SUMMIT FINANCIAL GROUP, INC. 10-K Cybersecurity GRC - 2024-03-12

Page last updated on April 11, 2024

SUMMIT FINANCIAL GROUP, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 15:05:14 EDT.

Filings

10-K filed on 2024-03-12

SUMMIT FINANCIAL GROUP, INC. filed an 10-K at 2024-03-12 15:05:14 EDT
Accession Number: 0001437749-24-007430

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We maintain an Information Systems Security Program to safeguard all Summit and Summit Community s information assets against unauthorized use, disclosure, modification, damage, or loss. This is achieved through a collaborative effort involving Operations, Technology, Compliance, Risk, and Senior Management. The Program is designed to: Uphold the security and confidentiality of customer and bank records as mandated by law. Proactively guard against potential threats or hazards to the integrity of these records. Prevent unauthorized access or use of records or information that could significantly harm our Company, Customers, and Employees. Develop and maintain guidelines for Information Technology compliance with external and regulatory demands. Implement and regularly test effective Business Continuity and Disaster Recovery strategies. The Company’s Chief Operating Officer (COO) is designated as the program coordinator responsible for coordinating and overseeing the program. Risk and Compliance Protocols Annually, our Compliance Department conducts risk assessments to determine the effectiveness of controls outlined in the Information Systems Security Program. This is in alignment with the requirements of the Gramm-Leach Bliley Act ( GLBA ) and the Federal Financial Institutions Examination Council ( FFIEC ) guidance on securing customer information. Key focus areas include: Evaluating technology systems used for the collection, processing, and storage of information. Assessing both internal and external cybersecurity threats and vulnerabilities. Ensuring that penetration and controls testing are conducted regularly. Gauging the potential impact of compromised information or systems. Assessing the effectiveness of governance structures in managing information security risks. Monthly internal and external penetration testing is conducted and reviewed either by independent third parties or qualified employees not involved in developing or maintaining the security program. An audit is performed annually by qualified internal auditors or contracted independent parties and is overseen by the Company s Audit & Compliance Committee of the Board of Directors (“Audit Committee”). Management promptly reviews test results to initiate necessary remediation, which are then reviewed by the Audit Committee, third-party auditors, and examiners. In addition to assessing our own cybersecurity preparedness, we also identify, evaluate and manage cybersecurity risks associated with use of third-party vendors and service providers. Cybersecurity Incident Response The Company has established a Cybersecurity Incident Response Testing Plan (“CSIRTP”), integrated into the Business Continuity Plan. This plan outlines a systematic approach to managing information security incidents, supplemented by specific playbooks for various attack types. The CSIRTP requires approval by the Information Technology Steering Committee and is governed by the Business Continuity Plan that is approved annually by the Board of Directors. We are not aware of any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company’s business strategy, results of operations or financial condition. Governance and Oversight The Information Systems Security Program, reviewed and updated annually by the Board of Directors, is our benchmark for protecting the Company’s confidential information. The COO, with over 30 years of experience in operations and information security, reports security incidents and updates to the Board as needed. The Board and Senior Management are tasked with comprehensively understanding the Company s risk environment. Incident management and response teams are in place to execute response protocols and strategies, mitigating business risk and supporting recovery initiatives. This team adapts based on the nature of incidents, ensuring a flexible and effective response. The CSIRTP framework ensures timely reporting of cybersecurity incidents to the Executive Management Team. Incident severity is judged based on potential impacts, including damage, compromise, loss, and the likelihood of further exploitation. The Chief Risk Officer is informed of all incidents that are determined to be significant. The Chief Executive Officer and the Board of Directors are notified of these incidents as necessary. For further information on risks to the Company from cybersecurity threats, see “Our information systems may experience failure, interruption or breach in security” under Item 1A. Risk Factors. 23 Table of Contents

Company Information