Page last updated on March 2, 2026
SHORE BANCSHARES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-02 16:04:11 EST.
Filings
10-K filed on 2026-03-02
SHORE BANCSHARES INC filed a 10-K at 2026-03-02 16:04:11 EST
Accession Number: 0001035092-26-000014
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

The Company recognizes that the security of our banking operations is essential to protecting our customers, maintaining our reputation, and preserving the value of the Company. The Board of Directors, through the Board Risk Oversight Committee, provides direction and oversight of our enterprise-wide risk management framework, and cybersecurity represents a component of our overall approach to enterprise-wide risk management. The Enterprise Risk Management Program establishes policies and procedures for assessing the effectiveness and efficiency of information security controls related to both design and operations. We use a variety of tools, including the Federal Financial Institutions Examination Council Cybersecurity Assessment Tools, to help us identify our cybersecurity risks and determine our cybersecurity preparedness. This assessment tool incorporates regulatory guidance. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach focused on the confidentiality, security and availability of the information that we collect and store by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents that may occur. As one of the elements of our overall enterprise-wide risk management approach, the Enterprise Risk Management Program is focused on the following key areas:

- Security Operation and Governance: As discussed in more detail under the section titled "Cybersecurity Governance," the Board Risk Oversight Committee oversees our information security and cybersecurity risk management.
- Collaborative Approach: We have implemented a cross-functional approach to identifying, assessing, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management.
- Security Competencies: We have security competencies and tools designed to evaluate security risks and to protect the confidentiality, integrity and availability of our information systems and data. These assets represent a blend of various management (e.g., policies), operational (e.g., standards and processes), and technical controls (e.g., tools and configurations).
- Cyber Defense and Incident Response Plan: We utilize sophisticated security monitoring and detection tools for continuous monitoring of our information systems at all times. We utilize third-party tools and solutions to actively deliver threat analysis, vulnerability management, intrusion detection, intrusion hunting and red team exercises. We also receive the latest cybersecurity alerts and threat intelligence from government agencies and information sharing and analysis centers. Our Incident Response Plan reduces the risks related to security incidents by providing guidance on our response to incidents, focusing on the coordination of personnel, policies and procedures to ensure incidents are detected, analyzed and managed.
- Third-Party Risk Management: Management of third parties, including vendors and service providers, is conducted through a risk-based approach, with the level of due diligence driven by risk factors established by the Third-Party Risk Management Program. The process provides awareness and collaboration across all internal teams including Information Technology and Risk Management. A review process is conducted on new or significantly changed key third parties to ensure certain cybersecurity baseline requirements are met and cybersecurity incidents are appropriately disclosed. This process advocates for appropriate standards and controls, based on risk factors, to secure the third parties' information systems, and to ensure the third parties have recovery plans in place.
- Security Awareness and Education: We provide annual, mandatory training for employees regarding security awareness to better equip them with the understanding of how to properly use and protect the computing resources entrusted to them, and to communicate our information security policies, standards, processes and practices. Additionally, we conduct monthly email security awareness testing, with follow-up training assigned when deemed necessary.

We leverage continuous monitoring and regular risk assessments to identify current and potential cybersecurity risks. Technical vulnerabilities are identified using automated vulnerability scanning tools, penetration testing, and system management tools, whereas non-technical vulnerabilities are identified via process or procedural reviews. We conduct a variety of assessments throughout the year, both internally and through third parties. Vulnerability assessments and penetration tests are performed on a regular basis to provide us with an unbiased view of our environment and controls. Vulnerabilities identified during these assessments are inventoried in a centralized tracking system and reported to management on a regular basis. A multi-step approach is applied to identify, report and remediate these vulnerabilities, and we adjust our information security policies, standards, processes and practices as necessary based on the information provided by these assessments. Summarized results of key assessments are reported to the Board Risk Oversight Committee.

We engage third parties on a regular basis to assess, test and assist with the implementation of our cybersecurity program to detect and manage cybersecurity risks, including but not limited to third parties who assist with monitoring our information security systems and auditors who assist with conducting penetration tests.

Cybersecurity Governance

The Board of Directors, through the Board Risk Oversight Committee, provides direction and oversight of the enterprise-wide risk management framework of the Company, including the management of risks arising from cybersecurity threats. The Board Risk Oversight Committee reviews and approves the Information Security Policy, which includes our cybersecurity risk management program. The Board of Directors receives regular presentations and updates on cybersecurity risks, including the threat environment, evolving standards, projects and initiatives, risk and vulnerability assessments, independent audit reviews, and technological trends. The Board of Directors also receives information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. On an annual basis, the full Board of Directors discusses our approach to cybersecurity risk management.

The Information Security Officer, under the guidance of our Chief Risk Officer and Director of Operational Risk, works collaboratively across the Company to implement a program designed to protect our information systems and data from cybersecurity risks. The Information Security Officer is responsible for assessing and managing cybersecurity risks, responding to any cybersecurity incidents in accordance with our Incident Response Plan and Business Continuity Plan, and reporting incidents to appropriate individuals in accordance with the Incident Response Plan.

To facilitate the success of our cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. The Information Technology and the Operational Risk Management teams monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents and report such threats and incidents to the Information Security Officer and Chief Information Officer and ultimately the Board Risk Oversight Committee, when appropriate. The Information Security Officer holds the Certified Information Security Manager Certification and is supported by additional team members with extensive backgrounds in cybersecurity and related fields.
Company Information
| Name | SHORE BANCSHARES INC |
| CIK | 0001035092 |
| SIC Description | National Commercial Banks |
| Ticker | SHBI - Nasdaq |
| Website | |
| Category | Accelerated filer |
| Fiscal Year End | December 31 |