ConnectOne Bancorp, Inc. 10-K Cybersecurity GRC - 2026-02-24

Page last updated on February 24, 2026

ConnectOne Bancorp, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-24 16:02:35 EST.

Filings

10-K filed on 2026-02-24

ConnectOne Bancorp, Inc. filed a 10-K at 2026-02-24 16:02:35 EST
Accession Number: 0001437749-26-005320

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management, Strategy and Governance Cybersecurity is a material part of ConnectOne's business. As a financial institution offering products through multiple digital delivery channels, cybersecurity incidents could have a material effect on the Company, its results of operations and its reputation, although to date the Company has not experienced any cybersecurity incident which has had a material effect on the Company's business strategy, results of operations or financial condition. See "Item 1A- Risk Factors - We cannot predict how changes in technology will impact our business; increased use of technology may expose us to service interruptions or breaches in security." Cybersecurity risk is initially overseen at ConnectOne by the management IT Committee (the "ITC"). The members of this committee include, as co-chairs, the Chief Compliance Officer and the Chief Data & Development Officer. Additional members are our Information Security Officer, Information Technology ("IT") Manager, Chief Risk Officer, Chairman & Chief Executive Officer, Chief Digital Officer and Chief Brand and Innovation Officer. Set forth below is certain background information regarding the senior members of the ITC: ● Sharif Alexandre, Chief Data & Development Officer - Mr. Alexandre leads the software development and data management teams at the Bank. He has over 20 years of industry experience, including managing information technology and software development teams for organizations ranging from technology startups to Fortune 500 companies. His prior experience at the Bank also includes the oversight of IT operations. ● Laura Criscione, Chief Compliance Officer - Ms. Criscione oversees the company's compliance and information security functions. She has more than 30 years of experience in the financial services industry, with an extensive background in overseeing compliance and IT operations. ● Mark Pappas, Chief Risk Officer - Mr. Pappas oversees entity-wide risk management, including cybersecurity-related risks. He previously served as Executive Vice President and Chief Risk Officer for Amalgamated Bank and as Director of Internal Audit for Alma Bank. ● Ali Mattera, Chief Digital Officer - Ms. Mattera has over 19 years of experience in the financial services industry, including 13 years in IT leadership. Throughout her career at various financial institutions, she has been responsible for technology and digital strategy, enterprise program management, data analytics, and IT service management. In addition to the members above, Frank Sorrentino III, Chairman & Chief Executive Officer and Siya Vansia, Chief Brand & Innovation Officer are also members of the ITC due to their roles in overseeing entity-wide management. - 35 - Table of Contents In order to ensure that cybersecurity risk management is integrated into the Company's overall risk management plans, systems and processes, members of the ITC, along with other lines of business heads, report to the management Enterprise Risk Management Committee (the "ERMC"), which in turn reports to the Board Risk Committee quarterly. The ERMC consists of the Company's Chief Risk Officer, Chairman & CEO, President, Chief Financial Officer, Treasurer & Chief Corporate Development Officer, Chief Compliance Officer, Chief Data & Development Officer , General Counsel and Chief Credit Officer. In addition, the Company's Chief Data & Development Officer attends Company Board of Directors meetings and provides an IT report at each meeting. The Company's cybersecurity risk mitigation program involves a combination of internal resources and the use of third parties. The Company's internal IT team performs monthly vulnerability scanning and performs an annual risk assessment based on the National Institute of Standards and Technology Cybersecurity Framework. The results are reported to the ITC. The Company's IT and compliance staff also review potential cybersecurity threats associated with the Company's third -party vendors, including performing a review of and obtaining a System of Organization Controls report from all vendors rated as "high risk" by the Company's internal vendor management program. The Company also has an internal Incident Response Plan and Team, which is charged with overseeing the Company's response to any cybersecurity incident. The team performs a table-top exercise at least annually to prepare to respond in the event of any actual cybersecurity incident. In addition to these internal resources, the Company uses a third -party vendor to undertake annual penetration and vulnerability testing, with the results reported to the ITC. Finally, the Company's cybersecurity compliance program is audited by the Bank's outsourced internal auditor. The Company also maintains insurance which may provide coverage for expenses and certain losses incurred in connection with a cybersecurity incident. -36- Table of Contents

Company Information