Page last updated on March 28, 2025
NORTHPOINTE BANCSHARES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-28 17:06:10 EDT.
Filings
10-K filed on 2025-03-28
NORTHPOINTE BANCSHARES INC filed a 10-K at 2025-03-28 17:06:10 EDT
Accession Number: 0001628280-25-015483
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

We maintain a number of processes to identify and respond to cybersecurity threats and incidents, including regular and ongoing education and training for employees (information security awareness training, preparedness simulations and tabletop exercises) and recovery and resilience tests. Our information security and third-party risk management programs evaluate cybersecurity threats posed by internal and external factors and support daily operational functions that prevent unauthorized access or compromise. The third-party risk management program reports functionally to our overall risk management function, led by our Chief Risk Officer. The information security program, led by our Chief Information Security Officer and our Chief Information Officer, evaluates internal and external cybersecurity threat factors according to a written policy statement approved periodically by the Board.

We maintain processes to evaluate third parties whose information systems support our critical operations. The third-party risk management program evaluates the cybersecurity risks and information systems of third parties at onboarding and on an ongoing basis. These processes include evaluating reports and/or performing assessments of a third party's information systems, leveraging cybersecurity frameworks such as International Organization for Standardization (ISO) 27001 and the Cybersecurity Framework (CSF) published by the US National Institute of Standards and Technology, as well as evaluating reports issued by a third party's auditors under the attestation standards issued by the American Institute of Certified Public Accountants (AICPA).

We integrate risk mitigation into additional onboarding requirements to address identified risk factors, such as developing service level agreements and minimum required information security performance expectations, so that cybersecurity threats and incidents can be managed within applicable industry or regulatory standards. We require third-party contracts to incorporate industry- and regulatory-standard clauses that require reporting to us of the occurrence and mitigation of cybersecurity threats and incidents, and that require the third party to maintain adequate levels of cybersecurity insurance coverage.

The information security program performs periodic risk assessments of our information systems and cybersecurity threats using industry-standard methodologies based on the Cybersecurity Assessment Tool (CAT) and regulatory guidance issued by the Federal Financial Institutions Examination Council (FFIEC) and by state and federal regulators, including the Federal Deposit Insurance Corporation and the Michigan Department of Insurance and Financial Services. Based on risk, our information security program performs internal engagements to provide assurance to senior management and the Board that our information systems are able to identify, escalate and mitigate cybersecurity threats on a routine basis. We also engage external independent parties to perform independent audit engagements, as well as other assessments of our information security and third-party risk management programs and information systems.

We are exposed to cybersecurity threats and incidents that can range from uncoordinated individual attempts to gain unauthorized access to information systems to sophisticated and targeted measures known as advanced persistent threats, directed at the Company or its third-party service providers. While we have experienced, and expect to continue to experience, cybersecurity threats, we have not experienced a material cybersecurity incident in the two-year period ended December 31, 2024. The potential consequences of a material cybersecurity incident could include reputational damage, litigation with third parties, regulatory scrutiny or proceedings, and increased cybersecurity protection and remediation costs, which in turn could materially adversely affect our results of operations. We evaluate the risks of data theft (including theft of sensitive, proprietary and other data categories, in addition to personal data), harm to customer or third-party relationships, and the possibility of litigation or regulatory investigation or actions that could materially adversely affect our results of operations and our reputation. Please see Part I, Item 1A Risk Factors for further discussion of the risks associated with an interruption or breach in our information systems or infrastructure.

Cybersecurity Governance

An Information Technology Steering Committee was established to assist Management and the Board of Directors in the oversight and risk management of information security. This Committee is responsible for updates that summarize cybersecurity threat and incident monitoring activity, along with details of remediation to address threats and incidents. The summary considers both internal and external threat events and outlines management's approach to enable the timely identification and notice of a material incident, should one occur, without unreasonable delay. The Board of Directors receives periodic training related to cybersecurity and is responsible for approval and oversight of management's policies governing information system security and cybersecurity threats and incidents, as well as oversight of management's approach to securing our information systems.

The Board of Directors delegates the primary oversight of risk management to the Bank's Audit Committee. The Audit Committee receives and reviews reports on our risk management processes, which include assessments of management's cybersecurity threat and incident management functions. The committee receives periodic reporting of certain cybersecurity risks from the Chief Information Security Officer, including reports related to social engineering, the effectiveness of cybersecurity training, vulnerability and penetration assessments performed on the Company's information systems by internal and external parties, and audit reports on information systems and cybersecurity threat and incident monitoring.

Potential cybersecurity incidents are reviewed by the Chief Information Security Officer and the Information Technology Steering Committee. The committee's evaluation of reported events includes reporting of any mitigation or remediation determined necessary to address the threat posed by the reported event. If any event rose to the level of a material incident, management maintains an incident response plan to mitigate the impact, maintain business continuity and provide for internal and external communication, including required notifications.

Our Chief Information Security Officer has over 25 years of relevant experience and formal training in the areas of cybersecurity, risk management, and data privacy in the financial services industry. The Chief Information Security Officer holds a Master of Science in Computer Information Systems and appropriate professional certifications. Our Chief Information Officer has over 20 years of executive-level technology leadership experience in the financial services industry.
Company Information
Name | NORTHPOINTE BANCSHARES INC |
CIK | 0001336706 |
SIC Description | State Commercial Banks |
Ticker | NPB - NYSE |
Website | |
Category | |
Fiscal Year End | |