Metropolitan Bank Holding Corp. 10-K Cybersecurity GRC - 2025-02-28

Page last updated on March 3, 2025

Metropolitan Bank Holding Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 08:00:42 EST.

Filings

10-K filed on 2025-02-28

Metropolitan Bank Holding Corp. filed a 10-K at 2025-02-28 08:00:42 EST
Accession Number: 0001558370-25-001884


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

The Company believes that a strong cybersecurity program is vital to effective cybersecurity risk management. The Company recognizes the importance of developing, implementing, and maintaining robust cybersecurity measures to help safeguard sensitive information and its business operations, and to protect the confidentiality, integrity, and availability of its information systems and the nonpublic information transmitted, processed and stored on its systems or those of third-party service providers.

Managing Material Risks & Integrated Overall Risk Management

The Company has integrated cybersecurity risk management into its broader risk management framework in order to promote a culture that values protecting sensitive information. This integration is intended to promote the inclusion of cybersecurity considerations in decision-making processes throughout the Company. The Bank’s general risk management personnel, including the Chief Risk Officer (“CRO”), work closely with their information technology and security counterparts to evaluate and address cybersecurity threats in alignment with our business objectives and operational needs. The Company also maintains a system-wide information security program that applies to all employees. All employees are expected to assist in safeguarding the Company’s information systems and to assist in the detection and reporting of cybersecurity incidents. This Company-wide program is intended to identify and assess internal and external cyber and information security risks that may threaten the security or integrity of nonpublic information stored on the Company’s information systems or those of third-party providers from unauthorized access, use or other malicious acts. The Board of Directors is responsible for overseeing the Company’s cybersecurity program.

The Board of Directors has established oversight mechanisms that are intended to promote effective governance in managing risks associated with cybersecurity threats because it recognizes the significance of these threats to the Company’s operational integrity and the information stored on the Company’s information systems or those of third-party service providers. See “Governance - Board of Directors Oversight.”

Engage Third-parties on Risk Management

Recognizing the complexity and evolving nature of cybersecurity threats, the Company engages with a range of external experts from time to time, including cybersecurity assessors, risk management professionals, and other consultants, in evaluating and testing our risk management systems. We also engage third-party services on an ongoing basis to conduct independent audits of our risk management systems. These engagements enable us to leverage specialized knowledge and insights and assist the Company with its goal of maintaining cybersecurity strategies and processes that are consistent with industry best practices. Our collaboration with these third-parties includes tabletop exercises, penetration testing and other cyber-support services.

Oversee Third-party Risk

Because the Company is aware of the risks associated with third-party service providers, the Company has implemented policies and processes to oversee and assist with managing these risks. The Company’s Third-Party Risk Management Officer (the “TPRM”) conducts security and risk assessments of all third-party providers before engagement and monitors these third-party providers on an ongoing basis to assess each provider’s compliance with the Company’s cybersecurity standards, which are intended to be commensurate with the level of risk and complexity of the relationship with, and the activities performed by, a given provider engaged by the Company.

In addition, the TPRM conducts an annual risk assessment of any third-party provider that provides critical services to the Company or has access to customers’ protected data. This approach is designed to help identify and mitigate risks related to data breaches or other cybersecurity incidents originating from third-parties in order to better protect our customers’ personally identifiable information and the Company’s assets and data.

Risks from Cybersecurity Threats

We have not encountered cybersecurity threats or incidents that have materially and adversely affected, or are reasonably likely to materially and adversely affect, the Company’s business strategy, results of operations or financial condition. Notwithstanding the defensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While the Company maintains cybersecurity insurance, the costs related to cybersecurity threats, incidents or disruptions may not be fully insured. For more information regarding the risks we face from cybersecurity threats, see Part I, Item 1A., “Risk Factors - Risks Related to the Company’s Operations - A failure in the Company’s operation and/or information systems or infrastructure, or those of third parties, including cyber-attacks, could impair the Company’s liquidity, disrupt its businesses, result in the unauthorized disclosure of confidential information, damage its reputation, and cause financial losses.”

Governance

Board of Directors Oversight

Our information security program is designed to ensure that adequate governance and oversight are in place while evolving to meet changes in applicable laws and regulations, and industry best practices.

Cybersecurity is a significant risk to the enterprise, and matters related to information security are regularly featured as part of management’s enterprise risk profile updates to the Risk Committee of the Board of Directors (the “Risk Committee”), which occur at least on a quarterly basis. The Chair of the Risk Committee reports to the Board of Directors on the committee’s proceedings and activities, including in connection with the committee’s deliberation on information security matters, on a regular basis. In addition to regular touchpoints on cyber matters at the Risk Committee, the Board of Directors receives briefings from the Bank’s Chief Information Security Officer (the “CISO”) semi-annually. The Board of Directors directly, and through its standing committees (particularly the Risk Committee and the Audit Committee of the Board of Directors), also engages in broader discussions regarding existing and emerging operational and technology risks with members of management across all lines of defense. To supplement the Board of Directors’ regular engagement regarding the Company’s information security program, the director education program includes cybersecurity-related training opportunities, which assist the directors in staying current on developments and maintaining appropriate knowledge regarding the evolving cybersecurity and threat landscape.

Reporting to Board of Directors

The CISO provides management, the Risk Committee and the Board of Directors with information regarding the Company’s cybersecurity program and potential cybersecurity threats or incidents. In addition, the CISO is empowered to escalate material cybersecurity threats or incidents and strategic risk management decisions to the Board of Directors so that they can provide appropriate oversight and guidance on these critical cybersecurity issues within the context of the Company’s overall strategic objectives and business operations.

Management, the Company’s Chief Digital Officer (the “CDO”), the CRO, and the Incident Management Team (the “IMT”) are also required to report cybersecurity threats and incidents to the Risk Committee and/or the Board of Directors, as applicable.

Management’s Role Managing Risk

The Company’s Enterprise Risk Management Committee (the “ERMC”), an interdepartmental, management-level committee, meets at least quarterly and is responsible for ensuring that the Company has appropriate policies and procedures in place to help identify, measure, monitor and control potentially significant business risks. In connection with these responsibilities, the ERMC receives quarterly risk and control self-assessments and action plans for risk remediation, if required, to reduce residual risks. This includes information security action plans from the CISO, the CDO, and/or other key stakeholders. The incorporation of these reports into the ERMC’s meetings is intended to promote the inclusion of cybersecurity considerations in the risk management decision-making processes throughout the Company.

The Information Technology/Information Security Steering Committee (the “IT Steering Committee”) reports directly into the ERMC and meets at least quarterly. The IT Steering Committee is composed of senior members of management, including the CDO, the CRO and the CISO. The IT Steering Committee oversees information technology matters at the Company, including the implementation of all cybersecurity policies, standards, guidelines and procedures. The responsibilities of the IT Steering Committee include, among other things, updating the Company’s information technology policies, reviewing the architecture of the Company’s information system infrastructure and monitoring the progress of any significant hardware or software updates or installation.

In addition, the IT Steering Committee provides quarterly reports to the ERMC and the Risk Committee regarding any information-technology-related matters that, in the opinion of the IT Steering Committee, should be escalated. The CISO plays an important role in the prevention, detection, mitigation, and remediation of cybersecurity incidents and in informing management, the Risk Committee and the Board of Directors on cybersecurity risks and issues. The CISO provides quarterly briefings to the Risk Committee on any significant information security issues, relevant cybersecurity metrics and the status of the Company’s security-related strategic initiatives. As discussed above, the CISO also provides mid-year and annual reports to the full Board of Directors regarding the state of the Company’s information security program. The annual reports encompass a broad range of topics, including:

● Confidentiality of nonpublic information and the integrity and security of the Company’s information systems;
● Cybersecurity policies and procedures;
● Material cybersecurity risks;
● Effectiveness of our cybersecurity program; and
● Any material cybersecurity incidents.

In addition to these scheduled meetings, the Risk Committee, the CISO, the CDO, the CRO, and other members of management maintain ongoing dialogues with respect to emerging or potential cybersecurity threats. The Risk Committee also receives reports and updates from management regarding significant cybersecurity developments so that the Board of Directors can be promptly notified, as and when appropriate, of any threats or incidents as well as management’s proposed responses.

Risk Management Personnel

The Company’s CISO has extensive experience in the field of cybersecurity and is responsible for managing the Company’s cybersecurity risks and ensuring that the Company’s security posture is aligned with its business objectives. Our CISO’s technical and business experience is helpful for developing and executing our cybersecurity strategies. The CISO helps to oversee the Company’s information security policies and programs, perform risk and vulnerability assessments of the Company’s information systems, and coordinate responses to cybersecurity incidents in conjunction with the CDO, the Company’s Incident Response Team (the “IRT”), the IMT and management.

The Company’s CDO has extensive experience in establishing and maintaining scalable and secure technology systems and is responsible for maintaining the Company’s various digital platforms. Our CDO worked in various systems, information technology and digital managerial roles at a global financial and investment firm prior to joining the Company. Our CDO’s technical and managerial experience is helpful for developing and executing our cybersecurity strategies. The CDO helps to oversee the Company’s efforts to improve its systems’ capabilities, reliability, scalability and security.

The Company’s CRO is responsible for identifying, controlling and mitigating risks that could impact the Company’s operations. Our CRO’s decades of experience managing the various risks faced by financial institutions are helpful for developing and executing our cybersecurity strategies in a manner that is aligned with the overall risk management framework of the Company.

If the Company is notified of a cybersecurity incident affecting the Company’s information systems, either by an employee, our defensive infrastructure, a regular system audit or another mechanism, the IRT, led by the CDO, will perform the technical functions required to analyze and contain such an incident, including, but not limited to, technical triage, in-depth analysis, technical mitigation and any necessary recovery actions. The IMT will be activated by the CISO, the CRO or another member of the team to assist in the response, evaluate the cybersecurity threat and coordinate the business decisions necessary to limit the impact of the cybersecurity incident during and after the response. The IMT will also perform similar functions if we detect or are alerted to a cybersecurity threat or incident involving a third-party service provider. The Company’s Network and Cloud Administration is led by the CDO and is also responsible for managing security infrastructure and deploying, configuring, and managing various security solutions, tools and products to assist in safeguarding the Company’s information system infrastructure and operations.

Monitor Cybersecurity Incidents

The IT Steering Committee, which is a subcommittee of the ERMC, established the Information Technology and Information Security Working Group (the “IT/IS Working Group”), which is comprised of the CDO, the Head of Information Technology Infrastructure, the CISO, the Information Security Officer, the Information Security Assurance Program Manager and certain other members of the Company’s information technology engineering staff. The mission of the IT/IS Working Group is to foster the sharing of information among departments regarding existing and emerging threats and risks related to cybersecurity and related compliance issues in order to better integrate cybersecurity risk management and increase awareness of cybersecurity threats throughout the Company. This group meets on a weekly basis to discuss, among other things, vulnerability management, threat and risk analysis and the status of our continued enhancements to the Company’s information security infrastructure that are intended to further manage and mitigate future risks.

The CISO implements and oversees policies and processes for the regular monitoring of our information systems. This includes the deployment of additional security measures, including defensive infrastructure, and regular system audits to identify potential vulnerabilities. If the CISO, the IRT and/or management believe a cybersecurity incident is potentially material, the CISO, the CRO or another member of the team can convene the IMT to further assist in the Company’s remediation and response efforts. Following the remediation of the cybersecurity incident, the IRT and/or IMT will review the effectiveness and appropriateness of the Company’s response in order to identify and implement potential enhancements to the Company’s security infrastructure and the broader risk management framework.


Company Information

Name: Metropolitan Bank Holding Corp.
CIK: 0001476034
SIC Description: State Commercial Banks
Ticker: MCB - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: December 30