Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy

Rhinebeck Bank recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. Cybersecurity risk management is an integral part of our overall enterprise risk management program. As a financial services company, we face cyber threats that are ever present and growing, and the potential exists for a cybersecurity incident to disrupt business operations and compromise sensitive data. Our risk management program is designed to identify, assess, and mitigate risks across various aspects of our company, including financial, operational, regulatory, reputational, and legal. Cybersecurity is a critical component of this program, given the increasing reliance on technology and the potential for cyber threats. Our objective for managing cybersecurity risk is to avoid or minimize the impact of external threat events or other efforts to penetrate, disrupt or misuse our systems or information. The structure of our information security program is designed around the Federal Financial Institutions Examination Council Cybersecurity Guidelines, regulatory guidance, and other industry standards. In addition, we leverage certain industry and government associations, third-party benchmarking, audits and threat intelligence feeds to facilitate and promote program effectiveness. We continuously monitor evolving regulatory requirements related to cybersecurity and ensure that our cybersecurity program fully complies with all applicable laws and standards.

Managing Material Risks and Integrated Overall Risk Management

Rhinebeck Bank has strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Our internal risk management team works closely with our IT department to evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. We also employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. We have established processes and systems designed to mitigate cyber risk, including ongoing education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests.

Engaging Third Parties on Risk Management

Recognizing the complexity and evolving nature of cybersecurity threats, Rhinebeck Bank engages with a range of independent external data security professionals, including cybersecurity risk assessors, consultants, internal and external auditors, and insurance professionals to obtain a holistic view of our cybersecurity landscape. These partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain at the forefront of industry best practices. Our collaboration with these third parties includes regular audits, threat assessments, and consultations on cybersecurity enhancements to proactively address new and evolving risks and strengthen our cybersecurity program.

Mitigating Third-Party Risk

Because we are aware of the risks associated with third-party service providers, Rhinebeck Bank implements stringent processes to oversee and manage these risks. We conduct thorough security assessments of all third-party providers with access to Customer Non-Public Information before engagement and maintain ongoing monitoring to ensure compliance with strict cybersecurity standards.

Risks from Cybersecurity Threats

We have not encountered any cybersecurity incidents, directly or indirectly, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

Managing Material Risks and Integrated Overall Risk Management

Rhinebeck Bank has strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Our internal risk management team works closely with our IT department to evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. We also employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. We have established processes and systems designed to mitigate cyber risk, including ongoing education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Board of Directors Oversight

The Board is responsible for the oversight of cybersecurity risk management and is composed of members with diverse expertise in risk management, technology, and finance, thereby equipping them to manage and prevent cybersecurity risks effectively.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Board of Directors
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

The current cybersecurity landscape and emerging threats;
The status of ongoing cybersecurity initiatives and strategies;
Incident reports and issues identified from any cybersecurity events;
Compliance with regulatory requirements and industry standards; and
Vulnerability/patch reporting for end points on the Bank’s network.

In addition to our regularly scheduled Board meetings, the General Counsel and CRO, the SVP, Information Technology, the vCISO and the CEO regularly communicate regarding emerging or potential cybersecurity risks. They discuss any significant developments in the cybersecurity domain, which, when reported to the Board, ensure that the Board’s oversight is proactive and responsive. The Board of Directors actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. This involvement ensures that cybersecurity considerations are integrated into the broader strategic objectives of Rhinebeck Bank. The Board of Directors closely reviews the annual vCISO report of the Bank’s cybersecurity posture and the effectiveness of its risk management strategies prior to approval. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.

Cybersecurity Risk Role of Management [Text Block]

Management’s Role in Managing Risk

The risk management function is led by the General Counsel and Chief Risk Officer (“CRO”), the SVP, Information Technology, the Information Security Officer, and the virtual Chief Information Security Officer (“vCISO”) employed by DeepSeas Security, a cyber defense services business that partners with customers to reduce cybersecurity risks and the related costs. The vCISO and the CEO each play a pivotal role in informing the Board of Directors on cybersecurity risks. They provide comprehensive briefings to both the Board and the Audit Committee at least once per year and more frequently as needed. These briefings encompass a broad range of topics, including:

The current cybersecurity landscape and emerging threats;
The status of ongoing cybersecurity initiatives and strategies;
Incident reports and issues identified from any cybersecurity events;
Compliance with regulatory requirements and industry standards; and
Vulnerability/patch reporting for end points on the Bank’s network.

In addition to our regularly scheduled Board meetings, the General Counsel and CRO, the SVP, Information Technology, the vCISO and the CEO regularly communicate regarding emerging or potential cybersecurity risks. They discuss any significant developments in the cybersecurity domain, which, when reported to the Board, ensure that the Board’s oversight is proactive and responsive. The Board of Directors actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. This involvement ensures that cybersecurity considerations are integrated into the broader strategic objectives of Rhinebeck Bank. The Board of Directors closely reviews the annual vCISO report of the Bank’s cybersecurity posture and the effectiveness of its risk management strategies prior to approval. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Chief Information Security Officer (“vCISO”)
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] With over 20 years of global leadership and management experience in the field of cybersecurity, our vCISO brings a wealth of expertise to his role. His experience includes prior CISO leadership roles in the fintech sector, where he developed an expert level of understanding of the intersection between financial regulations and cloud-based technologies. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The vCISO is informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This knowledge is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The vCISO provides structure for clear processes to ensure the regular monitoring of our information systems. At Rhinebeck Bank, this includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, our partnership with DeepSeas Security allows us to be equipped with a well-defined incident response plan that is adequately resourced. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and the prevention of future incidents.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true