Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

ITEM 1C. CYBERSECURITY

 

The Company’s cybersecurity risk program was developed and is maintained to identify, analyze, and remediate the associated risks that cyber threats pose to our organization, particularly in light of our continually increasing reliance on technology in delivering electronic banking solutions and supporting our computer network. The program is overseen and executed by a team of experienced, certified cybersecurity professionals.

 

The objective of our program is to avoid or minimize the impact of external threats and efforts to disrupt and/or gain unauthorized access to our computer systems and the secure customer data information stored on these systems. Our computer environment is aligned with the National Institute of Standards and Technology Cybersecurity framework (the “NIST”), banking regulations, and other applicable security industry standards and protocols. We use industry expert vendors to provide 24/7/365 threat intelligence and network security monitoring and to provide periodic risk assessment audits, in addition to the periodic information technology audit examinations conducted by the FDIC and Maryland Commissioner. Our President and our Information Technology Security/Compliance Officer provide periodic reports, recommendations and information about industry best practices to the Board of Directors, the Board’s Audit Committee, and the Bank’s Information Technology Strategic Planning Committee.

 

Our Information Technology Security/Compliance Officer is primarily responsible for the ongoing review and management of our cybersecurity risk program and provides quarterly reports and other information throughout the year to our President, our Board of Directors, the Board’s Audit Committee and its Executive Committee, and the Bank’s Information Technology Strategic Planning Committee for the purpose of providing them with an understanding of our ongoing monitoring activities and preparedness with respect to our cybersecurity risks so that they can engage in an informed review of our program and direct the implementation of appropriate changes as and when needed.

 

IT Security/Compliance Annual Cybersecurity Risk Assessment (Board Review/Approval)

 

Our Information Technology Security/Compliance Officer completes an annual cybersecurity risk assessment designed to identify, evaluate, and manage the Company’s cybersecurity risks and preparedness. This assessment is aligned with applicable regulatory guidance, including the Federal Financial Institutions Examination Council (“FFIEC”) Information Technology Examination Handbook and recognized industry standards such as the NIST. These assessments take into account our organizational characteristics and the evolving external threat landscape and evaluate, among other things, how cybersecurity threats could impact and be impacted by our technologies, connection types, delivery channels, online and mobile banking products, and other electronic banking services. The assessment also considers the effectiveness of our risk management oversight and internal controls, our dependence on third-party service providers, our vendor risk management practices, and our cybersecurity incident response and recovery capabilities. The Company’s third-party information technology network security consultant reviews the completed annual cybersecurity risk assessment, along with the results of independent information technology risk assessment and audit activities, and reports relevant findings to management and the Board of Directors as part of the Company’s ongoing cybersecurity governance and oversight process.

 

Cybersecurity Defense Approach

 

We deploy and maintain a layered cybersecurity defense approach to securely protect our network computer systems, software applications, and stored data/information resources. As a first layer of defense, we employ a multi-faceted firewall and replication of primary and backup servers in our computer network. The Company receives daily and weekly reports and cybersecurity activity alerts, which are reviewed by our network administration management team. Our President and our Information Technology Security/Compliance Officer present quarterly Customer Data & Information Systems Security Program report updates to our boards of directors and their joint Executive Committee.

 

 

Third-Party Vendor Management

 

In accordance with the FDIC’s information technology compliance requirement for an annual vendor risk management program, the Bank developed a vendor management policy and performs an annual risk assessment review. This comprehensive review of mission-critical bank industry and network security vendors includes annual review of vendor compliance reports performed by accounting and audit firms, reviews of annual financial reports for vendors, and risk assessment reviews encompassing vendor performance, information technology compliance, operations, quality of service and support, contractual compliance, and business resumption contingency plans. These annual vendor management risk assessments are evaluated by the bank’s designated Information Technology Security/Compliance Officer for review and authorization by the bank’s President and senior information technology management, with final presentation, review, and approval by the Board of Directors. Complementing the Bank’s vendor risk assessment review and program are additional risk assessment evaluations including the FDIC Risk Assessment, inclusive of network systems risk assessment, customer information systems risk assessment, and electronic banking vendor management risk assessment. Additionally, the Bank maintains a disaster recovery policy and conducts annual disaster recovery testing with respect to its mission-critical software vendor applications, as well as performs an annual business impact analysis that evaluates each mission-critical vendor in a prioritized hierarchy of hardware and software restoration relative to specified recovery time objectives in accordance with the FDIC’s information technology compliance requirements.

 

Incident Response Program

 

In accordance with the FDIC’s requirement for development of an annual information technology incident response policy, the Bank maintains an incident response and computer forensics policy. This policy is reviewed on an annual basis and updated as necessary by the Bank’s President and its Information Technology Security/Compliance Officer and then presented for review and approval by the Bank’s Board of Directors. The policy is also reviewed as part of an annual network security risk assessment audit conducted by the Bank’s information technology security consultant and by the FDIC and the Maryland Commissioner when they conduct their information technology examinations. The Bank has established incident alert levels, response and recovery timeframes, and computer forensics procedures for cybersecurity attack events, data breaches of sensitive information, systems failures and alerts, and corresponding customer and key contact notification including regulatory, vendors, local authorities, and bank directors/employees. The Bank annually contracts with a third-party industry expert vendor to provide computer forensics guidance and escalated support in the event of a cybersecurity incident when such vendor’s expertise and resources are needed.

 

Security Awareness and Training

 

The Bank maintains a program led by our Information Technology Security/Compliance Officer that is intended to comply with the FDIC’s requirement for annual network security training of all employees. This training program includes a comprehensive network security overview, including phishing and ransomware awareness training, a summary review of the Bank’s disaster recovery and pandemic plans, and an annual renewal and authorization of an employee network acceptable use policy. In addition, the Bank’s information technology management and network administrators attend periodic training programs and certifications, review regulatory compliance and industry information technology security briefs, and participate in vendor application quality assurance reviews. Finally, we provide our customers with information about cybersecurity awareness and electronic banking security practices, phishing and malware awareness, and fraudulent scams targeting customers on our dedicated website.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] The Company’s cybersecurity risk program was developed and is maintained to identify, analyze, and remediate the associated risks that cyber threats pose to our organization, particularly in light of our continually increasing reliance on technology in delivering electronic banking solutions and supporting our computer network. The program is overseen and executed by a team of experienced, certified cybersecurity professionals.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Board of Directors Oversight [Text Block]

ITEM 1C. CYBERSECURITY

 

The Company’s cybersecurity risk program was developed and is maintained to identify, analyze, and remediate the associated risks that cyber threats pose to our organization, particularly in light of our continually increasing reliance on technology in delivering electronic banking solutions and supporting our computer network. The program is overseen and executed by a team of experienced, certified cybersecurity professionals.

 

The objective of our program is to avoid or minimize the impact of external threats and efforts to disrupt and/or gain unauthorized access to our computer systems and the secure customer data information stored on these systems. Our computer environment is aligned with the National Institute of Standards and Technology Cybersecurity framework (the “NIST”), banking regulations, and other applicable security industry standards and protocols. We use industry expert vendors to provide 24/7/365 threat intelligence and network security monitoring and to provide periodic risk assessment audits, in addition to the periodic information technology audit examinations conducted by the FDIC and Maryland Commissioner. Our President and our Information Technology Security/Compliance Officer provide periodic reports, recommendations and information about industry best practices to the Board of Directors, the Board’s Audit Committee, and the Bank’s Information Technology Strategic Planning Committee.

 

Our Information Technology Security/Compliance Officer is primarily responsible for the ongoing review and management of our cybersecurity risk program and provides quarterly reports and other information throughout the year to our President, our Board of Directors, the Board’s Audit Committee and its Executive Committee, and the Bank’s Information Technology Strategic Planning Committee for the purpose of providing them with an understanding of our ongoing monitoring activities and preparedness with respect to our cybersecurity risks so that they can engage in an informed review of our program and direct the implementation of appropriate changes as and when needed.

 

IT Security/Compliance Annual Cybersecurity Risk Assessment (Board Review/Approval)

 

Our Information Technology Security/Compliance Officer completes an annual cybersecurity risk assessment designed to identify, evaluate, and manage the Company’s cybersecurity risks and preparedness. This assessment is aligned with applicable regulatory guidance, including the Federal Financial Institutions Examination Council (“FFIEC”) Information Technology Examination Handbook and recognized industry standards such as the NIST. These assessments take into account our organizational characteristics and the evolving external threat landscape and evaluate, among other things, how cybersecurity threats could impact and be impacted by our technologies, connection types, delivery channels, online and mobile banking products, and other electronic banking services. The assessment also considers the effectiveness of our risk management oversight and internal controls, our dependence on third-party service providers, our vendor risk management practices, and our cybersecurity incident response and recovery capabilities. The Company’s third-party information technology network security consultant reviews the completed annual cybersecurity risk assessment, along with the results of independent information technology risk assessment and audit activities, and reports relevant findings to management and the Board of Directors as part of the Company’s ongoing cybersecurity governance and oversight process.

 

Cybersecurity Defense Approach

 

We deploy and maintain a layered cybersecurity defense approach to securely protect our network computer systems, software applications, and stored data/information resources. As a first layer of defense, we employ a multi-faceted firewall and replication of primary and backup servers in our computer network. The Company receives daily and weekly reports and cybersecurity activity alerts, which are reviewed by our network administration management team. Our President and our Information Technology Security/Compliance Officer present quarterly Customer Data & Information Systems Security Program report updates to our boards of directors and their joint Executive Committee.

 

 

Third-Party Vendor Management

 

In accordance with the FDIC’s information technology compliance requirement for an annual vendor risk management program, the Bank developed a vendor management policy and performs an annual risk assessment review. This comprehensive review of mission-critical bank industry and network security vendors includes annual review of vendor compliance reports performed by accounting and audit firms, reviews of annual financial reports for vendors, and risk assessment reviews encompassing vendor performance, information technology compliance, operations, quality of service and support, contractual compliance, and business resumption contingency plans. These annual vendor management risk assessments are evaluated by the bank’s designated Information Technology Security/Compliance Officer for review and authorization by the bank’s President and senior information technology management, with final presentation, review, and approval by the Board of Directors. Complementing the Bank’s vendor risk assessment review and program are additional risk assessment evaluations including the FDIC Risk Assessment, inclusive of network systems risk assessment, customer information systems risk assessment, and electronic banking vendor management risk assessment. Additionally, the Bank maintains a disaster recovery policy and conducts annual disaster recovery testing with respect to its mission-critical software vendor applications, as well as performs an annual business impact analysis that evaluates each mission-critical vendor in a prioritized hierarchy of hardware and software restoration relative to specified recovery time objectives in accordance with the FDIC’s information technology compliance requirements.

 

Incident Response Program

 

In accordance with the FDIC’s requirement for development of an annual information technology incident response policy, the Bank maintains an incident response and computer forensics policy. This policy is reviewed on an annual basis and updated as necessary by the Bank’s President and its Information Technology Security/Compliance Officer and then presented for review and approval by the Bank’s Board of Directors. The policy is also reviewed as part of an annual network security risk assessment audit conducted by the Bank’s information technology security consultant and by the FDIC and the Maryland Commissioner when they conduct their information technology examinations. The Bank has established incident alert levels, response and recovery timeframes, and computer forensics procedures for cybersecurity attack events, data breaches of sensitive information, systems failures and alerts, and corresponding customer and key contact notification including regulatory, vendors, local authorities, and bank directors/employees. The Bank annually contracts with a third-party industry expert vendor to provide computer forensics guidance and escalated support in the event of a cybersecurity incident when such vendor’s expertise and resources are needed.

 

Security Awareness and Training

 

The Bank maintains a program led by our Information Technology Security/Compliance Officer that is intended to comply with the FDIC’s requirement for annual network security training of all employees. This training program includes a comprehensive network security overview, including phishing and ransomware awareness training, a summary review of the Bank’s disaster recovery and pandemic plans, and an annual renewal and authorization of an employee network acceptable use policy. In addition, the Bank’s information technology management and network administrators attend periodic training programs and certifications, review regulatory compliance and industry information technology security briefs, and participate in vendor application quality assurance reviews. Finally, we provide our customers with information about cybersecurity awareness and electronic banking security practices, phishing and malware awareness, and fraudulent scams targeting customers on our dedicated website.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The objective of our program is to avoid or minimize the impact of external threats and efforts to disrupt and/or gain unauthorized access to our computer systems and the secure customer data information stored on these systems. Our computer environment is aligned with the National Institute of Standards and Technology Cybersecurity framework (the “NIST”), banking regulations, and other applicable security industry standards and protocols. We use industry expert vendors to provide 24/7/365 threat intelligence and network security monitoring and to provide periodic risk assessment audits, in addition to the periodic information technology audit examinations conducted by the FDIC and Maryland Commissioner. Our President and our Information Technology Security/Compliance Officer provide periodic reports, recommendations and information about industry best practices to the Board of Directors, the Board’s Audit Committee, and the Bank’s Information Technology Strategic Planning Committee.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our Information Technology Security/Compliance Officer completes an annual cybersecurity risk assessment designed to identify, evaluate, and manage the Company’s cybersecurity risks and preparedness. This assessment is aligned with applicable regulatory guidance, including the Federal Financial Institutions Examination Council (“FFIEC”) Information Technology Examination Handbook and recognized industry standards such as the NIST. These assessments take into account our organizational characteristics and the evolving external threat landscape and evaluate, among other things, how cybersecurity threats could impact and be impacted by our technologies, connection types, delivery channels, online and mobile banking products, and other electronic banking services. The assessment also considers the effectiveness of our risk management oversight and internal controls, our dependence on third-party service providers, our vendor risk management practices, and our cybersecurity incident response and recovery capabilities. The Company’s third-party information technology network security consultant reviews the completed annual cybersecurity risk assessment, along with the results of independent information technology risk assessment and audit activities, and reports relevant findings to management and the Board of Directors as part of the Company’s ongoing cybersecurity governance and oversight process.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our Information Technology Security/Compliance Officer completes an annual cybersecurity risk assessment designed to identify, evaluate, and manage the Company’s cybersecurity risks and preparedness. This assessment is aligned with applicable regulatory guidance, including the Federal Financial Institutions Examination Council (“FFIEC”) Information Technology Examination Handbook and recognized industry standards such as the NIST. These assessments take into account our organizational characteristics and the evolving external threat landscape and evaluate, among other things, how cybersecurity threats could impact and be impacted by our technologies, connection types, delivery channels, online and mobile banking products, and other electronic banking services. The assessment also considers the effectiveness of our risk management oversight and internal controls, our dependence on third-party service providers, our vendor risk management practices, and our cybersecurity incident response and recovery capabilities. The Company’s third-party information technology network security consultant reviews the completed annual cybersecurity risk assessment, along with the results of independent information technology risk assessment and audit activities, and reports relevant findings to management and the Board of Directors as part of the Company’s ongoing cybersecurity governance and oversight process.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] We deploy and maintain a layered cybersecurity defense approach to securely protect our network computer systems, software applications, and stored data/information resources. As a first layer of defense, we employ a multi-faceted firewall and replication of primary and backup servers in our computer network. The Company receives daily and weekly reports and cybersecurity activity alerts, which are reviewed by our network administration management team. Our President and our Information Technology Security/Compliance Officer present quarterly Customer Data & Information Systems Security Program report updates to our boards of directors and their joint Executive Committee.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true