Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy

 

Bancorp has established an Information Security program, which is overseen by the Director of Information Security and the Information Security Officer. This role reports to the Chief Risk Officer. The Information Security program is structured upon and informed by the Center for Internet Security, which aligns with the National Institute of Standards and Technology Cybersecurity Framework. The primary objectives of the Information Security program are to protect the confidentiality, integrity and availability of our information assets, comply with applicable laws, regulations and contractual obligations, and manage significant risks arising from cybersecurity threats. These processes are integrated into the institution’s overall risk management system, ensuring a unified approach to risk mitigation.

 

The Information Security program includes several key processes and functions such as access control monitoring, threat detection, vulnerability management, understanding the implications of technological changes, managing third-party relationships, and mandating employee awareness and education among other components. These activities aim to prevent avoidable errors, raise awareness, identify potential vulnerabilities, protect systems, detect security incidents and recover from any incidents that occur. These processes are continually updated and enhanced to keep pace with the evolving cybersecurity landscape.

 

To ensure effective risk management, Bancorp adopts the three lines of defense model, which consists of the following elements:

 

 

The first line of defense is operational management, which is responsible for implementing and maintaining the Information Security program, as well as identifying and mitigating cybersecurity risks on a day-to-day basis.

 

The second line of defense consists of the risk management and compliance functions, which provide oversight, guidance, and support to the first line of defense, as well as monitoring and reporting on the institution’s cybersecurity posture and performance.

 

The third line of defense is the internal audit function, which provides independent assurance of the effectiveness and adequacy of the Information Security program, as well as compliance with relevant policies, standards and regulations.

 

When necessary, the institution engages external assessors, consultants, and auditors with expertise in cybersecurity to evaluate and enhance its systems, policies and procedures. These external parties provide valuable insights into emerging threats and best practices, enhancing Bancorp’s ability to adapt and respond effectively. Bancorp also undergoes recurring regulatory examinations, and identified issues are actively tracked and monitored for remediation.

 

In addition to external entities, Bancorp has internal oversight mechanisms to identify cybersecurity risks, including those associated with its use of third-party service providers and related downstream service providers. This includes thorough due diligence during vendor selection, ongoing monitoring, setting clear contractual obligations to uphold cybersecurity standards and other interventions necessary to address risk, such as those addressed in Part I Item 1A “Risk Factors.”

 

In the event of a security incident, Bancorp has developed an Incident Response Plan to guide necessary actions. The Incident Response Plan is a well-established document that is updated at least annually. It provides guidance before, during and after a confirmed or suspected security incident, outlining how to minimize the duration and damage of an incident, identifying a response team and streamlining actions to improve recovery time.

 

While Bancorp has not experienced any cybersecurity incidents that have materially affected its operations, it acknowledges the potential impact such risks could have on business strategy, financial condition and operational resilience. The institution remains vigilant, continuously evaluating and enhancing its cybersecurity measures to preemptively address any potential risks that could impact its operations or financial condition. This approach aligns with the institution’s commitment to maintaining the trust and security of its stakeholders in an increasingly digital world.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance

 

Bancorp’s Credit and Risk Committee, which includes board of director representation, maintains a robust oversight framework for evaluating and managing risks associated with cybersecurity threats. The committee convened four times during the year ended December 31, 2024 in order to carry out its oversight responsibilities, engaging directly in discussions about cybersecurity risks to ensure they are comprehensively addressed within the institution’s risk management framework. This included, but was not limited to, vulnerability trends, identified or potential third-party risks, risks precipitated by technological changes, confirmed or potential security incidents, policy and procedure changes, the organization’s risk appetite, the FFIEC’s Cybersecurity Assessment Tool, conclusions from the risk assessment, audit and regulatory reports, routine quarterly and annual reporting, as well as other notable key risk indicators.

 

The entire board of directors of Bancorp is actively involved in the oversight of the institution’s cybersecurity risks. The Chair of the Credit and Risk Committee regularly reports the committee’s activities to the board of directors. In addition, management reports to the board of directors on an as-needed basis concerning high-priority information security-related topics, such as cybersecurity incidents. This ensures that the board of directors is always informed and can provide strategic direction on significant cybersecurity matters.

 

A dedicated committee, the Information Security Risk Committee, is specifically responsible for overseeing cybersecurity threats and informing the decisions of the Credit and Risk Committee. The Information Security Risk Committee, comprising individuals with diverse expertise in technology, risk management and cybersecurity, meets monthly. They discuss a range of strategic topics, including vulnerability trends, identified or potential third-party risks, risks precipitated by technological changes, confirmed or potential security incidents and other items related to the institution’s preparedness measures. The Information Security Risk Committee’s purpose is to provide strategic direction for the Information Security program and to evaluate known risks based on Bancorp’s existing controls and risk appetite.

 

Management also plays a crucial role in assessing and managing Bancorp’s cybersecurity risks. Specific roles, such as the Information Security Officer and Director of Information Security, are tasked with monitoring, evaluating, and mitigating these risks in coordination with the Information Security Risk Committee. Both the Information Security Officer and Director of Information Security possess relevant expertise and experience in cybersecurity, enabling them to effectively navigate and respond to emerging threats. The Information Security Officer, who holds a Bachelor’s degree in Computer Science and a Master’s degree in Information Systems Security, along with several relevant industry certifications, has been with Bancorp for four years and has additional experience working in technology outside of the organization. The Director of Information Security, who also holds several relevant certifications, has been with Bancorp’s Information Security department for 20 years and brings extensive experience with technology.

 

To keep the Information Security Risk Committee and Credit and Risk Committee informed, management ensures consistent and structured reporting mechanisms are in place. They regularly update these governing bodies on the prevention, detection and mitigation of cybersecurity incidents. This reporting includes detailed insights into the institution’s cybersecurity posture, ongoing initiatives and any necessary adjustments or enhancements to existing measures.

 

The communication between management, the Information Security Risk Committee, and the Credit and Risk Committee facilitates a holistic understanding of cybersecurity risks, ensuring proactive measures are in place to safeguard Bancorp's operations, preserve its financial stability, and maintain the trust of its stakeholders.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true