FARMERS & MERCHANTS BANCORP 10-K Cybersecurity GRC - 2024-03-14

Page last updated on April 11, 2024

FARMERS & MERCHANTS BANCORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 17:20:52 EDT.

Filings

10-K filed on 2024-03-14

FARMERS & MERCHANTS BANCORP filed a 10-K at 2024-03-14 17:20:52 EDT
Accession Number: 0001140361-24-013280


Item 1C. Cybersecurity.

The federal banking regulators regularly issue new guidance and standards, and update existing guidance and standards, regarding cybersecurity intended to enhance cyber risk management among financial institutions. Financial institutions are expected to comply with such guidance and standards and to accordingly develop appropriate security controls and risk management processes. If we fail to observe such regulatory guidance or standards, we could be subject to various regulatory sanctions, including financial penalties. In 2023, the SEC issued a final rule that requires disclosure of material cybersecurity incidents, as well as cybersecurity risk management, strategy and governance. Under this rule, banking organizations that are SEC registrants must generally disclose information about a material cybersecurity incident within four business days of determining it is material, with periodic updates as to the status of the incident in subsequent filings as necessary. Under a final rule adopted by federal banking agencies in 2021, banking organizations are required to notify their primary banking regulator within 36 hours of determining that a computer-security incident has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the banking organization's ability to carry out banking operations or deliver banking products and services to a material portion of its customer base, its businesses and operations that would result in material loss, or its operations that would impact the stability of the United States. The federal banking agencies have also adopted guidelines for establishing information security standards and cybersecurity programs for implementing safeguards under the supervision of the Board of Directors.

These guidelines, along with related regulatory materials, increasingly focus on risk management and processes related to information technology and the use of third parties in the provision of financial services. Moreover, recent cyberattacks against banks and other financial institutions that resulted in unauthorized access to confidential customer information have prompted the federal banking regulators to issue more extensive guidance on cybersecurity risk management. Among other things, financial institutions are expected to design multiple layers of security controls to establish lines of defense and ensure that their risk management processes address the risks posed by compromised customer credentials, including security measures to authenticate customers accessing internet-based services. A financial institution also should have a robust business continuity program to recover from a cyberattack and procedures for monitoring the security of third-party service providers that may have access to nonpublic data at the institution. State regulators have also been increasingly active in implementing privacy and cybersecurity standards and regulations. Recently, several states have adopted regulations requiring certain financial institutions to implement cybersecurity programs, and many states have also recently implemented or modified their data breach notification, information security and data privacy requirements. We expect this trend of state-level activity in those areas to continue and are continually monitoring developments in the states in which our customers are located. Risks and exposures related to cybersecurity attacks, including litigation and enforcement risks, are expected to be elevated for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of Internet banking, mobile banking and other technology-based products and services by us and our customers. See Item 1A. Risk Factors for a further discussion of risks related to cybersecurity.

Risk Management and Strategy

Information security and cybersecurity risk is the risk that the security, confidentiality, integrity or availability of our information and critical information systems are impacted by unauthorized or unintended access, use, disclosure, disruption, modification or destruction. Cybersecurity attacks and other security breaches can have material adverse impacts on our business. While no organization can eliminate cybersecurity risk entirely, we devote significant resources to our security program that we believe is reasonably designed to mitigate our cybersecurity and information technology risk. The Bank devotes significant resources and management focus to ensuring the integrity of our systems through information security and business continuity programs. However, our facilities and systems, and those of third-party service providers, are still vulnerable to external or internal security breaches, acts of vandalism, computer viruses, misplaced or lost data, programming or human errors, or other similar events. The Company seeks to address cybersecurity risks through the implementation of a governance structure and processes to assess, identify, manage, remediate, and report cybersecurity risks.

Identifying and assessing cybersecurity risks is integrated into our overall risk management program and processes. Cybersecurity risks related to our business, technical operations, data, and privacy, along with cybersecurity risk-related compliance issues, are identified and addressed through a framework consisting of third-party assessments, internal information technology audits, information security assessments, and risk and compliance reviews. We conduct regular privacy and cybersecurity reviews of systems, audit applicable data and information policies, perform penetration and vulnerability testing using third-party tools to test security controls, perform regular training and assessments for the Board of Directors and employees, monitor emerging data privacy and information security laws and regulations, and implement applicable changes to improve our overall security posture. We regularly engage third-party auditors to assess our cybersecurity program and compliance with all applicable best practices and regulations. The Company adjusts its information security policies, standards, processes and practices as necessary based on the information provided by these assessments and to remediate material identified vulnerabilities.

We have in place a robust incident response process that helps ensure our preparedness for a cybersecurity incident, including our ability to detect, analyze, contain, remediate, and recover from a security incident as well as conduct post-incident analysis to avoid future incidents. Incident response process activities are overseen by cross-functional leadership in Risk Management, Operations, Information Security, Compliance, and Information Systems. Security events and incidents are evaluated, ranked by severity, and prioritized for response and remediation. Incidents are evaluated to determine materiality and operational, business, and overall privacy impacts. We conduct regular exercises and drills to simulate responses to various cybersecurity incidents. The incident response team, including management, coordinates with technical and business stakeholders to further analyze risks and enhance detection, mitigation, and remediation strategies incorporated in the incident response program.

Our risk management program regularly assesses third-party risks (inclusive of fourth-party risk) by conducting activities to identify and mitigate risks from third parties (e.g., vendors, suppliers, and other business partners). Cybersecurity risks are evaluated when selecting and managing applicable third parties that handle or process employee, business, or customer data, and a review process that includes due diligence over a third party's information security and technology control environment is conducted at onboarding and periodically throughout the lifecycle of the relationship to ensure that systems of third parties meet certain security baseline requirements. We maintain procedures to respond to, manage and mitigate third-party cybersecurity events and vulnerabilities when identified.

Cybersecurity Governance

Given the importance of information security, privacy and data protection to our stakeholders, cybersecurity is a critical part of our risk management program and a key focus area for our Board and Executive Management. The Board of Directors oversees management's processes for identifying and mitigating risks, including cybersecurity risks, to help manage our risk exposure to meet our strategic objectives. Executive Management and our Information Security Officer ("ISO") regularly brief the Board of Directors on our cybersecurity and information security posture and ensure the Board is apprised of emerging risks and cybersecurity incidents deemed to have a direct or indirect business impact. The Audit & Risk Committee meets on a monthly basis to receive updates from management, including leaders from Information Systems, Information Security, Risk Management, and Compliance, on matters of cybersecurity risks and mitigation initiatives. The leaders from these areas each bring over 20 years of professional experience and certifications in information technology, information security, information systems audit, compliance, and risk management. This group of leaders provides updates on existing and new cybersecurity risks, status updates on how management is addressing or mitigating cyber risks and cybersecurity or privacy incidents, and progress on key cybersecurity initiatives.

The Electronic Data Processing ("EDP") Steering Committee is a senior management level committee that meets at least quarterly to discuss a variety of information technology and cybersecurity matters, which form the basis for providing status reports to the Board of Directors. The committee is responsible for monitoring all Information Systems-related projects and initiatives, facilitating the remediation of issues that could adversely impact the ability of the Information Systems Department to perform its function, and allocating available resources to the highest priority projects and initiatives. The Chief Administrative Officer chairs the EDP Steering Committee, and members of Executive Management, Information Systems, Information Security, Treasury Management, Retail and Wholesale Banking departments are represented in the meetings. In addition to project management guidance, the committee provides oversight of and direction for the Information Security Program, monitors cybersecurity risks, and helps ensure prompt remediation of cybersecurity incidents.

In 2023, we did not identify any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition; however, cybersecurity threats are pervasive. Despite the capabilities, processes and security measures we employ that we believe are designed to detect, reduce, and mitigate the risk of cybersecurity incidents, we may not be aware of all vulnerabilities or might not accurately assess the risks of incidents, and such preventative measures cannot provide absolute security and may not be sufficient in all circumstances or mitigate all potential risks. Moreover, cybersecurity threats are continuously evolving, which may cause cybersecurity threats to be more difficult to detect in the future. See "Risk Factors - Risks Related to Cybersecurity and Information Technology" in Part I, Item 1A of this Form 10-K, for additional information about these and other risks related to cybersecurity and information technology.


Company Information

Name: FARMERS & MERCHANTS BANCORP
CIK: 0001085913
SIC Description: National Commercial Banks
Ticker: FMCB - OTC
Website:
Category: Accelerated filer
Fiscal Year End: December 30