Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy

Our risk management program is designed to identify, assess, and mitigate risks across all aspects of our organization. Given the increasing reliance on technology and increasing risk of cyber threats, cybersecurity is a critical component of our overall risk management program. Our Information Security Officer (“ISO”) is primarily responsible for the development, management, and monitoring of our information security program, which includes a cybersecurity component.  The ISO is a key member of the risk management team, reporting directly to the Chief Risk Officer and provides reporting on the information security program to the Information Technology Steering Committee, Audit Committee and our board of directors.  

Our information security program is based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, regulatory guidance, and the Federal Financial Institutions Examination Council (“FFIEC”) guidelines. In addition, we leverage certain industry and government associations, third-party benchmarking, audits, and threat intelligence feeds to facilitate and promote program effectiveness.  Our ISO and Chief Technology Officer (“CTO”) and other key members of their teams, regularly collaborate with peer banks, industry groups, and policymakers to discuss cybersecurity trends and issues to ensure the program’s effectiveness.  We employ an in-depth, layered, defensive strategy focused on prevention, identification, response and rapid remediation. We leverage people, processes, and technology as part of our efforts to manage and maintain cybersecurity controls. We have established processes and systems designed to mitigate cyber risk, including regular and on-going education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests. We engage in regular assessments of our infrastructure, software systems, and network architecture.  We maintain a third-party risk management program designed to identify, assess, and manage risks, including cybersecurity risks, associated with external service providers. We actively monitor our email gateways for malicious phishing email campaigns and monitor remote connections because a significant portion of our workforce has the option to work remotely. We leverage internal and external auditors and independent external partners to periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and to make recommendations to strengthen our risk management program.

We maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification of and escalation to the appropriate Board-approved management committees. The Incident Response Plan is coordinated through the ISO and key members of management are embedded into the plan by its design. The Incident Response Plan facilitates coordination across multiple parts of our organization and is evaluated and tested at least annually.

Notwithstanding our defensive measures and processes, the threat posed by cyber-attacks is potentially severe. Our internal systems, processes, and controls are designed to prevent and mitigate loss from cyber-attacks and, while we have experienced cybersecurity incidents in the past, to date, risks from cybersecurity threats have not materially affected, or are not reasonably likely to materially affect, our business strategy, results of operations, or financial condition.  Please see Part I, Item 1A Risk Factors for further discussion of the risks associated with an interruption or breach in our information systems or infrastructure.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

Our risk management program is designed to identify, assess, and mitigate risks across all aspects of our organization. Given the increasing reliance on technology and increasing risk of cyber threats, cybersecurity is a critical component of our overall risk management program. Our Information Security Officer (“ISO”) is primarily responsible for the development, management, and monitoring of our information security program, which includes a cybersecurity component.  The ISO is a key member of the risk management team, reporting directly to the Chief Risk Officer and provides reporting on the information security program to the Information Technology Steering Committee, Audit Committee and our board of directors.  

Our information security program is based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, regulatory guidance, and the Federal Financial Institutions Examination Council (“FFIEC”) guidelines. In addition, we leverage certain industry and government associations, third-party benchmarking, audits, and threat intelligence feeds to facilitate and promote program effectiveness.  Our ISO and Chief Technology Officer (“CTO”) and other key members of their teams, regularly collaborate with peer banks, industry groups, and policymakers to discuss cybersecurity trends and issues to ensure the program’s effectiveness.  We employ an in-depth, layered, defensive strategy focused on prevention, identification, response and rapid remediation. We leverage people, processes, and technology as part of our efforts to manage and maintain cybersecurity controls. We have established processes and systems designed to mitigate cyber risk, including regular and on-going education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests. We engage in regular assessments of our infrastructure, software systems, and network architecture.  We maintain a third-party risk management program designed to identify, assess, and manage risks, including cybersecurity risks, associated with external service providers. We actively monitor our email gateways for malicious phishing email campaigns and monitor remote connections because a significant portion of our workforce has the option to work remotely. We leverage internal and external auditors and independent external partners to periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and to make recommendations to strengthen our risk management program.

We maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification of and escalation to the appropriate Board-approved management committees. The Incident Response Plan is coordinated through the ISO and key members of management are embedded into the plan by its design. The Incident Response Plan facilitates coordination across multiple parts of our organization and is evaluated and tested at least annually.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Our board of directors has approved management committees including the Information Technology Steering Committee, which focuses on technology impact, and the Risk Management Committee, which focuses on business impact and cyber security awareness. These management committees provide oversight and governance of the technology program and the information security program. These management committees are chaired by department managers and include the ISO and CTO and other key departmental managers from throughout the organization. These management committees generally meet quarterly to provide oversight of the risk management strategy, standards, policies, practices, controls, and mitigation and prevention efforts employed to manage security risks. More frequent meetings occur, as needed, if and when the Incident Response Plan is activated.

The ISO reports summaries of key issues, including significant cybersecurity and/or privacy incidents discussed at management committee meetings and the actions taken in the quarterly Information Technology Steering Committee meetings (or more frequently as may be required by the Incident Response Plan). The Information Technology Steering Committee and Audit Committee of the board of directors are responsible for overseeing our information security and technology programs, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. Our ISO and CTO provide quarterly reports to the Information Technology Steering Committee regarding the information security and technology programs, including key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes and systems.  The Information Technology Steering Committee reviews and approves our information security and technology budgets and strategies annually. Additionally, the Risk Management Committee and Audit Committee of our board of directors review our cyber security risk profile on a quarterly basis. The Information Technology Steering Committee and Risk Management Committee each provide a report of their activities to the full board of directors at least quarterly.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Information Technology Steering Committee and Audit Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

Our board of directors has approved management committees including the Information Technology Steering Committee, which focuses on technology impact, and the Risk Management Committee, which focuses on business impact and cyber security awareness. These management committees provide oversight and governance of the technology program and the information security program. These management committees are chaired by department managers and include the ISO and CTO and other key departmental managers from throughout the organization. These management committees generally meet quarterly to provide oversight of the risk management strategy, standards, policies, practices, controls, and mitigation and prevention efforts employed to manage security risks. More frequent meetings occur, as needed, if and when the Incident Response Plan is activated.

The ISO reports summaries of key issues, including significant cybersecurity and/or privacy incidents discussed at management committee meetings and the actions taken in the quarterly Information Technology Steering Committee meetings (or more frequently as may be required by the Incident Response Plan). The Information Technology Steering Committee and Audit Committee of the board of directors are responsible for overseeing our information security and technology programs, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. Our ISO and CTO provide quarterly reports to the Information Technology Steering Committee regarding the information security and technology programs, including key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes and systems.  The Information Technology Steering Committee reviews and approves our information security and technology budgets and strategies annually. Additionally, the Risk Management Committee and Audit Committee of our board of directors review our cyber security risk profile on a quarterly basis. The Information Technology Steering Committee and Risk Management Committee each provide a report of their activities to the full board of directors at least quarterly.

Cybersecurity Risk Role of Management [Text Block] Our Information Security Officer (“ISO”) is primarily responsible for the development, management, and monitoring of our information security program, which includes a cybersecurity component.  The ISO is a key member of the risk management team, reporting directly to the Chief Risk Officer and provides reporting on the information security program to the Information Technology Steering Committee, Audit Committee and our board of directors.

Our ISO has 18 years of experience in the financial services industry with a strong emphasis on technology-driven environments. His background spans all major areas of the banking sector, giving him broad operational and strategic insight into cybersecurity risks unique to financial institutions. He holds an MBA in Financial Services and is a Certified Information Security Manager (“CISM”) professional.

In his role, the ISO is responsible for leading our enterprise information security function and overseeing the execution of our information security program. His responsibilities include cybersecurity risk assessment, security operations and monitoring, incident response, vulnerability management, threat intelligence, identity and access governance, third-party risk management, and business resilience.

The information security department consists of professionals with diverse technical expertise, educational backgrounds, and experience levels. Team members are generally required to maintain relevant professional education and certification consistent with industry expectations. Our ISO’s extensive experience, formal education, and cybersecurity credentials provide substantial relevant expertise to effectively oversee our information security program and support sound governance of cybersecurity risks.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Information Security Officer
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

Our ISO has 18 years of experience in the financial services industry with a strong emphasis on technology-driven environments. His background spans all major areas of the banking sector, giving him broad operational and strategic insight into cybersecurity risks unique to financial institutions. He holds an MBA in Financial Services and is a Certified Information Security Manager (“CISM”) professional.

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The ISO reports summaries of key issues, including significant cybersecurity and/or privacy incidents discussed at management committee meetings and the actions taken in the quarterly Information Technology Steering Committee meetings (or more frequently as may be required by the Incident Response Plan). The Information Technology Steering Committee and Audit Committee of the board of directors are responsible for overseeing our information security and technology programs, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. Our ISO and CTO provide quarterly reports to the Information Technology Steering Committee regarding the information security and technology programs, including key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes and systems.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true