Page last updated on March 6, 2026
NORTHRIM BANCORP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-06 13:55:55 EST.
Filings
10-K filed on 2026-03-06
NORTHRIM BANCORP INC filed a 10-K at 2026-03-06 13:55:55 EST
Accession Number: 0001163370-26-000007
Item 1C. Cybersecurity.
Risk Management and Strategy

The Company recognizes that the security of our banking operations is critical to protecting our customers and maintaining our reputation. The cybersecurity landscape is constantly evolving and the advent of artificial intelligence has increased the risks. The Company maintains a cybersecurity risk management program designed to identify, assess, manage, and mitigate material risks from cybersecurity threats. The Company's process for identifying and assessing material risks from cybersecurity threats operates alongside the Company's broader overall risk assessment process.

The Company's Computer Security Incident Response Team immediately investigates system alerts that may indicate the presence of a cybersecurity threat or incident and escalates information regarding the threat or incident as necessary to address it in a timely manner. The Company maintains a written incident response plan with defined escalation procedures and cross functional coordination designed to assess impact, contain threats, and remediate vulnerabilities. The incident response plan, among other things, provides for inter-departmental coordination and management of cybersecurity threats or incidents to quickly assess the impact, mitigate risks to information systems, and work to resolve vulnerabilities. We conduct periodic tabletop exercises and simulations to test preparedness and response capabilities.

We also periodically engage external partners to conduct annual audits of our systems, test our systems infrastructure, and suggest improvements. Through these channels and others, we work to proactively identify potential vulnerabilities in our information security system. Senior management meets regularly with the Company's risk-management team and internal and external auditors to evaluate the effectiveness of the Company's systems, controls, and management processes with respect to cybersecurity risks.
The results of key assessments are reported in summary to our Board of Directors periodically.

We also recognize that we are exposed to cybersecurity threats associated with our use of third-party service providers. To minimize the risk and vulnerabilities to our own systems stemming from such use, our Cybersecurity Program Manager and other subject matter experts monitor and identify known cybersecurity threats and incidents at third-party service providers on a regular basis. In addition, we strive to minimize cybersecurity risks when we first select or renew a vendor by including cybersecurity risk as part of our overall vendor evaluation and due diligence process. A vendor management policy is in place, which is approved by the Board of Directors annually. The vendor management policy calls for the evaluation of risk for each vendor based upon an assessment of the degree to which their relationship could expose the Company to risk in relation to the Company's reliance on the vendor's promise to perform and to protect customer privacy and based on the vendor's fiscal strength.

The Company provides mandatory initial and annual training thereafter for personnel regarding security awareness as a means to equip the Company's personnel with the understanding of how to properly use and protect the computing resources entrusted to them, and to communicate the Company's information security policies, standards, processes and practices. We also work to educate our customers about the importance and understanding of their role in protecting their identities and the privacy of their information. We consider customer education regarding the use of electronic convenience products to be especially important due to the Bank's increased exposure to loss related to these products if procedures are not followed.

Cybersecurity threats have not materially affected the Company's business strategy, results of operations, or financial condition.
For additional information regarding cybersecurity risks, see Part I, Item 1A, Risk Factors.

Governance

The Board of Directors oversees cybersecurity risk, with assistance from the Audit Committee. The Board of Directors also devotes significant time and attention to the oversight of cybersecurity and information security risk and receives an operational risk update that includes a review of cybersecurity and information security risk. As part of its oversight of cybersecurity and informational security risk, on an annual basis, our Board of Directors reviews its Information Security Policy with its appointed Information Security Officer and frequently receives presentations on and discusses cybersecurity and information security risks, industry trends, and best practices from our Chief Information Officer and our Information Security Officer.

We maintain relevant expertise within the Company's management team to manage cybersecurity risks. At the management level, the Chief Information Officer and Information Security Officer receive regular reports from the Company's systems department, both historical and real-time, about the Company's cybersecurity status. The Company maintains processes designed to identify, escalate, and report cybersecurity incidents in accordance with applicable law and regulation. If management determines a material cybersecurity incident has occurred, the Company's policies require management to promptly inform the Audit Committee with follow-up information to the full Board of Directors.

The Information Security Officer leads the Company's cybersecurity program, including security operations, incident response, risk and compliance, and security awareness. The cybersecurity team includes professionals with relevant industry experience and certifications.
Company Information
| Name | NORTHRIM BANCORP INC |
| CIK | 0001163370 |
| SIC Description | Savings Institution, Federally Chartered |
| Ticker | NRIM - Nasdaq |
| Website | |
| Category | Accelerated filer |
| Fiscal Year End | December 31 |