Annual report [Section 13 and 15(d), not S-K Item 405]

Cybersecurity Risk Management, Strategy, and Governance

Cybersecurity Risk Management, Strategy, and Governance
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Item 1C. Cybersecurity

Cybersecurity Risk, Management, and Strategy

Cybersecurity is a significant and integrated component of the Company’s risk management strategy, designed to protect the confidentiality, integrity, and availability of sensitive information contained within the Company’s information systems. The Information Security Officer is primarily responsible for administering, updating and enforcing the cybersecurity components of the risk management strategy and reports to the Chief Risk Officer. The Information Security Officer periodically collaborates with third-party service providers and industry groups to discuss cybersecurity trends and best practices. The Information Security Officer is supported by the Chief Technology Officer, who reports directly to the Chief Financial Officer. The Chief Technology Officer oversees our Information Technology department, which constitutes our first line of defense.

As a financial services company, cyber threats are present and growing, and the potential exists for a cybersecurity incident disrupting business operations and compromising sensitive data. To manage cybersecurity risk, the Company has implemented a multi-layered “defense-in-depth” cybersecurity strategy, integrating people, technology, and processes. The cybersecurity strategy is memorialized within the Company’s information security program. The program incorporates regulatory guidance and industry standards while leveraging information from industry associations, third-party benchmarking, audits, threat intelligence and peer industry groups. The information security program is reviewed by the Chief Risk Officer and presented to the Risk, Compliance and Planning Committee to periodically account for the changes in the cyber threat landscape. It is also periodically assessed by the Internal Audit department.

The Company has deployed an in-depth cybersecurity strategy to protect its assets, which includes a diverse preventive and detective tool set to stop, monitor, and alert management of suspicious activities and potential advanced persistent threats. We have implemented other preventive technologies and mitigating processes that include ongoing education and training for employees, periodic tabletop exercises and recovery tests, and regular infrastructure penetration tests conducted by cybersecurity professionals and third-party specialists. Our internal and external auditors, along with independent external partners, periodically assess our processes, systems and controls for design and operating effectiveness, and provide recommendations to bolster our cybersecurity program. In addition, employees are subject to regular simulated phishing assessments designed to sharpen threat detection and reporting capabilities. We also monitor our email gateways for malicious phishing emails and monitor remote connections through a secure virtual private network. Like many companies, we rely on third-party vendor solutions to support our operations. Notable services include 24/7 security monitoring and response, continuous vulnerability scanning, third-party monitoring, and threat intelligence. We have a vendor management program in place to assess and manage risks associated with third-party service providers.

To prepare to respond to incidents, the Enterprise Risk Management Committee periodically reviews and updates our cyber Incident Response Plan (“IRP”). The IRP provides a framework for addressing potential and actual cybersecurity incidents, from assessment through recovery by our Incident Response Team, and for notifying the appropriate management and board committees and regulatory agencies. The Incident Response Team is composed of representatives from various departments including Information Security, Information Technology, Risk Management, Legal, Operations, Marketing and Accounting. Our Information Security Officer manages the IRP and coordinates with senior level management and multiple areas of the company in execution of the plan. While we have experienced cybersecurity incidents, we have not, to our knowledge, experienced an incident materially affecting, or reasonably likely to materially affect, the Company, including its business strategy, results of operations, or financial condition.


Cybersecurity Governance

Our Information Security Officer is accountable for managing the information security department and executing the information security program. The information security department is responsible for cybersecurity risk assessments, alert monitoring, incident response, vulnerability assessment, threat intelligence, identity access governance, and third-party information security risk management. The department consists of information security professionals with varying levels of education, experience and certifications. Our information security department is further supported by our first line of defense, the Information Technology department, and by a third-party managed security service provider. The information technology department is responsible for patch and vulnerability management, identity and access management, endpoint and network security, the IT asset management program, and backup and recovery operations.

The Risk, Compliance and Planning Committee of our Board of Directors provides oversight of the information security program, including cybersecurity, and is chaired by an independent director. Cybersecurity metrics are reported to the committee quarterly. Additionally, management has established an Information Technology Executive Steering Committee focused on technology impact, and an Enterprise Risk Management Committee focused on business and risk impact, both consisting of executives and department leaders across multiple domains. These committees generally meet quarterly and more frequently when warranted. The information security department holds a monthly security meeting with the managers from the information technology department to discuss significant security incidents and the status of the threat landscape. The Information Security Officer reports significant cybersecurity or privacy incidents and the state of the information security program to the Risk, Compliance and Planning Committee of the board on a quarterly basis. The Risk, Compliance and Planning Committee of the Board of Directors provides a report of its activities to the full board at each quarterly board meeting.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

Cybersecurity is a significant and integrated component of the Company’s risk management strategy, designed to protect the confidentiality, integrity, and availability of sensitive information contained within the Company’s information systems. The Information Security Officer is primarily responsible for administering, updating and enforcing the cybersecurity components of the risk management strategy and reports to the Chief Risk Officer. The Information Security Officer periodically collaborates with third-party service providers and industry groups to discuss cybersecurity trends and best practices. The Information Security Officer is supported by the Chief Technology Officer, who reports directly to the Chief Financial Officer. The Chief Technology Officer oversees our Information Technology department, which constitutes our first line of defense.

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] While we have experienced cybersecurity incidents, we have not, to our knowledge, experienced an incident materially affecting, or reasonably likely to materially affect, the Company, including its business strategy, results of operations, or financial condition.
Cybersecurity Risk Board of Directors Oversight [Text Block]

The Risk, Compliance and Planning Committee of our Board of Directors provides oversight of the information security program, including cybersecurity, and is chaired by an independent director. Cybersecurity metrics are reported to the committee quarterly. Additionally, management has established an Information Technology Executive Steering Committee focused on technology impact, and an Enterprise Risk Management Committee focused on business and risk impact, both consisting of executives and department leaders across multiple domains. These committees generally meet quarterly and more frequently when warranted. The information security department holds a monthly security meeting with the managers from the information technology department to discuss significant security incidents and the status of the threat landscape. The Information Security Officer reports significant cybersecurity or privacy incidents and the state of the information security program to the Risk, Compliance and Planning Committee of the board on a quarterly basis. The Risk, Compliance and Planning Committee of the Board of Directors provides a report of its activities to the full board at each quarterly board meeting.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Additionally, management has established an Information Technology Executive Steering Committee focused on technology impact, and an Enterprise Risk Management Committee focused on business and risk impact, both consisting of executives and department leaders across multiple domains. These committees generally meet quarterly and more frequently when warranted. The information security department holds a monthly security meeting with the managers from the information technology department to discuss significant security incidents and the status of the threat landscape. The Information Security Officer reports significant cybersecurity or privacy incidents and the state of the information security program to the Risk, Compliance and Planning Committee of the board on a quarterly basis.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Risk, Compliance and Planning Committee of the Board of Directors provides a report of its activities to the full board at each quarterly board meeting.
Cybersecurity Risk Role of Management [Text Block]

Cybersecurity Governance

Our Information Security Officer is accountable for managing the information security department and executing the information security program. The information security department is responsible for cybersecurity risk assessments, alert monitoring, incident response, vulnerability assessment, threat intelligence, identity access governance, and third-party information security risk management. The department consists of information security professionals with varying levels of education, experience and certifications. Our information security department is further supported by our first line of defense, the Information Technology department, and by a third-party managed security service provider. The information technology department is responsible for patch and vulnerability management, identity and access management, endpoint and network security, the IT asset management program, and backup and recovery operations.

The Risk, Compliance and Planning Committee of our Board of Directors provides oversight of the information security program, including cybersecurity, and is chaired by an independent director. Cybersecurity metrics are reported to the committee quarterly. Additionally, management has established an Information Technology Executive Steering Committee focused on technology impact, and an Enterprise Risk Management Committee focused on business and risk impact, both consisting of executives and department leaders across multiple domains. These committees generally meet quarterly and more frequently when warranted. The information security department holds a monthly security meeting with the managers from the information technology department to discuss significant security incidents and the status of the threat landscape. The Information Security Officer reports significant cybersecurity or privacy incidents and the state of the information security program to the Risk, Compliance and Planning Committee of the board on a quarterly basis. The Risk, Compliance and Planning Committee of the Board of Directors provides a report of its activities to the full board at each quarterly board meeting.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The Incident Response Team is composed of representatives from various departments including Information Security, Information Technology, Risk Management, Legal, Operations, Marketing and Accounting.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The department consists of information security professionals with varying levels of education, experience and certifications. Our information security department is further supported by our first line of defense, the Information Technology department, and by a third-party managed security service provider.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Our Information Security Officer manages the IRP and coordinates with senior level management and multiple areas of the company in execution of the plan.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true