Page last updated on March 3, 2025
MERCANTILE BANK CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-03 11:34:21 EST.
Filings
10-K filed on 2025-03-03
MERCANTILE BANK CORP filed a 10-K at 2025-03-03 11:34:21 EST
Accession Number: 0001437749-25-005844
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

Our enterprise risk management program is designed to identify, assess, and mitigate risks across various aspects of our company, including financial, operational, regulatory, reputational, and legal. Cybersecurity is a critical component of this program given the increasing reliance on technology and potential of cyber threats. Our Chief Information Security Officer (the “CISO”) is primarily responsible for this cybersecurity component and is a key member of the risk management organization, reporting directly to the Senior Management Team (“SMT”) and our Tech Oversight Committee. Our Tech Oversight Committee includes members of our Board and management. Our CISO has served in this capacity for more than a decade and maintains multiple certifications issued by the Information Systems Audit and Control Association (“ISACA”) and the SANS Institute.

As part of our overall enterprise risk management program, we maintain both an Information & Cyber Security Program Policy (“ICSPP”) and Information & Cyber Security Incident Response Policy (“ICSIRP”). Our ICSPP is overseen by the SMT, which is responsible for designating the CISO. The CISO is responsible for leading company-wide cybersecurity strategy, policy, standards, architecture, and processes. The CISO is charged with all logical security related matters, which include but are not limited to, PC/server security, network security, internet security, and database and application security. Our ICSIRP is based on applicable federal and state laws as well as cybersecurity incident response best practices. The purpose of the ICSIRP is to define procedures for reporting and responding to cybersecurity incidents. It creates objectives for actionable procedures that can be measured, evaluated, scaled and revised as necessary for each specific incident.

These objectives include maximizing the effectiveness of our company’s operations through an established plan of action and assigning responsibilities to appropriate personnel and/or third-party contractors. Our company has engaged a third-party managed detection and response company to monitor the security of our information systems around-the-clock, including intrusion detection and response, and to provide instantaneous alerting should a cybersecurity event occur. If a cybersecurity threat or cybersecurity incident is identified through our company’s information systems, the CISO and Incident Response Team (“IRT”) will take immediate steps to mitigate the threat and assess any damages. Upon report from the CISO, the SMT will evaluate the materiality of the cybersecurity threat or cybersecurity incident to determine if any public disclosures are required under the Securities and Exchange Commission’s cybersecurity disclosure rule. If deemed necessary, third-party consultants, legal counsel, and assessors will be engaged to evaluate the materiality assessment.

Our company has training and awareness programs designed to educate its employees about cybersecurity risks and how to protect our company, our customers and themselves from cyber-attacks and to keep its employees informed about cybersecurity threats and how to stay safe online, including secure access practice, phishing schemes, remote work and response to suspicious activities. Our cybersecurity program interfaces with other functional areas within our company, including but not limited to, our company’s business segments and information technology, legal, risk, human resources and internal audit departments, as well as external third-party partners, to identify and understand potential cybersecurity threats. We regularly assess and update our processes, procedures and management techniques in light of ongoing cybersecurity developments.

Recognizing the complexity and evolving nature of cybersecurity threats, we also engage with a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing our risk management systems. These partnerships enable our company to leverage specialized knowledge and insights, ensuring its cybersecurity strategies and processes remain at the forefront of industry best practices. Our company’s collaboration with these third parties includes regular audits, testing, threat assessments and consultation on security enhancements.

To date, risks from cybersecurity threats or incidents have not materially affected our company. However, the sophistication of and risks from cybersecurity threats and incidents continue to increase, and the preventative actions that we have taken and continue to take to reduce the risk of cybersecurity threats and incidents and protect our systems and information may not successfully protect against all cybersecurity threats and incidents. For more information on how cybersecurity risk could materially affect our company’s business strategy, results of operations, or financial condition, please refer to Item 1A Risk Factors.

Governance

Our company recognizes the importance of safeguarding company and customer information. Therefore, the Board of Directors recognizes that the protection of this information ranks as one of our highest priorities. The Board of Directors is responsible for reviewing and approving the ICSPP and ICSIRP at least annually and monitoring material risks facing our company. The Board recently added a member who possesses specialized expertise in cybersecurity matters. Director Sara A. Schmidt currently serves as chief information security officer for US Foods and executive sponsor of the West Michigan Cyber Security Consortium. The Board has tasked the SMT with overseeing efforts to develop, implement and maintain an effective information and cybersecurity program. The SMT designates the CISO who also serves as the IRT leader.

As part of its oversight responsibilities, the Board of Directors is responsible for discussing with the SMT our company’s major risk exposures, such as cybersecurity, and the steps management has taken to monitor and control those exposures, including our risk assessment and risk management policies. The Board of Directors also monitors our compliance with legal and regulatory requirements and the risks associated therewith. On a regular basis, our Tech Oversight Committee reviews with the SMT significant areas of risk exposure involving cybersecurity. At the direction of the SMT, the CISO and IRT monitor internal and external cybersecurity threats and review and revise our company’s cybersecurity defenses on an ongoing basis. The CISO, together with other members of the IRT, bring a wealth of expertise to their respective roles, including expertise in security technologies; designing and implementing security strategies; security standards such as NIST, ISO, COBIT and ITIL; and risk management and incident response. The CISO prepares reports on IT general controls and cybersecurity metrics for the SMT and Tech Oversight Committee periodically. The Board of Directors meets with the CISO periodically to discuss cybersecurity.
Company Information
| Field | Value |
| --- | --- |
| Name | MERCANTILE BANK CORP |
| CIK | 0001042729 |
| SIC Description | State Commercial Banks |
| Ticker | MBWM - Nasdaq |
| Website | |
| Category | Accelerated filer |
| Fiscal Year End | December 30 |