Identifying and Managing Cybersecurity Threats

The Company has implemented processes for assessing, identifying, and managing material risks from Cybersecurity threats. These processes have been integrated into our overall risk management system or processes, by being evaluated and tested by the risk management team and overseen by the Chief Risk Officer.

We also engage with a third party consultant on an annual basis to review our Cybersecurity risk assessment program for adequacy and effectiveness. We routinely perform simulations and tabletop exercises, that incorporates third party consultants, to help strengthen Cybersecurity protection and information security procedures and safeguards. We have processes to oversee and identify any Cybersecurity risks identified by the third-party consultant. All employees are required to complete an annual Cybersecurity awareness training.

Cybersecurity Risk Oversight 

Our Board of Directors include a Cybersecurity Risk Committee that includes at least two members with either a risk or information technology background. The Chief Risk Office provides quarterly updates to the Cybersecurity Risk Committee related to Cybersecurity matters. A Cybersecurity Dashboard is presented each quarter which contains information on Cybersecurity controls; incidents and threats to the Company's information security; and ongoing prevention and mitigation efforts for such threats.

The Cybersecurity Risk Committee is responsible for the Cybersecurity oversight and outlines the strategic vision and associated goals for the Cybersecurity. The committee provides an assessment of existing and emerging Cybersecurity risks to the full Board on an annual basis.

The Chief Risk Officer is responsible for measuring and managing Cybersecurity risk. This is done by implementing controls and measures to monitor the prevention, mitigation, detection, and remediation of Cybersecurity threats. The Chief Risk Officer reports to the Cybersecurity Risk Committee.

Cybersecurity Risks are increasingly complex and can change frequently such that the Company may be unable to proactively address those threats or implement adequate preventive measures. With the increased use of technologies such as the internet to conduct business, the Company is susceptible to operational, information security and related risks. To the extent that a Cybersecurity breach results in a loss or damage to the Company's data, or in inappropriate disclosure of confidential or personal information, it could cause significant damage to the Company's reputation, affect its relationships with its customers, lead to violations of applicable privacy and other laws, regulatory fines, penalties, additional compliance costs, claims against the Company and ultimately materially adversely affect its business, results of operations or financial condition.