Governance.

The Finance and Risk Management Committee is a standing committee of the Board formed in January 2014 to assist the Board and the Executive Committee of the Board in fulfilling their responsibility with respect to the oversight of the Company’s (1) enterprise risk management and financial framework, including all risks associated therewith, including risks related to cyber incidents and (2) policies and practices relating to financial matters, including but not limited to, capital, liquidity and financing, as well as to merger, acquisition and divestiture activity. The Finance and Risk Management Committee reports to the Board regarding the Company’s risk profile, as well as its enterprise risk management framework, including the significant policies and practices employed to manage such risks, as well as the overall adequacy of the enterprise risk management function.

Material risks and results from any industry standard risk assessments parties, including any recommendations to further mitigate, transfer or eliminate risks, if applicable, are reported annually to the TOC, as well as to the Board’s Finance and Risk Management Committee, who then reports the results to the Bank’s Board. Further, these results are included in the Board’s annual Information Security Program Report.

Technology and cybersecurity risk metrics are two of the Bank’s primary categorical risks defined in the Bank’s enterprise risk management framework. The Enterprise Risk Management Dashboard, which includes ongoing monitoring of current and emerging technology and cybersecurity risks, is presented to the Finance and Risk Management Committee and to the Bank’s Board on a tri-annual basis. In addition, reports on the monitoring of third-party relationships, particularly critical relationships, are presented to the Finance and Risk Management Committee.

The Bank’s Board, through the Finance and Risk Management Committee, has oversight of cybersecurity incident disclosures, if applicable. The Finance and Risk Management Committee shall annually review with Management the Company’s Business Continuity Plan (the “BCP”), the BCP Policy, BCP testing results and the Company’s Pandemic Plan and Cyber Incident Response Plan and programs, including materiality determination criteria and escalation protocols with respect to the prompt reporting of material cyber incidents to the Finance and Risk Management Committee and the Bank’s Board. The Finance and Risk Management Committee shall further review with Management and report to the Bank’s Board any cyber incident disclosure reports to or from regulators with respect thereto, and the root cause and remediation and enhancement efforts with respect thereto.

The Bank’s Information Technology team (the “IT Team”) is comprised of professionals with technology certifications, or Associate, Bachelor’s or Master’s degrees across business, technology and cybersecurity disciplines. The IT Team maintains and enhances its technical expertise through ongoing participation in business, technology, and cybersecurity training programs, including certifications focused on emerging technologies and evolving cyber-risk practices. 

The IT leadership team, consisting of Assistant Vice Presidents and above, bring extensive technical experience primarily aligned with the financial services industry. The Bank’s ISO holds the Certified Cyber Crimes Investigator designation from the International Association of Financial Crimes Investigators and completes ongoing cybersecurity-related continuing education to support improving the Bank’s information security posture.