CAPITAL CITY BANK GROUP INC 10-K Cybersecurity GRC - 2024-03-13

Page last updated on April 11, 2024

CAPITAL CITY BANK GROUP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-13 16:39:03 EDT.

Filings

10-K filed on 2024-03-13

CAPITAL CITY BANK GROUP INC filed a 10-K at 2024-03-13 16:39:03 EDT
Accession Number: 0000726601-24-000007


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Our enterprise risk management program is designed to identify, assess, and mitigate risks across various aspects of our Company, including financial, operational, market, regulatory, technology, legal, and reputational. Cybersecurity risk is a critical component of our technology risk management program, specifically our information security program, given the increasing reliance on technology and the potential of cyber risk threats. Our Chief Information Security Officer (CISO) is primarily responsible for coordinating the various aspects of the information security program with cross-functional support teams. The Chief Operating Officer (COO), management risk committees, and the Board of Directors provide oversight of the program and its activities. Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse systems or information.

Our cybersecurity risk management infrastructure is designed around regulatory guidance, other industry standards and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, although this does not imply that we meet all technical standards, specifications, or requirements under the NIST. Our CISO and Information Security Officer (ISO), along with key members of their respective teams, regularly collaborate with peer banks, industry groups, and policymakers to discuss cybersecurity trends and issues and identify best practices. Our information security program and cyber risk management policies and procedures are periodically reviewed by the CISO and ISO with the goal of addressing changing threats and conditions.

The parts of our information security program relating to cybersecurity are built on a multi-layered and integrated defense model and include the following processes:

Risk-based controls for information systems and information on our networks: We maintain risk management processes designed to identify, assess, and manage cybersecurity risks associated with external service providers and the services we provide to our clients. We leverage people, processes, and technology as part of our efforts to manage and maintain cybersecurity controls. We also employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. We seek to maintain a risk management infrastructure that implements physical, administrative and technical controls that are designed, based on risk, to protect our information systems and the information stored on our networks, including personal information, intellectual property and proprietary information of our Company and our clients.

Incident response program: We have an incident response program and dedicated teams to respond to cybersecurity, physical and administrative incidents. When a cybersecurity incident occurs, we have cross-functional teams that are responsible for leading the initial assessment of priority and severity and communicating material cybersecurity incidents to the appropriate members of management and the Board of Directors.

Training and testing: We have established processes and systems designed to mitigate cybersecurity risk, including regular and ongoing education and training for associates, preparedness simulations and tabletop exercises, and recovery and resilience tests. We also actively monitor our email gateways for malicious phishing email campaigns and monitor remote connections.

Internal and external risk assessments: We engage in regular assessments of our infrastructure, software systems, and network architecture using internal experts and third-party specialists. Our internal auditor and other independent external partners will periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and make recommendations to strengthen our risk management processes.

Notwithstanding our defensive measures and processes, the threat posed by cyber-attacks is severe. Our internal systems, processes, and controls are designed to mitigate loss from cyber-attacks and, while we have experienced cybersecurity incidents in the past, to date, risks from cybersecurity threats have not materially affected our Company. For further discussion of risks from cybersecurity threats, see Item 1A. Risk Factors under the section captioned "Cybersecurity incidents, including security breaches and failures of our information systems could significantly disrupt our business, result in the unintended disclosure or misuse of confidential or proprietary information, damage our reputation, increase our costs, and cause losses."

Governance

Our CISO is responsible for managing our Corporate Security Department and overseeing our information security program, including cybersecurity risks. The CISO reports the day-to-day status of the program to the COO, who in turn reports to our Bank President. On a quarterly basis, and as needed, the CISO reports the status of the program, notable threats or incidents, and other developments related to information security and cybersecurity risks to our Operations Risk Oversight Committee (OROC) and to our Enterprise Risk Oversight Committee (ROC).

The CISO also provides reports to our Board of Directors at least annually on the status of the information security program and risks, notable threats and incidents, and other developments related to cybersecurity. In addition, the CISO provides more frequent reports to the Audit Committee on the aforementioned activities, including remediation efforts and the status of incident response, as needed.


Company Information

Name: CAPITAL CITY BANK GROUP INC
CIK: 0000726601
SIC Description: State Commercial Banks
Ticker: CCBG - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 30