Pub. 16 2021-2022 Issue 5

JANUARY/FEBRUARY 2022 Financial Literacy: Nebraska’s in-school savings banks


EDITORIAL: Nebraska Banker seeks to provide news and information relevant to Nebraska and other news and information of direct interest to members of the Nebraska Bankers Association. Statements of fact and opinion are made on the responsibility of the authors alone and do not represent the opinion or endorsement of the NBA. Articles may be reproduced with written permission only.

ADVERTISEMENTS: The publication of advertisements does not necessarily represent endorsement of those products or services by the NBA. The editor reserves the right to refuse any advertisement.

SUBSCRIPTION: Subscription to the magazine, which began bimonthly publication in May 2006, is included in membership fees to the NBA.

©2022 NBA | The newsLINK Group, LLC. All rights reserved. Nebraska Banker is published six times each year by The newsLINK Group, LLC for the NBA and is the official publication for this association. The information contained in this publication is intended to provide general information for review, consideration and education. The contents do not constitute legal advice and should not be relied on as such. If you need legal advice or assistance, it is strongly recommended that you contact an attorney as to your circumstances. The statements and opinions expressed in this publication are those of the individual authors and do not necessarily represent the views of the NBA, its board of directors, or the publisher. Likewise, the appearance of advertisements within this publication does not constitute an endorsement or recommendation of any product or service advertised. Nebraska Banker is a collective work, and as such, some articles are submitted by authors who are independent of the NBA. While Nebraska Banker encourages a first-print policy, in cases where this is not possible, every effort has been made to comply with any known reprint guidelines or restrictions. Content may not be reproduced or reprinted without prior written permission. For further information, please contact the publisher at 855.747.4003.

CONTENTS

PRESIDENT’S MESSAGE: FINANCIAL LITERACY: NEBRASKA’S IN-SCHOOL SAVINGS BANKS
Since arriving at the NBA in 2014, I have worked closely with the NBA Board of Directors and member banks to encourage and promote financial literacy.
Richard Baier, President and CEO, Nebraska Bankers Association

WASHINGTON UPDATE: CRYPTOCURRENCIES: UNLOCKING BANKING’S “NEW FRONTIER”
In case you haven’t noticed, cryptocurrencies are an increasingly hot topic of conversation in this country.
Rob Nichols, President and CEO, American Bankers Association

COUNSELOR'S CORNER: EMPLOYEE DATA THEFT IN THE AGE OF FDIC COMPLIANT INVESTIGATIONS
Employee theft of customer data is always a concern and has become even more so as information can be condensed to digital assets, which are easily moved, copied, or downloaded.
Robert Kardell, Baird Holm

TECH TALK: RANSOMWARE GUIDES AND HOW TO USE THEM
Ransomware cyberattacks are one of the fastest-growing attack methods globally, causing many organizations to ask themselves a critical question. Have we done enough to secure our institution against a ransomware attack?
Lynda Hartup, Senior Information Security Consultant, SBS CyberSecurity, LLC

COMPLIANCE ALLIANCE: FINCEN SEEKS COMMENTS ON CHANGES TO BENEFICIAL OWNERSHIP REPORTING
In early December, the U.S. Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking implementing Section 6403 of the Corporate Transparency Act (CTA), which allowed the public until Feb. 7, 2022, to review and comment on the proposed rules.
Roger Morris, Jr., JD, Hotline Advisor and Associate General Counsel

THE FED’S BALANCING ACT FOR 2022
On the first trading day of 2022, the U.S. 10-year Treasury Note yield jumped above 1.60%, then traded up another 10bps in the two subsequent sessions.
Jeffrey F. Caughron, The Baker Group

EDUCATION CALENDAR

OVERDRAFT OVERHAUL
Overdraft services are a standard banking product. Life happens, and thankfully, most banks offer an overdraft product to come to the rescue when you are on vacation and forgot to do a savings transfer, or transpose numbers when balancing your checkbook.
Katie Harrison, J.D., CRCM Director


233 South 13th Street, Suite 700, Lincoln, NE 68508
Phone: (402) 474-1555 • Fax: (402) 474-2946
nebankers.org

NBA EDITORIAL STAFF
RICHARD BAIER, NBA President and CEO, richard.baier@nebankers.org
KARA HEIDEMAN, Director of Communications and Marketing, kara.heideman@nebankers.org

NBA BOARD OF DIRECTORS
KIRK RILEY, NBA Chairman, (308) 784-2515, Waypoint Bank, Cozad
STEPHEN STULL, NBA Chairman-Elect, (402) 792-2500, Farmers State Bank, Dodge
KATHRYN BARKER, (402) 333-9100, Core Bank, Omaha
NICHOLAS BAXTER, (402) 341-0500, First National Bank of Omaha, Omaha
CORY BERGT, (402) 434-4321, Wells Fargo Bank, N.A., Lincoln
JOHN BOTHOF, (402) 334-0300, Northwest Bank, Omaha
JOHN DAUBERT, (402) 323-8008, Security First Bank, Lincoln
DANIEL FULLNER, (402) 454-1000, Madison County Bank, Madison
KARL GRAMANN, (402) 988-2255, Adams State Bank, Adams
KIM HAMMES, (402) 918-2332, Bank of the West, Omaha
REX HASKELL, (402) 687-2640, First Northeast Bank of Nebraska, Lyons
CURTIS HEAPY, (308) 367-4155, Western Nebraska Bank, Curtis
KRISTA HEISS, (308) 534-2877, NebraskaLand Bank, North Platte
ZACHARY HOLOCH, (402) 363-7411, Cornerstone Bank, York
DONALD JIVIDEN, (402) 759-8113, Heartland Bank, Geneva
ZAC KARPF, (308) 632-7004, Platte Valley Bank, Scottsbluff
JOHN KOTOUC, (402) 399-5088, American National Bank, Omaha
STEVE KUNZMAN, (308) 382-4000, Home Federal Bank, Grand Island
KAYE MONIE, (308) 368-5555, Hershey State Bank, Hershey
RYNE SEAMAN, (402) 643-3636, Cattle Bank & Trust, Seward
JOSEPH SULLIVAN III, (402) 348-6000, U.S. Bank, N.A., Omaha
TRAVIS SEARS, (402) 323-1828, Union Bank & Trust Co., Lincoln
SCOTT ZIMBELMAN, (308) 784-2000, Homestead Bank, Cozad
CHRIS HOVE, NBA Past Chairman, (402) 423-2111, Nebraska Bank of Commerce, Lincoln


PRESIDENT’S MESSAGE

Financial Literacy: Nebraska’s in-school savings banks
Richard J. Baier, President and CEO, Nebraska Bankers Association

Since arriving at the NBA in 2014, I have worked closely with the NBA Board of Directors and member banks to encourage and promote financial literacy. One fun, proven financial education strategy embraced by a growing number of NBA members is the creation and operation of in-school savings banks.

Nebraska’s first in-school savings bank opened in 2002 at the Conestoga Magnet School in Omaha. Today, 19 NBA member banks operate 34 in-school bank branches. At the beginning of this year, Nebraska banks and credit unions operated 36 in-school savings banks. The NBA’s internal goal is for members to commit to 22 new in-school bank branches in 2022.

In-school savings banks are deposit-only bank branches located inside elementary schools. They offer a fun, real-world experience and help students establish and reinforce a savings habit. Banks, local schools, the Nebraska Council on Economic Education and the Nebraska Department of Banking and Finance are partners in creating the in-school savings banks.

The branch is open one day a week to accept student deposits. Student tellers, trained by the partnering financial institution, staff the branch alongside a representative from the bank. In lieu of earning interest on their deposits, students receive incentive prizes. Free shirts, pencils and other promotional materials branded with the school bank and school logo, for instance, are greatly coveted. The school has a non-interest-bearing custodial account with the partner financial institution to serve as the main account for all student deposits. Students receive their savings balance, in the form of a check, when they move or graduate from the school.

The in-school bank branches not only educate students and increase their savings rates but also build positive relationships with their local bank. They also help to increase parental understanding and involvement in the financial system. The in-school branches have proven especially invaluable in higher-poverty schools.

As a result of the COVID-19 pandemic, the importance of financial education has become increasingly clear. Currently, more than one-half of Americans cannot afford a $400 emergency expense. Similarly, one-third of Americans report having little to no savings for retirement. In addition, a growing student loan debt crisis is financially suffocating the next generation, resulting in less purchasing, investment and savings power for Millennials and Generation Z.

Research conducted by Jennifer Davidson, president of the Nebraska Council on Economic Education and an assistant professor at the University of Nebraska-Lincoln, found that students who participate in an in-school savings bank are much more likely to be banked as adults. In addition, student participants are also much more likely to be employed after high school. These students also make smarter choices about debt and student loans.

Davidson’s research also found that financial institution partners’ primary motivation for participation was to provide an opportunity for students to improve their financial literacy and support the community they serve. The research also indicated that financial institution partners believed the program is well worth the cost.

An informal survey of NBA members who sponsor in-school savings banks also found high levels of satisfaction with the program. One NBA member described their in-school branches as one of the bank’s most cost-effective marketing, promotion, workforce recruitment and community reinvestment activities!

If you are interested in learning more about how your bank may benefit from an in-school savings bank, reach out to Kara Heideman (kara.heideman@nebankers.org) at the NBA or Dr. Jennifer Davidson at the Nebraska Council on Economic Education (jdavidson2@unl.edu).



WASHINGTON UPDATE

Cryptocurrencies: Unlocking Banking’s “New Frontier”
Rob Nichols, President and CEO, American Bankers Association

In case you haven’t noticed, cryptocurrencies are an increasingly hot topic of conversation in this country. According to a Pew Research Center survey fielded in November, 86% of Americans said they have heard about cryptocurrencies, and 16% said they have invested in, traded or used them. Cryptocurrency use is growing particularly rapidly among younger Americans, with 31% between 18 and 29 telling Pew they have participated in crypto transactions.

More often than not, these trades are happening through financial intermediaries — and consumers are increasingly turning to banks to hold these digital assets. In fact, I’ve heard from a growing number of bank leaders that their customers want to buy, hold and use crypto — and they want to do it through their banks.

Banks have already begun making inroads into the crypto services business — offering a responsible pathway for consumers to adopt these novel financial products. For example, Vast Bank, a community institution based in Oklahoma, recently launched a crypto custody account that bank customers can manage in their app alongside their FDIC-insured dollar account. Or Quontic Bank, which offers a checking product that provides rewards in bitcoin, offering consumers an opportunity to wade into the crypto space without buying it themselves. Large custody banks — such as the Bank of New York Mellon and Northern Trust — are also developing custody services for crypto.

Bank customers know they can rely on their banks to steward their finances and keep their financial data safe. A recent Morning Consult poll highlighted that banks are the most trusted among all financial services providers. Given that, it’s no surprise that consumers want to receive cryptocurrency services from their bank. But don’t just take my word for it: a survey from NYDIG, a bitcoin services firm, confirmed that a whopping 81% of bitcoin holders would shift their bitcoin to a bank if it offered secure bitcoin storage.

Undoubtedly, this “new frontier” of cryptocurrency represents a huge opportunity for banks. But for banks to successfully navigate this new frontier, the bank regulatory architecture needs to catch up – quickly. More clarity is needed from the banking agencies about how banks can offer these services in a safe and sound manner. Without this clarity, the unlevel playing field between banks and the rapidly growing cadre of firms seeking to operate as banks while evading the full scope of bank regulations will continue.

There have been some positive developments, with the OCC issuing an interpretive letter clarifying its approach for approving crypto-related activities for national banks. Additionally, a report by the President’s Working Group on Financial Markets highlighted the risks of stablecoins, recommending they be issued by insured depository institutions subject to consolidated supervision. Any providers of custodial wallets should also be subject to appropriate federal oversight.

For our part, ABA is taking a deep dive into what we can do to support banks’ participation in crypto and other digital assets through both our advocacy and technology partnerships. Additionally, in December, we invested in NYDIG, a leading provider of bitcoin services for banks. This investment will support banks’ ability to meet customer demand in this rapidly evolving market so that as we unlock this “new frontier” of cryptocurrencies and digital assets, consumers can continue to place their trust in America’s banks to meet their financial needs.

We understand that expanding into cryptocurrency products and solutions won’t be for every bank, and that’s okay. We firmly stand with banks in their right to decide what products they will offer according to their own judgment and market strategy. However, even with mixed opinions on the value of cryptocurrency as an asset class or as a basis for a product set, ABA strongly believes banks should have access to the tools, partners and regulatory frameworks that allow them to meet their customers’ needs.

Email Rob Nichols at rnichols@aba.com.

COUNSELOR’S CORNER

Employee Data Theft in the Age of FDIC Compliant Investigations

Robert Kardell, Baird Holm, LLP

Employee theft of customer data is always a concern and has become even more so as information can be condensed to digital assets, which are easily moved, copied, or downloaded. The issue can be especially troublesome for banks because of confidential customer data. The information is often easily identifiable to the customer and can include common data such as addresses, email addresses, and telephone numbers, but also often includes sensitive information such as social security numbers, bank account information, dates of birth, and credit card information.

Banks often provide commissions to loan officers to compensate for the closings of mortgage, business, or agricultural loans. Because of the compensation structure, commissioned sales officers may believe the customers and their sensitive information belong to them rather than the bank for which they work. Sales officers may even attempt to take customer information with them when they leave one bank and seek employment elsewhere. Taking such information may lead to violations of noncompete or non-disclosure agreements. But the taking of such sensitive information may also cause violations of the Gramm-Leach-Bliley Act and even state data breach notification statutes that protect such personal information and may require customer notification.1

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (“GLBA”) protects information that a customer gives to a bank, or an employee of a bank, to obtain a product or service. The act defines sensitive information as follows:

Nonpublic personal information: “Nonpublic personal information” generally is any information that is not publicly available and that:
• A consumer provides to a financial institution to obtain a financial product or service from the institution;
• Results from a transaction between the consumer and the institution involving a financial product or service; or
• A financial institution otherwise obtains about a consumer in connection with providing a financial product or service.2

However, this language is very broad and could apply to almost any information provided by a customer to a bank for a product or service. The regulations, thankfully, are more specific:

[S]ensitive customer information means a customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name or password or password and account number.3

In combination with account numbers, social security numbers, a driver’s license number, and other information commonly collected by banks, the demographic information is “sensitive customer information” under GLBA. This sensitive information is not uncommon on internal sales or customer lists.

Once that information is in possession of the bank, the bank has an affirmative obligation to:
1. Ensure the security and confidentiality of customer information;
2. Protect against any anticipated threats or hazards to the security or integrity of such information;
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and
4. Ensure the proper disposal of customer information and consumer information.4

And when the security or confidentiality of customer information is not protected:

When an incident of unauthorized access to sensitive customer information involves customer information systems maintained by an institution’s service provider, it is the Financial Institution’s responsibility to notify its customers and regulator.5

And the regulations state:

Where an incident of unauthorized access to customer information involves customer information systems maintained by an institution’s service providers, it is the financial institution’s responsibility to notify the institution’s customers and regulator.6

When an incident of unauthorized access to customer information is discovered — such as when an employee may download, save, print, email, or otherwise copy customer data to take with them to a new financial institution or to start a new business — the bank may have a duty to report this data breach to its regulator, law enforcement, and its customers. While no bank wishes to notify its customers of a breach, there may be options, such as using the threat of providing notification to regulators or law enforcement to elicit the former employee’s cooperation in an investigation to determine the risk of harm. The regulations require an investigation to occur:

When a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused.7

The question then becomes, “What is a ‘reasonable investigation’ for the bank to determine the likelihood of harm?”

Reasonable Investigation

First, the bank must have a “Response Program” “appropriate to the size and complexity of the institution and the nature and scope of its activities, designed to address incidents of unauthorized access to customer information.”8 At a minimum, a response program should include:
1. Assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused;
2. Notifying its primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined later in the final guidance;
3. Immediately notifying law enforcement in situations involving federal criminal violations requiring immediate attention;
4. Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, such as by monitoring, freezing, or closing affected accounts while preserving records and other evidence; and
5. Notifying customers when warranted.9

The provisions concerning the response program appear to leave little room for ambivalence as to whether notification needs to be made to federal regulators or law enforcement but do allow a measure of judgment when deciding whether to notify customers “when warranted.” Reading the comments in the Federal Register can provide some further guidance regarding the notification standard for federal regulators or law enforcement. Notification to federal regulators should occur when the institution initiates its investigation10 involving unauthorized access or use.

But is the “unauthorized access or use” defined by law or an employment contract? “Unauthorized access or use” is discussed extensively under the customer notice requirements. The guidance states:

Under the Security Guidelines, the proposed Guidance explained that an institution must protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer. Substantial harm or inconvenience is most likely to result from improper access to sensitive customer information. This type of information is most likely to be misused, as in the commission of identity theft.11

The guidance then suggests that the definition of “unauthorized access or use” is related to the commission of crimes such as identity theft. Unauthorized access or use then is not defined by the employment contract. Furthermore, a properly conducted, well-planned investigation may allow the bank to determine whether there was an intent for an illegal purpose or if taking the data is a contractual issue that does not warrant notification to the federal regulators, law enforcement, or customers.

Conducting the Investigation

Conducting a well-planned investigation while leveraging the notification requirements under GLBA or state statutes to regulators, law enforcement, or customers may yield the answers as to the purpose for “unauthorized access or use.” Leveraging the threat of notification can be used to force cooperation from an ex-employee and cooperation from their new employer to investigate the incident fully. Suggested steps for the investigation with full cooperation from the ex-employee and the new employer may look something like this:

Former employee:
• Interview the former employee to determine where the data was downloaded, emailed, saved, printed, etc., to determine what possible accesses others may have had to the data or whether there is a threat to the data.
• If the ex-employee admits to downloading the data:
  ❒ Ask the employee for access to the devices;
  ❒ Hire a computer forensics expert to review any devices of the former employee on which the data had resided to determine the security of the data; and
  ❒ Hire a computer forensics expert to ensure the data is securely wiped from the devices on which the information had been located.
• Ask the former employee to sign an affidavit attesting to the fact that the information was downloaded, the locations of the download, anyone who had access to the download location (e.g., if downloaded to a phone, who else has access to the phone), and that all other copies of the data have been destroyed.

New Employer:
• Consider interviewing representatives of the new employer to determine whether the data was transferred to or saved on the new employer’s network.
• If the data is not on the network, consider asking for an affidavit or a letter from the organization stating so.
• If the new employer has the data on their network:
  ❒ Consider asking for a computer forensics expert to wipe the data; or
  ❒ Consider asking for an affidavit that the data has been securely wiped from the network device.

The above steps, if well documented, may allow a bank to reasonably conclude that the information has been secured and was not accessed or used for any illegal purpose, such as for opening credit cards or obtaining a new line of credit, and to meet the requirements of an investigation under the FDIC guidance.

Conclusion

Financial institutions are in a unique position to possess sensitive and personal information of customers. That information must be protected from hackers and employees seeking to email, download, copy, or otherwise remove the information from the bank’s possession. The regulations and notification requirements allow a bank to investigate whether the access and use will require notification. The threat of notification of regulators and law enforcement may provide leverage for the cooperation and interview of former employees. The interviews, the investigation, and the resulting affidavits and reports may provide the evidence necessary for a bank to conclude that the actions of the employee, while a violation of an employee agreement, are not grounds for the data breach notification required under GLBA.

For more information, please contact Robert (Bob) Kardell, at 402.636.8313, bkardell@bairdholm.com, or visit bairdholm.com.

1 Although state data breach notification laws may apply, this article will limit the discussion to the applicability of GLBA, the definition of sensitive data under GLBA, and the investigation standards under GLBA. This article will also not address the notification requirements under GLBA or applicable state statute.
2 15 USC § 6809(4)
3 2 CFR Appendix B to Part 364
4 12 CFR Appendix B to Part 364 - Interagency Guidelines Establishing Information Security Standards
5 Financial Institution Letter, FIL-27-2005, April 1, 2005, https://www.fdic.gov/news/financial-institution-letters/2005/fil2705.html
6 Supplement A to Appendix B to Part 364 Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
7 Supplement A to Appendix B to Part 364 Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
8 Federal Register, Vol. 70, No. 59, Tuesday, March 29, 2005, Rules and Regulations, page 15739.
9 Federal Register, Vol. 70, No. 59, Tuesday, March 29, 2005, Rules and Regulations, page 15741.
10 Federal Register, Vol. 70, No. 59, Tuesday, March 29, 2005, Rules and Regulations, page 15741.
11 Federal Register, Vol. 70, No. 59, Tuesday, March 29, 2005, Rules and Regulations, page 15744 (emphasis added).

TECH TALK

Ransomware Guides and How to Use Them

Lynda Hartup, Senior Information Security Consultant, SBS CyberSecurity, LLC

Ransomware cyberattacks are one of the fastest-growing attack methods globally, causing many organizations to ask themselves a critical question: Have we done enough to secure our institution against a ransomware attack? Ransomware readiness is crucial in today’s cyber climate, but evaluating the processes and controls you have in place to prevent, recover from, and mitigate the effects of a ransomware attack can seem like a daunting task. Pair that with the abundance of ransomware readiness guidance available, and formulating a plan to assess your institution can make most of us want to turn around and go home.

If you want to assess your institution’s ransomware readiness and aren’t sure where to start, or maybe you’ve reviewed some of these sources already and are confused about which one to put your time into, don’t panic! We will review several references to help get you started.

In October 2020, the Conference of State Bank Supervisors released their Ransomware Self-Assessment Tool (R-SAT). The R-SAT was developed to help financial institutions assess their risk for ransomware and identify any gaps in their ransomware protection program. It was also designed to give executive management and the board of directors an overview of an institution’s preparedness in the event of a ransomware attack.

Then, in December 2020, SBS CyberSecurity released Top Six Controls to Mitigate a Ransomware Attack. This resource lists specific controls that can be put in place to protect your institution’s network and data from a ransomware attack.

Fast forward to the following year: in August 2021, the Cybersecurity and Infrastructure Security Agency (CISA) released a fact sheet titled “Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches.” This fact sheet provides information on preventing and responding to ransomware-caused data breaches.

Let’s dig into each of these resources to see how using them together can help you build a strong ransomware protection program.

Who is the audience for each guide?

Right off the bat, the R-SAT lets you know its audience. From executives to directors, the R-SAT promotes valuable insight into an institution’s preparedness. For example, it can be used by an information security officer (ISO) to:
• Assess readiness
• Report on programs
• Identify gaps

Though the R-SAT can be used as a guide for mitigating gaps within protection programs, it’s also important to look elsewhere for additional guidance on best practices.

The CISA fact sheet provides information on preventing and responding to ransomware-caused data breaches. It is not an assessment or reporting tool but a general guide for building baseline best practices. ISOs and IT Managers, or anyone responsible for implementing and developing policies, would benefit from reviewing this.

The SBS CyberSecurity document is another fundamental guidebook, as it proves to be the most technical and granular of the three tools. It lists specific controls you can implement, along with an Incident Response Playbook on how to handle ransomware if you are attacked. Your in-house or outsourced network administrator would be responsible for implementing the controls in this guide.

What is in each guide?

The R-SAT addresses areas of ransomware risk utilizing the functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework: identify, protect, detect, respond, and recover. To assist in the reporting and reviewing process, it has a series of mostly yes or no questions and checklists for various controls.

The CISA fact sheet is a high-level guide for preventing, detecting, and responding to ransomware attacks. It lists general controls for prevention and detection, best practices for responding, and many links for more detailed guidance.

The SBS CyberSecurity guidance lists specific, granular controls. Rather than providing an overview of the types of controls that should be in place, it gives you detailed items to improve the security of your program and implement your policies.

That’s all great, but which one do I use?

All of them! To assess and report on your ransomware readiness, start with the R-SAT. It will help you determine:
• Which controls your institution has implemented;
• What policies and procedures you have in place; and
• Any gaps that should be addressed.

Once you have identified the gaps, working through the CISA fact sheet is the next step. As the fact sheet only lists general controls and best practices, while skipping over more detailed controls, it is a great guide to assist in developing policies for your program. It also has many links to more in-depth information for building a robust prevention program, which leads us to step three.

After that, take a look at the SBS CyberSecurity guide, which lists specific practices and controls you can implement. These are not general guidelines but real-world practices to help secure your network and protect your institution. This guide will help you implement the policies you developed from the CISA fact sheet.

Building a solid prevention program requires more insight than any one piece of guidance can give us individually. When used in conjunction, however, the three guides discussed can help you build a robust Ransomware Prevention Program. Utilize the three as a step-by-step process:
• R-SAT — used to assess the program and identify gaps
• CISA fact sheet — assists in building policies and procedures with additional technical guidance provided by embedded links
• SBS CyberSecurity guide — provides specific, real-world controls to implement, as well as an Incident Response Playbook

Go forth and protect, my friends! It’s dangerous to go alone, so take this guide to help you along your way.

SBS delivers unique, turnkey cybersecurity solutions tailored to each client’s needs, including risk management, consulting, auditing, network security, and education. Learn more at sbscyber.com.
