Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10-K reports, allowing investors to quickly identify new potential risks and opportunities.

Risk Factors - CSBB


ITEM 1A. RISK FACTORS.

Not Applicable.

ITEM 1B. UNRESOLVED STAFF COMMENTS.

Not applicable.

ITEM 1C. CYBERSECURITY

In the ordinary course of business, CSB relies on electronic communications and information systems to conduct its operations and to store sensitive data. CSB employs an in-depth, layered, defensive approach that leverages people, processes and technology to manage and maintain cybersecurity controls. CSB employs a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected advanced persistent threats. CSB places a high priority and focus on securing the confidential information it receives and stores about its customers and associates and providing highly available systems.

Governance

Our Information Security (“IS”) Program consists of policies, procedures and guidelines to ensure the security, availability, and confidentiality of systems and customer information. The IS Program is led by our Information Security Officer (“ISO”) under the direction of the Chief Information Officer (“CIO”) and is subject to oversight by our IT Steering Committee. The IT Steering Committee is a cross-functional management committee with overall responsibilities for identifying and approving the IT Strategic plan, identifying and approving strategic technology based initiatives that improve/enhance the security posture and mitigation efforts of cybersecurity threats, monitoring of the technology infrastructure and systems, monitoring critical vendors, monitoring cybersecurity threats and issues, and conducting, reviewing, and monitoring IT based risk assessments. These efforts include the framework used to identify and prevent cyberattacks or breaches. The IT Steering Committee makes recommendations for approval of certain risk assessments, risk frameworks, and appropriate application of mitigation strategies and frameworks to the Board of Directors.

The Board of Directors oversees the IS Program in the following ways: (a) monitors and oversees the Company’s business and information technology operations necessary for its business plan, including projected growth, technology capacity, planning, operational execution, product development and management capacity, (b) reviews the Company’s framework(s) to prevent, detect, and respond to cyberattacks or breaches, as well as identifying areas of concern regarding possible vulnerabilities, and reviews policies pertaining to information security and cyber threats, taking into account the potential for external threats, internal threats, and threats arising from transaction and contractual relationships with trusted third party vendors, and (c) reviews the Company’s incident response, business continuity and disaster recovery planning and preparedness including processes, policies and procedures that are related to preparing for recovery or continuation of technology infrastructure which are vital to the Company. As part of the Board’s oversight, the Board receives frequent reports from the CIO and ISO including the summarization of new and emerging cybersecurity threats and trends and the effectiveness of our IS Program in mitigating cybersecurity threats among other items. In the event of an information security incident, our Incident Response Plan clarifies the steps for escalation according to the severity of the event.

The IS team is staffed primarily with internal associates, and we utilize third party service providers for extended coverage. We hire IS team members that have relevant information security experience or technology certifications and knowledge to implement and oversee the procedures and processes of our IS Program and to adequately manage and enforce our policies and procedures. Further, management involved in the cybersecurity process possesses the necessary skills and expertise to adequately manage and enforce our policies and procedures.

While all vendors are subject to our vendor management process, those with access to our data and data centers are subject to more rigorous initial and ongoing due diligence. This includes the reviews of Service Organization Control 2 ("SOC 2") reports, financial information, and other policies and procedures related to such third-party vendors and their various programs, including vendor management.

Risk Management and Strategy

As part of the ongoing maintenance and development of our IS Program, we assess the various risks associated with the unauthorized access or loss of client information and the quality of security controls as prescribed by the Federal Financial Institutions Examinations Council and several other frameworks. The frameworks and our IS risk assessments are utilized to monitor and develop strategies to minimize risk to our information assets.

Our systems are monitored 24/7 for cybersecurity threats, and we utilize a variety of tools to reduce the risk of data breaches and cybersecurity events. We maintain an Incident Response Plan that outlines the steps to be taken in the event of an incident, which could include a potential or actual data breach. The plan identifies a designated team, including associates and third-party experts, responsible for incident response and summarizes the steps, including escalation protocol, for determining whether an event has occurred and the nature and scope of the event (if applicable). The plan also summarizes protocol for notifying impacted persons, which may include customers as well as other applicable agencies or persons, including law enforcement and regulatory authorities.

At least annually, we conduct a third-party information security audit focusing on internal and external network security protocols and penetration testing, as well as internally managed ad hoc testing as needed. Simulations and tabletop testing of our business continuity and Incident Response Plans are performed on a routine basis and assist with our associates’ familiarity and preparedness for an event. Any gaps or improvement areas identified by routine testing are addressed in a timely manner to help improve future testing and response.

The processes and controls related to data security are regularly tested by the IS department and Internal Audit. Additional internal security assessments may be performed at the request of the CISO, CIO, the Internal Auditor, Management or our Board. Audit and assessment results are presented to the Audit Committee of the Board, and to the IT Steering Committee.

At least annually, the IS Program, including its effectiveness, is reviewed by the Board. Annually, all associates participate in mandatory training related to the IS Program, including information security and its importance with respect to customer and associate privacy. All associates are required to participate in monthly bank-wide phishing tests. Results from these tests are delivered to our Audit Committee of the Board of Directors.

Notwithstanding the strength of CSB’s defensive measures, the threat from cyber-attacks is severe, attacks are sophisticated and increasing in volume, and attackers respond rapidly to changes in defensive measures. While to date, CSB has not detected a significant compromise, significant data loss or any material financial losses related to cybersecurity attacks, CSB’s systems and those of its customers and third-party service providers are under constant threat and it is possible that CSB could experience a significant event in the future. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as the expanding use of internet banking, mobile banking and other technology-based products and services by the Company and its customers.
