GERMAN AMERICAN BANCORP, INC. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 27, 2026

GERMAN AMERICAN BANCORP, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 17:50:58 EST.

Filings

10-K filed on 2026-02-26

GERMAN AMERICAN BANCORP, INC. filed a 10-K at 2026-02-26 17:50:58 EST
Accession Number: 0000714395-26-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity . Risk Management and Strategy Our enterprise risk management program is designed to identify, assess, and mitigate risks across various aspects of our company, including financial, operational, regulatory, reputational, and legal. Cybersecurity is a critical component of this program, given the increasing reliance on technology and potential of cyber threats. Our processes and policies related to cybersecurity are focused on: (i) developing organizational understanding to manage cybersecurity risks, (ii) applying safeguards to protect our systems, (iii) detecting the occurrence of a cybersecurity incident, (iv) responding to a cybersecurity incident, and (v) recovering from a cybersecurity incident. Where appropriate, these processes and policies are integrated into our overall enterprise risk management systems and processes. For example, all of our employees with network access are required to complete information security and privacy training on an annual basis. We are continuously working to improve our information technology systems and provide employee awareness training around phishing, malware, and other cyber risks to enhance our levels of protection. Other aspects of our cyber and information security risk management program include: - Monitoring external and internal threats and events, managing access, facilitating use of appropriate authentication options, validating controls and programs by internal teams and independent third parties and testing various compromise scenarios that are overseen by our information security team; - Investing in threat intelligence platforms and participating in financial services industry and government forums which track and report on cyber and other information security threats; - Identifying those third-party relationships that have the greatest potential to expose the Company to cybersecurity threats and, upon identification, conducting additional due diligence as a part of establishing those relationships ; - Routinely performing vulnerability tests; - Engaging independent consultants and other third-parties to assist the Company in establishing and improving its policies; and - Conducting "tabletop" exercises with outside consultants at least annually to test the Company's processes and policies and using feedback from those exercises to further improve our processes. The Company also maintains insurance coverage for cybersecurity incidents as part of its overall insurance portfolio. In the event of a cybersecurity incident, the Company maintains incident response plans to investigate, classify, respond to, and manage cybersecurity incidents that may compromise the availability or integrity of our information systems, network resources, or data. In accordance with the incident response plans, cross-functional management teams assess and assign a threat level to each cybersecurity incident. A cybersecurity incident (or incidents, if aggregated together) assigned a critical threat level is escalated to the Board's Risk Committee as described below in more detail. 27 The Company has not experienced any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected the Company, including its business strategy, results of operations, or financial condition. However, cybersecurity attacks and other threats to the systems, networks, products and services of the Company, its customers and vendors, and other third parties could materially affect the Company in the future. See Item 1A. Risk Factors - Unauthorized disclosure of sensitive or confidential client or customer information, whether through a cyber-attack, other breach of our computer systems or otherwise, could harm our business. Governance In exercising oversight over the Company's information technology risks, including its cyber and information security program, the Company's Enterprise Risk Management Committee (the "ERM Committee") has established a Technology Committee that is led by the Company's Chief Digital and Information Officer ("CDIO") and is comprised of the Company's executive officers, the Company's Information Security Officer ("ISO") and the Company's Chief Risk Officer. The Technology Committee receives materials on a quarterly basis to address the identification and status of information technology cybersecurity risks. Each year, the full Board of Directors also receives a comprehensive update on the Company's cyber and information security program. Our CDIO leads the Company's digital optimization and information technology initiatives. He is also responsible for driving the strategy, execution and integration of all banking and nonbanking technology, information and digital initiatives in alignment with the Company's corporate business strategy. Our CDIO assumed his current role in January 2026. Prior to that, he served as the Senior Vice President and Chief Enterprise Architect for a bank with over $30 billion in assets. In his over 25 years of technology experience in regulated industries, including banking, our CDIO has held leadership positions responsible for developing digital banking solutions, launching and integrating business enablement tools, artificial intelligence integration, and oversight of the technology framework. Our ISO oversees a team of employees dedicated to the prevention, detection, mitigation, and remediation of cybersecurity incidents. He joined the Company in November 2025 with more than 25 years of technology and information security experience, specifically in the banking sector. His most recent roles included Information Security Officer and Director of Information Technology, along with various cybersecurity consulting engagements. In addition, the Company utilizes a specialized managed security provider to consult, monitor, alert and remediate issues related to cybersecurity. This oversight includes endpoint protection, firewall alerting, vulnerability detection and oversight over the Company's system information and event management (SIEM) platform. The Company's Incident Response Team (a sub-committee of the Technology Committee) has been established to evaluate the materiality of cybersecurity incidents based upon criteria that have been reviewed with the ERM Committee and the Board's Risk Committee, and is responsible for determining whether there are disclosure obligations under applicable securities laws. In the event that the Incident Response Team determines that a critical cybersecurity incident (or incidents, if aggregated together) is deemed to be material, the Incident Response Team will brief the Risk Committee and oversee the disclosure process. For all critical cybersecurity incidents that are not deemed to be material, the Incident Response Team will report such incidents to the Technology Committee, which will further report such critical incidents to the ERM Committee and the Risk Committee, as part of the next regularly-scheduled cybersecurity updates, or sooner as circumstances warrant.

Company Information