UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

WASHINGTON, DC 20549

FORM 8-K

CURRENT REPORT

PURSUANT TO SECTION 13 OR 15(d)

OF THE SECURITIES EXCHANGE ACT OF 1934

December 21, 2023

(Date of Report: Date of earliest event reported)

Middlefield Banc Corp.

(Exact name of registrant as specified in its charter)

Ohio

(State or other jurisdiction of incorporation)

001-36613

(Commission File Number)

34-1585111

(I.R.S. Employer Identification Number)

15985 East High Street

Middlefield, Ohio 44062

(Address of principal executive offices, including zip code)

(440) 632-1666

(Registrant’s telephone number, including area code)

(not applicable)

(Former name or former address, if changed since last report)

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (17 CFR §230.405) or Rule 12b-2 of the Securities Exchange Act of 1934 (17 CFR §240.12b-2).

Emerging growth company  ☐

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act.   ☐

Securities registered pursuant to Section 12(b) of the Act:

As previously disclosed on April 21, 2023, Middlefield Banc Corp. (the “Company”) learned of a cyber-attack that resulted in a disruption to the computer systems of The Middlefield Banking Company (the “Bank”), the Company’s banking subsidiary. The Bank took immediate action to remediate the security vulnerability and retained a cybersecurity firm to investigate the nature and scope of the incident, evaluate our systems, identify solutions, and confirm what data had been impacted by this event, if any. The Bank also notified law enforcement.

Our forensic review has determined that nonpublic information relating to current and former employees, customers and others was obtained from our systems during this incident. While the information varies by individual, some of the types of information that may have been obtained include name, Social Security number, driver’s license information, date of birth, financial account information, medical information, passport number, payment card information, and username and password. We have begun notifying all potentially impacted individuals in accordance with applicable law. The Bank is also notifying regulatory authorities in accordance with applicable law. We will offer complimentary identity protection services to all potentially impacted individuals.

The Company does not believe the incident will have a material adverse effect on its business, operations, or financial results. The Company remains subject to risks and uncertainties due to the incident, including potential litigation, changes in customer behavior, and additional regulatory scrutiny.

Forward-Looking Information

This Form 8-K contains certain statements that may be considered forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, including the Company’s current expectations concerning the resolution of this cyber-attack and its impact on the Company’s business, operations or financial results. Such forward-looking statements include, but are not limited to, statements as to future results of operations and financial projections, express or implied statements relating to the Company’s expectations regarding its ability to contain and assess the cyber-attack and the impact of the cyber-attack on the Company’s business, operations and financial condition. Factors that could cause actual results to differ materially from those expressed or implied include the following: the ongoing assessment of the cyber-attack; legal, reputational and financial risks resulting from the cyber-attack or additional cyber-attacks; and the other factors set forth in the Company’s Annual Report on Form 10-K for the year ended December 31, 2022, and other public filings with the Securities and Exchange Commission. Forward-looking statements are based on currently available information and our current beliefs, expectations and understanding, which may change as our investigation and remediation efforts progress. Except as required by the federal securities laws, the Company undertakes no obligation to publicly update or revise any forward-looking statement, whether as a result of new information, future events or otherwise. Forward-looking statements speak only as of the date they are made, and we do not undertake to update these statements other than as required by law and specifically disclaim any duty to do so.

SIGNATURES

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.