INDEPENDENT BANK CORP /MI/ 10-K Cybersecurity GRC - 2024-03-08

Page last updated on April 11, 2024

INDEPENDENT BANK CORP /MI/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-08 12:40:03 EST.

Filings

10-K filed on 2024-03-08

INDEPENDENT BANK CORP /MI/ filed a 10-K at 2024-03-08 12:40:03 EST
Accession Number: 0000039311-24-000035


Item 1C. Cybersecurity.

Cybersecurity Risk Assessment, Identification, and Management Processes

Our cybersecurity processes have been integrated into our risk management system. We employ a comprehensive cybersecurity risk assessment program designed to evaluate threats, vulnerabilities, and the potential impact on our operations, data, and financial condition. This program is regularly reviewed and updated to address emerging risks. Our process for addressing risk is based on banking industry best practices outlined in FFIEC and National Institute of Standards and Technology (NIST) frameworks.

We engage various third-party service providers in connection with our cybersecurity processes. We routinely engage consultants and other third parties to assist in the continued improvement and maintenance of our cybersecurity risk assessment program. These engagements are designed to enhance our cybersecurity posture, and we work closely with these experts to help us identify and address risks and vulnerabilities. Examples of these engagements include third party security assessments, security monitoring, and program review.

We closely oversee and monitor third-party cybersecurity service providers. We maintain policies and procedures to oversee and identify cybersecurity risks associated with our third-party service providers, especially those with access to customer and employee data. Our selection and oversight of these providers incorporate cybersecurity considerations, including contractual and other mechanisms to mitigate risks. Our third-party oversight process follows published frameworks from NIST and FFIEC to account for risks throughout the entire engagement with our third-party vendors.

We consistently engage in proactive measures aimed at preventing, detecting, and effectively minimizing the impact of cybersecurity incidents. We maintain an incident response plan to swiftly respond to breaches, protect customer data, and minimize disruption to our operations. The incident response process is consistently tested and reviewed through simulated incidents and tabletop exercises with key stakeholders. To bolster our incident response process, we have robust business continuity, contingency, and recovery plans to ensure operational resilience during a cybersecurity incident.

We have not experienced a material cybersecurity breach, but risks from cybersecurity threats may impact our business strategy, results of operations, and financial condition. No risks from any current or previous cybersecurity threats have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition, except to the extent that such strategy, operations, and conditions are affected by our employment of the cybersecurity risk assessment programs and procedures discussed in this Item. We have not, as of the date of this filing, experienced a cybersecurity breach that has materially affected our business or financial condition. However, because our business involves the collection, transmission, and storage of sensitive customer and employee data, we are susceptible to various cybersecurity threats, including cyberattacks, unauthorized access, and similar events. We employ ongoing processes and strategies to guard against those threats, as discussed in this Item.

Cybersecurity Governance

We recognize the value and importance of cybersecurity and data protection and understand the potential harm to our business from cybersecurity incidents. Accordingly, we place a high priority on mitigating risks associated with cybersecurity threats and any cybersecurity incidents.

Our Board of Directors and Chief Executive Officer, in collaboration with our Chief Information Officer and Chief Risk Officer, oversee cybersecurity processes, risks, and threats. Rather than designate one specific board committee to cybersecurity risk management, our entire Board of Directors is responsible for overseeing our risk management. Our Chief Risk Officer is responsible for overseeing our risk management generally, working closely with our internal audit department. Our Chief Risk Officer regularly reports directly to the Board of Directors with respect to all areas of risk management. With regard to cybersecurity specifically, we have a Cyber Information Security Officer who reports to our Chief Information Officer, with a dotted-line reporting relationship to our Chief Executive Officer, and collaborates regularly with our Chief Risk Officer and Risk Team. Our Cyber Information Security Officer meets with the Chief Executive Officer on a standard cadence and chairs a committee focused on cybersecurity with monthly reports made to our Risk Committee. Minutes from these meetings as well as select materials are shared with the full Board of Directors, and our Cyber Information Security Officer delivers an annual report to our Board of Directors. In addition, our entire management team is actively engaged in assessing and managing material risks from cybersecurity threats. We have established a robust framework for identifying, preventing, mitigating, and remediating such risks.

We have an extensive and experienced team responsible for cybersecurity risk management. Our current Cyber Information Security Officer has a comprehensive information technology background with over 20 years of experience in managing or assisting in managing cybersecurity risks. To support the Cyber Information Security Officer in managing cybersecurity and our Chief Risk Officer in managing cybersecurity risks, we have established a cross-functional cybersecurity team that includes experts in various aspects of information security. This team of employees includes individuals with many years of prior combined work experience in cybersecurity and data protection. These individuals are responsible for the day-to-day implementation of our cybersecurity program, including providing immediate notice to our Cyber Information Security Officer and our Chief Risk Officer of any potential cybersecurity incidents.

We employ robust and comprehensive processes to respond to cybersecurity risks. We employ a comprehensive set of processes to monitor and mitigate cybersecurity risks. These processes include:

a. 24x7x365 Security Alert Monitoring
b. Network Monitoring
c. Firewalls
d. Vulnerability Assessment
e. Internal and External Security Assessments
f. Security Awareness Training Programs
g. Identity Management
h. Incident Response Plans
i. Data Encryption

These processes are regularly reviewed and updated to adapt to evolving cybersecurity threats.

Our cybersecurity personnel provide regular reports to the Board of Directors. As noted above, our Chief Risk Officer, Cyber Information Security Officer, and cybersecurity team provide regular reports to the Board regarding cybersecurity risks, as well as a review of the processes described above. In particular, our Chief Risk Officer provides reports at every regularly scheduled Board meeting regarding our most material risks and the degree of exposure to these risks. Our management personnel are also required to provide more frequent updates to the Enterprise Risk Committee on major developments regarding cybersecurity matters. The Committee, in turn, provides regular updates to the Board on these matters.


Company Information

Name: INDEPENDENT BANK CORP /MI/
CIK: 0000039311
SIC Description: State Commercial Banks
Ticker: IBCP - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 30