CITY HOLDING CO 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

CITY HOLDING CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 14:02:27 EST.

Filings

10-K filed on 2024-02-28

CITY HOLDING CO filed a 10-K at 2024-02-28 14:02:27 EST
Accession Number: 0000726854-24-000040


Item 1C. Cybersecurity.

General Risk Factors

The Company Relies Heavily on Its Management Team, and the Unexpected Loss of Key Management May Adversely Affect Its Operations.

The Company’s success to date has been strongly influenced by its ability to attract and to retain senior management personnel experienced in banking in the markets it serves. Competition for key personnel is intense. The Company’s ability to retain executive officers and the current management teams will continue to be important to the successful implementation of its strategies. The Company has employment agreements with these key employees in the event of a change of control, as well as confidentiality, non-solicitation and non-competition agreements related to its stock options. The unexpected loss of services of any key management personnel, or the inability to recruit and retain qualified personnel in the future, could have an adverse effect on the Company’s business and financial results.

Severe Weather, Natural Disasters, Acts of War or Terrorism, and Other External Events Could Significantly Impact the Company’s Business.

Severe weather, natural disasters, health emergencies (including COVID-19), acts of war or terrorism, and other adverse external events, especially those that directly affect the Company’s market areas, could have a significant impact on the Company’s ability to conduct business. These events could adversely affect the ability of borrowers to repay outstanding loans, decrease the value of collateral securing loans, cause significant property and infrastructure damage, and affect the stability of the Company’s deposit base. The Company may experience decreased revenue, increased charge-offs, and other expenses.

Climate Change Could Materially Impact the Company’s Underlying Customers or the General Economic Conditions, Resulting in Impacts on the Company.

The Company’s business, as well as the operations and activities of its customers, could be negatively impacted by climate change. Climate change presents both immediate and long-term risks to the Company and its customers, and these risks are expected to increase over time. Climate change presents multi-faceted risks, including: operational risk from the physical effects of climate events on the Company’s and its customers’ facilities and other assets; credit risk from borrowers with significant exposure to climate risk; transition risks associated with the transition to a less carbon-dependent economy; and reputational risk from stakeholder concerns about the Company’s practices related to climate change, the Company’s carbon footprint, and the Company’s business relationships with clients who operate in carbon-intensive industries. The Company’s success depends on its relationships with customers and general economic conditions. Because the Company’s customer base is geographically concentrated in West Virginia, Kentucky, Virginia, and southeastern Ohio, if the customers in those geographies are physically impacted by climate change, the Company may be financially impacted as well. In addition, an economic transition to mitigate climate change on a broader scale could have a negative or destabilizing impact on the general economic conditions of the country, which could also have a negative impact on the financial outcomes of the Company.

Item 1B. Unresolved Staff Comments

None.

Item 1C. Cybersecurity

Risk Management and Strategy

The Company’s information security program encompasses the security policies and procedures in place throughout the enterprise network to address compliance, transaction, reputation, and strategic risks. Our Information Security Officer is primarily responsible for managing the information security program, which includes identifying, assessing, and mitigating cyber threats. Our Information Security Officer reports directly to the Chief Information Officer. Our objective for managing cybersecurity as part of the information security program is to ensure adequate procedures and proper controls are in place in order to provide an objective system for recording and aggregating information, supporting the institution’s strategic goals and objectives, and protecting the security and confidentiality of the institution’s customers and business activities. Our information security program leverages guidance from the National Institute of Standards and Technology (NIST) Cybersecurity Framework, regulatory guidance, and other industry standards. The information security program is periodically reviewed by the board of directors and updated by the Information Security Officer to adapt to potential new threats and conditions.

The Company employs a combination of patch management, network security, malicious code prevention, and user awareness and training to assist with preventing cybersecurity incidents. Users are made aware of policies and procedures regarding appropriate use of networks, systems, and applications. Additionally, employees are trained in handling sensitive data and made aware of specific requirements when handling client data. Periodic review and assessment of network infrastructure is completed. The Company, in certain instances, may rely on vendors, third-party support, or other outsourcing opportunities. Before introducing a new product or service, the internal controls and competence of a vendor, maintenance and upkeep of a third-party provider’s systems, and financial condition of the third-party vendor are evaluated.

Internal and external auditors and independent external partners are engaged and periodically review the Company’s processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and make recommendations to strengthen our risk management program. We maintain an Incident Response Policy that provides a documented framework for bringing together and organizing the resources for dealing with any event that harms or threatens the security of information. The goal of the Incident Response Policy is to facilitate a quick and efficient response to incidents, and to limit their impact while protecting information assets. The plan defines roles and responsibilities, documents the steps necessary for effectively and efficiently managing an information security incident, and defines channels of communication. The Information Security Officer and Chief Information Officer coordinate investigations of potential cybersecurity incidents. Our internal processes and controls are designed to contain, mitigate, or resolve cybersecurity incidents. As of the report date, risks from cybersecurity threats have not materially affected our company. For further discussion of risks from cybersecurity threats, see the section captioned "System Failure, Cybersecurity Breaches, Fraud and Employee Misconduct Could Subject the Company to Increased Operating Costs, as Well as Litigation and Other Potential Losses" in Item 1A. Risk Factors.

Governance

As mentioned, the Company’s Information Security Officer is primarily responsible for managing and updating the information security program. The responsibilities for managing the information security program include cybersecurity risk assessment, assessing the types and appropriateness of implemented controls and coordinating related control testing, coordinating user training with each department and its appropriateness, data storage and maintenance, incident response, and third-party risk management. Specifically, the information technology department, as a whole, consists of information security professionals with varying degrees of education and experience, with senior management in the department having higher professional education and experience. Individuals within the department are generally subject to professional education and certification requirements. In particular, the Company’s Information Security Officer and Chief Information Officer have relevant expertise and formal training in the areas of information security and cybersecurity risk management.

Our board of directors has approved and delegated initial cybersecurity threat responses to the Incident Response Team. The Information Security Officer and Chief Information Officer are assigned as the Incident Response Team leaders and report summaries of key issues, including significant cybersecurity and/or privacy incidents, to the Incident Response Team, which includes the Chief Executive Officer. If appropriate, the Chief Executive Officer will communicate the actions taken to our board of directors. Further, given the ultimate oversight of the Company’s information security programs, the Chief Legal Counsel will communicate any regulatory compliance matters related to information systems, including cybersecurity, to the board of directors.


Company Information

Name: CITY HOLDING CO
CIK: 0000726854
SIC Description: National Commercial Banks
Ticker: CHCO - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30