UNITY BANCORP INC /NJ/ 10-K Cybersecurity GRC - 2025-03-07

Page last updated on March 7, 2025

UNITY BANCORP INC /NJ/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-07 16:05:41 EST.

Filings

10-K filed on 2025-03-07

UNITY BANCORP INC /NJ/ filed a 10-K at 2025-03-07 16:05:41 EST
Accession Number: 0000920427-25-000016


Item 1C. Cybersecurity.

Item 1C in this document.

The Company’s business strategy could be adversely affected if it is not able to attract and retain skilled employees and manage expenses.

The Company expects to continue to experience growth in the scope of its operations and, correspondingly, in the number of its employees and customers. The Company may not be able to successfully manage its business as a result of the strain on Management and operations that may result from this growth. The Company’s ability to manage this growth will depend upon its ability to continue to attract, hire and retain skilled employees. The Company’s success will also depend on the ability of its officers and key employees to continue to implement and improve operational and other systems, to manage multiple, concurrent customer relationships and to hire, train and manage employees. Further, given the rise of “remote” and “hybrid” working models, the Company is in competition with more companies and industries for employee retention. The Company’s potential inability to retain key employees could have a material adverse effect on its financial condition and results of operations. As a community banking organization, the Company is highly reliant on key employees, including its Chief Executive Officer, Chief Financial Officer, heads of key operational areas, area managers, business development officers and loan officers. The loss of these employees could have an adverse impact on the Company’s operating capacities and the ability to implement growth strategies and adversely impact the financial performance.

Pandemic or other health related events may have a material adverse effect on operations and financial condition.

The outbreak of disease or other health related events on a regional, national or global level and the government’s reaction to such events, may have a material adverse effect on commerce, which may, in turn impact the Company’s lines of business as well as the businesses of its customers.

Climate change, hurricanes, flooding, earthquakes, terrorism or other adverse events could negatively affect local economies or disrupt operations, which would have an adverse effect on the Company’s business or results of operations.

There is an increasing concern over the risks of climate change and related environmental sustainability matters. Climate change presents (i) physical risks from the direct impacts of changing climate patterns and acute weather events and (ii) transition risks from changes in regulations, disruptive technologies, and shifting market dynamics towards a lower carbon economy. The physical risks of climate change include discrete events such as hurricanes, flooding, earthquakes that can disrupt the Company’s operations, result in damage to its properties and negatively affect the local economies in which it operates. Ongoing legislative or regulatory uncertainties and changes regarding climate risk management and practices may result in higher regulatory, compliance, credit and reputational risks and costs. Climate change could also present incremental risks to the execution of the Company’s long-term strategy. Additionally, transitioning to a low-carbon economy may entail extensive policy, legal, technology and market initiatives. In addition, our reputation and client relationships may be damaged as a result of our practices related to climate change, including our involvement, or our clients’ involvement, in certain industries or projects, in the absence of mitigation and/or transition measures, associated with causing or exacerbating climate change, as well as any decisions we make to continue to conduct or change our activities in response to considerations relating to climate change. As climate risk is interconnected with all key risk types, the Company continues to embed climate risk considerations into risk management strategies.

Furthermore, these weather events may result in a decline in value or destruction of properties securing loans and an increase in delinquencies, foreclosures and credit losses. The Company does maintain property insurance policies to cover certain costs associated with these events; however, it is possible that the expenses may exceed coverage, may not be covered at all or may ultimately increase costs associated with future insurance premiums. Additionally, New York City and New Jersey remain central targets for potential acts of terrorism against the United States. Such events could affect the stability of the Company’s deposit base, impair the ability of borrowers to repay outstanding loans, impair the value of collateral securing loans, cause significant property damage, result in loss of revenue and/or cause the Company to incur additional expenses. The occurrence of any such event in the future could have material adverse effect on the business, which in turn, could have a materially adverse impact on the financial condition and results of operations of the Company.

The Company may be adversely affected by changes in U.S. federal tax laws and state and local tax laws.

The Company’s business may be adversely affected by changes in tax laws if there are any increases in its federal income tax rates. Further, the Company’s business may be adversely affected by changes in tax laws if there are any increases in its state and local tax rates in markets where it has locations.

The Company’s financial results and condition may be adversely impacted by banking failures or future similar events.

Certain events impacting the banking industry, including the bank failures in March and April 2023, resulted in significant disruption and volatility in the capital markets, reduced valuation of bank securities, and decreased confidence in banks among certain depositors and counterparties. While the U.S. Department of Treasury, the Federal Reserve, and the FDIC took steps to ensure the depositors of the failed banks in early 2023 would have access to their insured and uninsured deposits, there is no assurance that these or similar actions will restore customer confidence in the banking system, and the Company may be further impacted by concerns regarding the soundness, real or perceived, of other financial institutions or other future bank failures or disruptions. Any loss in client deposits or changes in the Company’s perception could increase the cost of funding, limit access to capital markets or negatively impact the Company’s overall liquidity or capitalization. Further, the cost of resolving the bank failures also prompted the FDIC to issue a special assessment to recover costs to the DIF. The special assessment did not impact the Company; however, the FDIC maintains the ability to impose additional shortfall special assessments, which may adversely impact the Company, in the future.

Claims and litigation could result in significant expenses, losses and damage to the Company’s reputation.

From time to time, as a part of the Company’s normal course of business, customers, bankruptcy trustees, former customers, contractual counterparties, third parties and current and former employees may make claims and take legal action against the Company based on the actions or inactions of the Company. If such claims and legal actions are undertaken and are not resolved in a manner favorable to the Company, they may result in financial liability and/or adversely affect the market perception of the Company. Any financial liability could have a material impact on the Company’s financial condition and results of operations. Any reputational damages could have a material adverse effect on the Company’s business.

Failure to successfully implement the Company’s growth strategies could cause it to incur substantial costs, which may not be recouped and adversely affect its future profitability.

From time to time, the Company may implement new lines of business, open new branches or offer new products and services. There are substantial risks and uncertainties associated with these efforts. The Company may invest significant time and resources, which may not be fully recouped if profitability targets are not proven feasible. External factors such as compliance with regulations, competitive alternatives and shifting customer preferences may also impact successful implementation. Failure to successfully manage these risks may have a material adverse impact on the Company’s business, results of operations and financial condition.

Further, in order to continue growth, the Company may need to seek additional capital. The Company will be required to maintain its regulatory capital levels at levels higher than the minimum set by its regulators. If the Company were required to raise capital to implement growth strategies, the Company can offer no assurances that it will be able to raise capital in the future or that the terms of the capital will be beneficial to its existing shareholders. In the event that the Company is unable to raise capital in the future, the Company may not be able to continue its growth strategy.

A component of the Company’s growth strategies may include merger & acquisition opportunities. Attractive merger and acquisition opportunities may not be available to the Company in the future as other banking and financial service companies, many of which have greater resources, will compete with the Company in acquiring potential target companies. This competition could increase prices of potential acquisitions that may be attractive. Additionally mergers and acquisitions are subject to various regulatory approvals. If regulatory approvals are not obtained, the Company would not be able to consummate a merger or acquisition that may be in the Company’s best interests. Lastly, the Company has limited merger and acquisition experience, which may minimize the deals available or the ability to appropriately analyze and operationally execute a merger or acquisition. This may adversely impact the operating results.

The Company may not be able to detect money laundering and other illegal or improper activities fully, or on a timely basis, which could expose the company to additional liability and could have a material adverse effect.

The Company is required to comply with anti-money laundering, anti-terrorism and other laws and regulations in the United States. These laws and regulations require the Company to adopt and enforce “know-your-customer” policies and procedures and to report suspicious and larger transactions to applicable regulatory authorities. These laws and regulations have become increasingly complex and detailed, require improved systems, sophisticated monitoring and compliance personnel and have become the subject of enhanced government supervision. Although the Company has policies and procedures aimed at detecting and preventing the use of its banking network for money laundering and related activities, those policies and procedures may not eliminate instances in which the Company may be used by customers to engage in illegal or improper activities. To the extent that the Company fails to fully comply with the applicable laws and regulations, banking agencies may have the authority to impose fines, other penalties and sanctions on the Company.

The Company’s ability to maintain its reputation is critical to the success of the business and the failure to do so may adversely impact its performance.

The Company’s reputation is one of the most valuable components of its business.
As such, the Company strives to conduct its business in a manner that maintains its reputation. If the Company’s reputation is negatively impacted by the actions of an employee, certain litigations, regulatory actions, or certain financial concerns, the business and therefore the operating results may be adversely impacted. In addition, stakeholder expectations regarding environmental, social, and governance matters continue to evolve and are not uniform. We have established, and may continue to establish, various goals and initiatives on these matters. We cannot guarantee that we will achieve these goals and initiatives. Any failure, or perceived failure, by us to achieve these goals and initiatives could adversely affect our reputation and results of operations.

The Company’s controls and procedures may fail or be circumvented, which may result in a material adverse effect on its business, results of operations and financial condition.

The Company’s Management periodically reviews and updates its internal controls, policies and procedures. Any system of controls is in part based on certain assumptions and can only provide reasonable, not absolute, assurances that the objectives of the system are met. Any failure or circumvention of the controls and procedures or failure to comply with regulations related to controls and procedures could have a material adverse effect on the Company and its results of operations and financial condition.

Anti-takeover provisions in corporate documents and in New Jersey corporate law may make it difficult and expensive to remove current management.

Anti-takeover provisions in corporate documents and in New Jersey law may render the removal of the existing Board of Directors and management more difficult. Consequently, it may be difficult and expensive for the shareholders to remove current management, even if current management is not performing adequately.

Item 1B. Unresolved Staff Comments: None

Item 1C. Cybersecurity Disclosures

Risk Management and Governance

Cybersecurity is a material part of Unity Bank’s business. As a technology forward financial institution offering products through multiple digital delivery channels, cybersecurity incidents could have a material effect on the Company, its results of operations and its reputation. To date, the Company has not experienced any cybersecurity incident which has had a material effect on the Company’s business strategy, results of operations or financial condition, although increased use of technology will expose us to greater risk of breaches in security and/or service disruptions.

Cybersecurity risk is initially overseen by the management Information Technology Steering Committee (the “ITSC”). The members of this committee include the Company’s Chief Information Officer, Chief Compliance Officer (who is also the Information Security Officer), Chief Executive Officer, Chief Financial Officer and other critical executive management members. The ITSC also includes a non-voting member that is an outsourced cybersecurity expert.

Over his 17-year career, the Company’s Chief Information Officer has served in multiple Information Technology and Cybersecurity roles, such as Senior Engineer, responsible for implementing hardened infrastructure for both physical and cloud applications; Solutions Architect, designing infrastructures for highly regulated industries including Financial Services, Local/State Government and Healthcare; Director of Service Delivery, overseeing engineering, solutions architecture and maintaining the System and Organization Controls (SOC) program prior to joining Unity Bank. During his tenure at Unity Bank, he is a member of various Risk and Cybersecurity Committees of the New Jersey Bankers Association, is a member of FS-ISAC, The Independent Community Bankers of America and our primary banking vendors advisory and risk management committees.

The Company’s Chief Compliance Officer was appointed as the Company’s Information Security Officer in 2016. The Virtual Information Security Officer (vISO), an outsourced consultant, has an over 19-year career in Information Technology, Cybersecurity and both Internal/External Audit experience. He presently holds a position of Partner of Herbein, COA Advisor & Audit, where he’s held multiple positions within Information Technology and Cybersecurity. The Company’s Information Technology Manager has an over 26-year career in Information Technology, the prior 13-years of which have been in Information Technology, Security and Cybersecurity, working primarily in regulated industries.

In order to ensure that cybersecurity risk management is integrated into the Company’s overall risk management plans, systems and processes, the ITSC and Chief Information Officer provide reports and updates to the Board of Directors, or a Committee thereof on a quarterly basis.

The Company’s cybersecurity risk mitigation program involves a combination of internal resources and the use of third parties. The Company’s internal IT team performs monthly vulnerability scanning and performs an annual risk assessment based on the National Institute of Standards and Technology Cybersecurity Framework. The results are reported to the ITSC. The Company’s IT and compliance staff also review potential cybersecurity threats associated with the Company’s third party vendors, including performing a review of and obtaining a System of Organization Controls report from all vendors rated as “high risk” by the Company’s internal vendor management program.

The Company also has an internal Incident Response Plan and Team, which is charged with overseeing the Company’s response to any cybersecurity incident. The team performs a table top exercise at least annually to prepare to respond in the event of any actual cybersecurity incident.

In addition to these internal resources, the Company uses a third party vendor to complete annual penetration and vulnerability testing, with the results reported to the ITSC. Finally, the Company’s cybersecurity compliance program is audited by the Bank’s outsourced internal auditor. The Company also maintains insurance which may provide coverage for expenses and certain losses incurred in connection with a cybersecurity incident.

Cybersecurity Incident Response Planning

The Company has established a comprehensive cybersecurity incident response plan to ensure the swift and effective handling of any potential security breaches. This plan includes detailed procedures for identifying, assessing, and mitigating cybersecurity threats, as well as protocols for communication and coordination with relevant stakeholders. Regular training and simulations are conducted to keep the Company’s response team prepared for various scenarios, ensuring minimal disruption to its operations and safeguarding the Company’s customers’ data.


Company Information

Name: UNITY BANCORP INC /NJ/
CIK: 0000920427
SIC Description: State Commercial Banks
Ticker: UNTY - Nasdaq
Website:
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: December 30