Data privacy and protection are a strategic priority at Sandy Spring Bank, and we have established strong governance measures to protect the privacy and security of customer information and help ensure compliance with all privacy and cybersecurity laws and regulation. As a regulated financial institution, we are subject to numerous laws and regulations regarding data privacy and cybersecurity.
We have put in place extensive corporate policies and operating procedures that govern how we collect, use, retain and protect data. We employ a layered approach to cybersecurity that utilizes multiple levels of preventative and detective tools, rigorous systems testing, software patch management, dedicated information security staff led by our Chief Information Security Officer, and a security awareness program for all employees.
Our Information Security team tracks key performance and risk indicators, which it reports quarterly to our board’s Risk Committee. We obtain independent audits of our information security program, engage third-party companies annually to conduct internal and external penetration testing, and conduct internal security risk assessments.
All employees are engaged in protecting and securing data. Employees receive annual training on cybersecurity risks, and we routinely conduct exercises to raise data security awareness. During 2021, with many employees continuing to work from home and many clients using email to communicate with us, we maintained greater emphasis on raising awareness of phishing scams.