Page last updated on March 3, 2025
Merchants Bancorp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 16:06:19 EST.
Filings
10-K filed on 2025-02-28
Merchants Bancorp filed a 10-K at 2025-02-28 16:06:19 EST
Accession Number: 0001558370-25-001941
Item 1C. Cybersecurity.
Privacy and Cybersecurity
Merchants Bank is subject to many U.S. federal and state laws and regulations governing requirements for maintaining policies and procedures to protect non-public confidential information of its customers. These laws require banks to periodically disclose their privacy policies and practices relating to the sharing of such information and to permit customers to opt out of having their information shared with unaffiliated third parties under certain circumstances. They also affect a bank's ability to share certain information with affiliates and non-affiliates for marketing and/or non-marketing purposes, or to contact customers with marketing offers. In addition, banks are required to implement a comprehensive information security program that includes administrative, technical, and physical safeguards to ensure the security and confidentiality of customer records and information.
Risk Management and Strategy
To combat ever-present cyber risks, the Company maintains a comprehensive Information Security Program (ISP), which includes continuous risk assessments, an Incident Response Plan, and a multilayered control environment meant to protect against, detect, respond to, and limit unauthorized or harmful actions across our information environment. The control environment is based on industry-leading recommendations, including the Center for Internet Security (CIS) Critical Security Controls and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Our Information Security Officer (ISO) is primarily responsible for coordinating the various aspects of the ISP with cross-functional support from teams across the Company. Information security standards are Board-approved, and various types of control testing are conducted throughout the year by internal and external parties. Recommendations are implemented and reported to various committees.
These security and privacy policies and procedures, aimed at protecting personal and confidential information, are in effect across all businesses and geographic locations. Board-approved policies are in place to mitigate risks linked to third-party service providers, encompassing factors such as availability, confidentiality, governance, and compliance. As part of this risk mitigation, the Company actively monitors vendors' cybersecurity practices through periodic assessments and contractual security requirements, which ensures that vendors adhere to our security standards and promptly address emerging threats or vulnerabilities. The Company employs a defense-in-depth posture designed to safeguard information, prevent unauthorized access, detect and respond to threats, and maintain the confidentiality, integrity, and availability of data. The ISP establishes controls across many domains, including but not limited to: Information Security Governance, Inventory and Control of Enterprise Assets and Software, Data Protection, Secure Configuration of Enterprise Assets and Software, Account and Access Control Management, Continuous Vulnerability Management, Audit Log Management, Email and Web Browser Protections, Malware Defenses, Data Recovery, Network Infrastructure Management, Network Monitoring and Defense, Security Awareness and Skills Training, Service Provider Management, Application Software Security, Incident Response Management, and Penetration Testing. Recognizing people as a key component of an effective information security program, the Merchants Information Security Program strives to enhance education and awareness at all levels of the Company. One critical component of education and awareness is an internal cybersecurity committee, composed of employees from all levels and departments, who act as embedded security representatives for their business units.
However, it is difficult or impossible to defend against every risk posed by evolving technologies and by criminals intent on committing cyber-crime. The increasing sophistication of criminal organizations and advanced persistent threats makes staying ahead of new dangers difficult and could result in a security breach. Controls employed by our information technology department and cloud vendors could prove inadequate. A breach of our security that results in unauthorized access to our data could expose us to disruption of or challenges to our daily operations, as well as to data loss, litigation, damages, fines and penalties, significant increases in compliance costs, and reputational damage, any of which could have an adverse effect on our business, financial condition, and results of operations. The Company has established conditions to respond quickly to a cyber incident, ensuring a resilient information environment.
Governance
The Board established an IT Committee to assist executive management and the Board of Directors of the Bank in fulfilling their oversight responsibilities related to information security. The IT Committee's membership includes senior management from business units, as well as information security risk experts such as the Information Security Officer, experts from Enterprise Risk Management and Internal Audit, and Information Technology leaders. At IT Committee meetings, security-related policies and standards are reviewed and approved, annual risk assessment results and action plans are noted, annual penetration test reports are shared, current security incidents are discussed, emerging threats are reported on, and relevant cyber risks and trends are presented. The IT Committee is responsible for governing the assessment and treatment of cyber risks. The Committee reports its activities, key conclusions, and recommendations to the Board on a quarterly basis.
The Chief Administrative Officer is responsible for the appointment of the Information Security Officer. The Information Security Officer serves as the focal point for the information security program and is responsible and accountable for its implementation and monitoring, and for management of the Information Security team. The current Information Security Officer has over a decade of experience in the cybersecurity field, including critical roles in security operations; security governance, risk, and compliance; and cyber threat intelligence. They hold multiple industry-leading certifications, including nine GIAC certifications and the CISSP from ISC2, as well as a Master of Engineering in Cybersecurity Policy and Compliance. The Information Security Officer presents an Annual Information Security Review to the Board which summarizes the previous year's threat landscape, risk assessment, service provider and audit testing activities, results of security incidents, information security program changes, and future strategies and recommendations.
Company Information
Name | Merchants Bancorp |
CIK | 0001629019 |
SIC Description | State Commercial Banks |
Ticker | MBIN - Nasdaq; MBINL - Nasdaq; MBINM - Nasdaq; MBINN - Nasdaq |
Website | |
Category | Emerging growth company |
Fiscal Year End | December 30 |