Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy

The Company believes that a strong cybersecurity program is vital to effective cybersecurity risk management. The Company recognizes the importance of developing, implementing, and maintaining robust cybersecurity measures to help safeguard sensitive information and its business operations, and to protect the confidentiality, integrity, and availability of its information systems and the nonpublic information transmitted, processed and stored on its systems or those of third-party service providers.

Managing Material Risks & Integrated Overall Risk Management

The Company has integrated cybersecurity risk management into its broader risk management framework in order to promote a culture that values protecting sensitive information. This integration is intended to promote the inclusion of cybersecurity considerations in decision-making processes throughout the Company. The Bank’s general risk management personnel, including the Chief Risk Officer (“CRO”), work closely with their information technology and security counterparts to evaluate and address cybersecurity threats in alignment with our business objectives and operational needs.

The Company also maintains a system-wide information security program that applies to all employees. All employees are expected to assist in safeguarding the Company’s information systems and to assist in the detection and reporting of cybersecurity incidents. This Company-wide program is intended to identify and assess internal and external cyber and information security risks that may threaten the security or integrity of nonpublic information stored on the Company’s information systems or those of third-party providers from unauthorized access, use or other malicious acts.

The Board of Directors is responsible for overseeing the Company’s cybersecurity program. The Board of Directors has established oversight mechanisms that are intended to promote effective governance in managing risks associated with cybersecurity threats because it recognizes the significance of these threats to the Company’s operational integrity and the information stored on the Company’s information systems or those of third-party service providers. See “—Governance—Board of Directors Oversight.”

Engage Third-parties on Risk Management

Recognizing the complexity and evolving nature of cybersecurity threats, the Company engages with a range of external experts from time to time, including cybersecurity assessors, risk management professionals, and other consultants, in evaluating and testing our risk management systems. We also engage third-party services on an ongoing basis to conduct independent audits of our risk management systems. These engagements enable us to leverage specialized knowledge and insights and assist the Company with its goal of maintaining cybersecurity strategies and processes that are consistent with industry best practices. Our collaboration with these third parties includes tabletop exercises, penetration testing and other cyber-support services.

Oversee Third-party Risk

Because the Company is aware of the risks associated with third-party service providers, the Company has implemented policies and processes to oversee and assist with managing these risks. The Company’s Third-Party Risk Management Officer (the “TPRM”) conducts security and risk assessments of all third-party providers before engagement and monitors these third-party providers on an ongoing basis to assess each provider’s compliance with the Company’s cybersecurity standards, which are intended to be commensurate with the level of risk and complexity of the relationship with, and the activities performed by, a given provider engaged by the Company. In addition, the TPRM conducts an annual risk assessment of any third-party provider that provides critical services to the Company or has access to customers’ protected data. This approach is designed to help identify and mitigate risks related to data breaches or other cybersecurity incidents originating from third parties in order to better protect our customers’ personally identifiable information and the Company’s assets and data.

Risks from Cybersecurity Threats

We have not encountered cybersecurity threats or incidents that have materially and adversely affected, or are reasonably likely to materially and adversely affect, the Company’s business strategy, results of operations or financial condition. Notwithstanding the defensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While the Company maintains cybersecurity insurance, the costs related to cybersecurity threats, incidents or disruptions may not be fully insured. For more information regarding the risks we face from cybersecurity threats, see Part I, Item 1A., “Risk Factors—Risks Related to the Company’s Operations—A failure in the Company’s operation and/or information systems or infrastructure, or those of third parties, including cyber-attacks, could impair the Company’s liquidity, disrupt its businesses, result in the unauthorized disclosure of confidential information, damage its reputation, and cause financial losses.”

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

Managing Material Risks & Integrated Overall Risk Management

The Company has integrated cybersecurity risk management into its broader risk management framework in order to promote a culture that values protecting sensitive information. This integration is intended to promote the inclusion of cybersecurity considerations in decision-making processes throughout the Company. The Bank’s general risk management personnel, including the Chief Risk Officer (“CRO”), work closely with their information technology and security counterparts to evaluate and address cybersecurity threats in alignment with our business objectives and operational needs.

The Company also maintains a system-wide information security program that applies to all employees. All employees are expected to assist in safeguarding the Company’s information systems and to assist in the detection and reporting of cybersecurity incidents. This Company-wide program is intended to identify and assess internal and external cyber and information security risks that may threaten the security or integrity of nonpublic information stored on the Company’s information systems or those of third-party providers from unauthorized access, use or other malicious acts.

The Board of Directors is responsible for overseeing the Company’s cybersecurity program. The Board of Directors has established oversight mechanisms that are intended to promote effective governance in managing risks associated with cybersecurity threats because it recognizes the significance of these threats to the Company’s operational integrity and the information stored on the Company’s information systems or those of third-party service providers. See “—Governance—Board of Directors Oversight.”

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]

Risks from Cybersecurity Threats

We have not encountered cybersecurity threats or incidents that have materially and adversely affected, or are reasonably likely to materially and adversely affect, the Company’s business strategy, results of operations or financial condition. Notwithstanding the defensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While the Company maintains cybersecurity insurance, the costs related to cybersecurity threats, incidents or disruptions may not be fully insured. For more information regarding the risks we face from cybersecurity threats, see Part I, Item 1A., “Risk Factors—Risks Related to the Company’s Operations—A failure in the Company’s operation and/or information systems or infrastructure, or those of third parties, including cyber-attacks, could impair the Company’s liquidity, disrupt its businesses, result in the unauthorized disclosure of confidential information, damage its reputation, and cause financial losses.”

Cybersecurity Risk Board of Directors Oversight [Text Block]

Board of Directors Oversight

Our information security program is designed to ensure adequate governance and oversight are in place while evolving to meet changes in applicable laws and regulations, and industry best practices. Cybersecurity is a significant risk to the enterprise and matters related to information security are regularly featured as part of management’s enterprise risk profile updates to the Risk Committee of the Board of Directors (the “Risk Committee”), which occur at least on a quarterly basis. The Chair of the Risk Committee reports to the Board of Directors on the committee’s proceedings and activities, including in connection with the committee’s deliberation on information security matters, on a regular basis. In addition to regular touchpoints on cyber matters at the Risk Committee, the Board of Directors receives briefings from the Bank’s Chief Information Security Officer (the “CISO”) semi-annually.

The Board of Directors, directly and through its standing committees (particularly the Risk Committee and the Audit Committee of the Board of Directors), also engages in broader discussions regarding existing and emerging operational and technology risks with members of management across all lines of defense. To supplement the Board of Directors’ regular engagement regarding the Company’s information security program, the director education program includes cybersecurity-related training opportunities, which assists the directors in staying current on developments and maintaining appropriate knowledge regarding the evolving cybersecurity and threat landscape.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Risk Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

The Board of Directors, directly and through its standing committees (particularly the Risk Committee and the Audit Committee of the Board of Directors), also engages in broader discussions regarding existing and emerging operational and technology risks with members of management across all lines of defense. To supplement the Board of Directors’ regular engagement regarding the Company’s information security program, the director education program includes cybersecurity-related training opportunities, which assists the directors in staying current on developments and maintaining appropriate knowledge regarding the evolving cybersecurity and threat landscape.

Cybersecurity Risk Role of Management [Text Block]

Management’s Role Managing Risk

The Company’s Enterprise Risk Management Committee (the “ERMC”), an interdepartmental, management-level committee, meets at least quarterly and is responsible for ensuring that the Company has appropriate policies and procedures in place to help identify, measure, monitor and control potentially significant business risks. In connection with these responsibilities, the ERMC receives quarterly risk and control self-assessments and action plans for risk remediation, if required, to reduce residual risks. This includes information security action plans from the CISO, the CDO, and/or other key stakeholders. The incorporation of these reports into the ERMC’s meetings is intended to promote the inclusion of cybersecurity considerations in the risk management decision-making processes throughout the Company.

The Information Technology/Information Security Steering Committee (the “IT Steering Committee”) reports directly into the ERMC and meets at least quarterly. The IT Steering Committee is composed of senior members of management, including the CDO, the CRO and the CISO. The IT Steering Committee oversees information technology matters at the Company, including the implementation of all cybersecurity policies, standards, guidelines and procedures. The responsibilities of the IT Steering Committee include, among other things, updating the Company’s information technology policies, reviewing the architecture of the Company’s information system infrastructure and monitoring the progress of any significant hardware or software updates or installation. In addition, the IT Steering Committee provides quarterly reports to the ERMC and the Risk Committee regarding any information-technology-related matters that, in the opinion of the IT Steering Committee, should be escalated.

The CISO plays an important role in the prevention, detection, mitigation, and remediation of cybersecurity incidents and in informing management, the Risk Committee and the Board of Directors on cybersecurity risks and issues. The CISO provides quarterly briefings to the Risk Committee on any significant information security issues, relevant cybersecurity metrics and the status of the Company’s security-related strategic initiatives. As discussed above, the CISO also provides mid-year and annual reports to the full Board of Directors regarding the state of the Company’s information security program. The annual reports encompass a broad range of topics, including:

Confidentiality of nonpublic information and the integrity and security of the Company’s information systems;
Cybersecurity policies and procedures;
Material cybersecurity risks;
Effectiveness of our cybersecurity program; and
Any material cybersecurity incidents.

In addition to these scheduled meetings, the Risk Committee, the CISO, the CDO, the CRO, and other members of management maintain ongoing dialogues with respect to emerging or potential cybersecurity threats. The Risk Committee also receives reports and updates from management regarding significant cybersecurity developments so that the Board of Directors can be promptly notified, as and when appropriate, of any threats or incidents as well as management’s proposed responses.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]

The Company’s Enterprise Risk Management Committee (the “ERMC”), an interdepartmental, management-level committee, meets at least quarterly and is responsible for ensuring that the Company has appropriate policies and procedures in place to help identify, measure, monitor and control potentially significant business risks. In connection with these responsibilities, the ERMC receives quarterly risk and control self-assessments and action plans for risk remediation, if required, to reduce residual risks. This includes information security action plans from the CISO, the CDO, and/or other key stakeholders. The incorporation of these reports into the ERMC’s meetings is intended to promote the inclusion of cybersecurity considerations in the risk management decision-making processes throughout the Company.

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

The Company’s CISO has extensive experience in the field of cybersecurity and is responsible for managing the Company’s cybersecurity risks and ensuring that the Company’s security posture is aligned with its business objectives. Our CISO’s technical and business experience is helpful for developing and executing our cybersecurity strategies. The CISO helps to oversee the Company’s information security policies and programs, perform risk and vulnerability assessments of the Company’s information systems, and coordinate responses to cybersecurity incidents in conjunction with the CDO, the Company’s Incident Response Team (the “IRT”), the IMT and management.

The Company’s CDO has extensive experience in establishing and maintaining scalable and secure technology systems and is responsible for maintaining the Company’s various digital platforms. Our CDO worked in various systems, information technology and digital managerial roles at a global financial and investment firm prior to joining the Company. Our CDO’s technical and managerial experience is helpful for developing and executing our cybersecurity strategies. The CDO helps to oversee the Company’s efforts to improve its system’s capabilities, reliability, scalability and security.

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

The Company’s CRO is responsible for identifying, controlling and mitigating risks that could impact the Company’s operations. Our CRO’s decades of experience managing the various risks faced by financial institutions is helpful for developing and executing our cybersecurity strategies in a manner that is aligned with the overall risk management framework of the Company.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true