates to the Board of Directors.

We face a number of cybersecurity risks in connection with our business. Although such risks have not materially affected us, including our business strategy, results of operations, or financial condition, to date. Disruptions in our information technology systems or a compromise of security with respect to our systems could adversely affect our operating results by limiting our ability to effectively monitor and control our operations, adjust to changing market conditions, implement strategic initiatives or support our customer transactions and our business may be adversely affected by security breaches at third-parties.

​