CSB Bancorp, Inc. 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

CSB Bancorp, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 17:06:15 EDT.

Filings

10-K filed on 2024-03-15

CSB Bancorp, Inc. filed an 10-K at 2024-03-15 17:06:15 EDT
Accession Number: 0000950170-24-032295

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C Cybersecurity in Part I of this Form 10-K. These SEC rules, and any other regulatory guidance, are in addition to notification and disclosure requirements under state and federal banking law and regulations. State regulators have also been increasingly active in implementing privacy and cybersecurity standards and regulations. Recently, several states have adopted regulations requiring certain financial institutions to implement cybersecurity programs and providing detailed requirements with respect to these programs, including data encryption requirements. Many states have also recently implemented or modified their data breach notification and data privacy requirements. CSB expects this trend of state-level activity in those areas to continue and is continually monitoring developments in the states in which our customers are located. Effect of Environmental Regulation Compliance with federal, state, and local provisions regulating the discharge of materials into the environment, or otherwise relating to the protection of the environment, has not had a material effect upon the capital expenditures, earnings, or competitive position of CSB or its subsidiaries. CSB believes the nature of the operations of its subsidiaries has little, if any, environmental impact. CSB, therefore, anticipates no material capital expenditures for environmental control facilities for its current fiscal year or for the foreseeable future. CSB believes its primary exposure to environmental risk is through the lending activities of the Bank. In cases where management believes environmental risk potentially exists, the Bank mitigates environmental risk exposure by requiring environmental site assessments at the time of loan origination to confirm collateral quality as to commercial real estate parcels posing higher than normal potential for environmental impact, as determined by reference to present and past uses of the subject property and adjacent sites. 9 Executive and Incentive Compensation Following the adoption of additional listing requirements in 2023 to comply with the Dodd-Frank Act and rules adopted by the SEC in October 2022, public companies listed on the NYSE or Nasdaq are now required to adopt and implement clawback procedures policies for incentive compensation payments and to disclose the details of the procedures, which allow recovery of incentive compensation that was paid on the basis of erroneous financial information necessitating an accounting restatement due to material noncompliance with financial reporting requirements. This clawback policy is intended to apply to compensation paid within the three completed fiscal years immediately preceding the date the issuer is required to prepare a restatement a three-year look-back window of the restatement and would cover all executives (including former executives) who received incentive awards. CSB adopted a clawback policy effective December 1, 2023, though it is not required to do so. Future Legislation Various and significant legislation affecting financial institutions and the financial industry is from time to time adopted by the U.S. Congress and state legislatures, and regulatory agencies frequently adopt or amend regulations. Such legislation and regulation may continue to change banking laws and regulations and the operating environment of CSB and its subsidiaries in substantial and unpredictable ways and could significantly increase or decrease costs of doing business, limit or expand permissible activities, or affect the competitive balance among financial institutions. The nature and extent of future legislative and regulatory changes affecting financial institutions remains very unpredictable. Statistical Disclosures The following schedules present, for the periods indicated, certain financial and statistical information of the Company as required under the SEC s Subpart 1400 of regulation S-K , as amended on September 11, 2020, or a specific reference as to the location of required disclosures in Item 7 Management s Discussion and Analysis of Financial Condition and Results of Operations ( MD&A ) or Item 8 Financial Statements and Supplementary Data of this Annual Report on Form 10-K. Distribution of Assets, Liabilities, and Stockholders Equity Interest Rates and Interest Differential The information set forth under the heading, Average Balance Sheets and Net Interest Margin Analysis located in the MD&A is incorporated by reference herein. The information set forth under the heading, Rate/Volume Analysis of Changes in Income and Expense located in the MD&A is incorporated by reference herein. Investment Portfolio The following is a schedule of maturities for each category of debt securities and the related weighted average yield of such securities as of December 31, 2023: One Year or Less After One Year Through Five Years Maturing After Five Years Through Ten Years After Ten Years Total (Dollars in thousands) Amortized Cost Yield Amortized Cost Yield Amortized Cost Yield Amortized Cost Yield Amortized Cost Yield Available-for-sale: U.S. Treasuries $ 9,010 2.00 % $ 9,100 2.04 % $ % $ % $ 18,110 2.02 % U.S. Government agencies 8,000 0.34 6,000 0.65 14,000 0.47 Mortgage-backed securities of government agencies 29 2.57 542 2.70 3,834 1.41 67,874 2.44 72,279 2.39 Asset-backed securities of government agencies 548 6.46 548 6.46 State and political subdivisions 1,258 3.64 8,134 2.71 8,084 1.62 17,476 2.27 Corporate bonds 22,670 2.96 6,465 3.75 29,135 3.14 Total $ 18,297 1.39 % $ 46,446 2.44 % $ 18,931 2.45 % $ 67,874 2.44 % $ 151,548 2.31 % Held-to-maturity: U.S. Treasuries $ 2,497 0.75 % $ 4,944 1.11 % $ 2,864 1.15 % $ % $ 10,305 1.03 % Mortgage-backed securities of government agencies 173 1.85 213,252 2.02 213,425 2.02 State and political subdivisions 220 1.32 1,868 2.14 461 1.20 2,549 1.90 Total $ 2,497 0.75 % $ 5,164 1.11 % $ 4,905 1.55 % $ 213,713 2.02 % $ 226,279 1.98 % The weighted average yields are calculated using amortized cost of investments and are based on coupon rates for securities purchased at par value, and on effective interest rates considering amortization or accretion if securities were purchased at a premium or discount. The weighted average yield on tax-exempt obligations is presented on a tax-equivalent basis based on the Company s marginal federal income tax rate of 21%. 10 Loan Portfolio The following is a schedule of maturities of loans based on contract terms and assuming no amortization or prepayments, as of December 31, 2023: Maturing (Dollars in thousands) One Year or Less One Through Five Years Five Through Fifteen Years After Fifteen Years Total Commercial and industrial $ 64,547 $ 56,665 $ 27,222 $ 3,691 $ 152,125 Commercial real estate 904 16,656 42,193 130,949 190,702 Commercial lessors of buildings 369 1,058 19,008 62,252 82,687 Construction 3,722 522 6,344 38,626 49,214 Consumer mortgage 2 1,355 42,393 123,141 166,891 Home equity line of credit 1,546 12,403 29,320 43,269 Consumer installment 385 7,491 2,683 77 10,636 Consumer indirect 6 497 5,421 33 5,957 Total $ 71,481 $ 96,647 $ 174,584 $ 358,769 $ 701,481 The following is a schedule of fixed rate and variable rate loans due after one year from December 31, 2023. (Dollars in thousands) Fixed Rate Variable Rate Commercial and industrial $ 59,189 $ 28,389 Commercial real estate 1,869 187,929 Commercial lessors of buildings 517 81,801 Construction 489 45,003 Consumer mortgage 44,921 121,968 Home equity line of credit 83 41,640 Consumer installment 9,333 918 Consumer indirect 5,951 Summary of Loan Loss Experience The following schedule presents an analysis of net charge-offs (recoveries) to average loans, and related ratios for the years ended: December 31, 2023 (Dollars in thousands) Net (Charge-offs) Recoveries Average Loans Net (Charge-offs) Recoveries as a % of Average Loans Commercial and industrial $ 181 $ 141,811 0.13 % Commercial real estate 9 175,699 0.01 % Commercial lessors of buildings 82,690 0.00 % Construction 45,779 0.00 % Consumer mortgage 1 161,275 0.00 % Home equity line of credit 42,838 0.00 % Consumer installment (26 ) 10,444 -0.25 % Consumer indirect (35 ) 6,257 -0.56 % Total $ 130 $ 666,793 0.02 % December 31, 2022 (Dollars in thousands) Net (Charge-offs) Recoveries Average Loans Net (Charge-offs) Recoveries as a % of Average Loans Commercial $ (177 ) $ 129,916 -0.14 % Commercial real estate (10 ) 200,174 0.00 % Residential real estate 3 180,740 0.00 % Construction & land development 312 61,034 0.51 % Consumer (13 ) 15,946 -0.08 % Total $ 115 $ 587,810 0.02 % 11 The following schedule is a breakdown of the allowance for credit losses allocated by type of loan and related ratios. While management s periodic analysis of the adequacy of the allowance for credit losses may allocate portions of the allowance for specific problem-loan situations, the entire allowance is available for any loan charge-offs that occur. Allocation of the Allowance for Credit Losses (Dollars in thousands) Allowance Amount Percentage of Loans in Each Category to Total Loans December 31, 2023 Commercial and industrial $ 1,737 21.7 % Commercial real estate 1,637 27.2 Commercial lessors of buildings 1,200 11.8 Construction 333 7.0 Consumer mortgage 1,107 23.8 Home equity line of credit 288 6.2 Consumer installment 76 1.5 Consumer indirect 229 0.8 Total $ 6,607 100.0 % Allocation of the Allowance for Loan Losses (Dollars in thousands) Allowance Amount Percentage of Loans in Each Category to Total Loans December 31, 2022 Commercial $ 1,110 20.6 % Commercial real estate 2,760 37.0 Residential real estate 1,268 30.9 Construction & land development 803 8.9 Consumer 233 2.6 Unallocated 664 Total $ 6,838 100.0 % Deposits The following is a schedule of average deposit amounts and average rates paid on each category for the periods indicated: Average Amounts Outstanding Year ended December 31, Average Rate Paid Year ended December 31, (Dollars in thousands) 2023 2022 2023 2022 Noninterest-bearing demand $ 314,956 $ 337,759 N/A N/A Interest-bearing demand 251,626 240,904 1.02 % 0.27 % Savings deposits 296,896 315,881 0.80 0.21 Time deposits 154,505 118,085 2.96 0.86 Total deposits $ 1,017,983 $ 1,012,629 12 The Bank does not have any material deposits by foreign depositors. The total uninsured portion of all deposit accounts greater than $250 thousand was $254 million as of December 31, 2023, and $267 million as of December 31, 2022. The following is a schedule of maturities of time certificates of deposit in amounts greater than $250 thousand as of December 31, 2023: (Dollars in thousands) Time Deposits Greater than $250 Thousand Three months or less $ 21,846 Over three through six months 13,365 Over six through twelve months 17,007 Over twelve months 6,379 Total $ 58,597 ITEM 1A. RISK FACTORS. Not Applicable. ITEM 1B. UNRESOLVED STAFF COMMENTS. Not applicable. ITEM 1C. CYBERSECURITY In the ordinary course of business, CSB relies on electronic communications and information systems to conduct its operations and to store sensitive data. CSB employs an in-depth, layered, defensive approach that leverages people, processes and technology to manage and maintain cybersecurity controls. CSB employs a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected advanced persistent threats. CSB Places a high priority and focus on securing the confidential information it receives and stores about its customers and associates and providing highly available systems. Governance Our Information Security ( IS ) Program consists of policies, procedures and guidelines to ensure the security, availability, and confidentiality of systems and customer information. The IS Program is led by our Information Security Officer ( ISO ) under the direction of the Chief Information Officer ( CIO ) and is subject to oversight by our IT Steering Committee. The IT Steering Committee is a cross-functional management committee with overall responsibilities for identifying and approving the IT Strategic plan, identifying and approving strategic technology based initiatives that improve/enhance the security posture and mitigation efforts of cybersecurity threats, monitoring of the technology infrastructure and systems, monitoring critical vendors, monitoring cybersecurity threats and issues, and conducting, reviewing, and monitoring IT based risk assessments. These efforts include the framework used to identify and prevent cyberattacks or breaches. The IT Steering Committee makes recommendations for approval of certain risk assessments, risk frameworks, and appropriate application of mitigation strategies and frameworks to the Board of Directors. The Board of Directors oversees the IS Program in the following ways: (a) monitors and oversees the Company s business and information technology operations necessary for its business plan, including projected growth, technology capacity, planning, operational execution, product development and management capacity, (b) reviews the Company s framework(s) to prevent, detect, and respond to cyberattacks or breaches, as well as identifying areas of concern regarding possible vulnerabilities, and reviews policies pertaining to information security and cyber threats, taking into account the potential for external threats, internal threats, and threats arising from transaction and contractual relationships with trusted third party vendors, and (c) reviews the Company s incident response, business continuity and disaster recovery planning and preparedness including processes, policies and procedures that are related to preparing for recovery or continuation of technology infrastructure which are vital to the Company. As part of the Board s oversight, the Board receives frequent reports from the CIO and ISO including the summarization of new and emerging cybersecurity threats and trends and the effectiveness of our IS Program in mitigating cybersecurity threats among other items. In the event of an information security incident, our Incident Response Plan clarifies the steps for escalation according to the severity of the event. The IS team is staffed primarily with internal associates, and we utilize third party service providers for extended coverage. We hire IS team members that have relevant information security experience or technology certifications and knowledge to implement and oversee the procedures and processes of our IS Program and to adequately manage and enforce our policies and procedures. Further, management involved in the cybersecurity process, possess the necessary skills and expertise to adequately manage and enforce our policies and procedures. While all vendors are subject to our vendor management process, those with access to our data and data centers are subject to more rigorous initial and ongoing due diligence. This includes the reviews of Service Organization Control 2 (“SOC 2”) reports, financial information, and other policies and procedures related to such third party vendors and their various programs, including vendor management. 13 Risk Management and Strategy As part of the ongoing maintenance and development of our IS Program, we assess the various risks associated with the unauthorized access or loss of client information and the quality of security controls as prescribed by the Federal Financial Institutions Examinations Council and several other frameworks. The frameworks and our IS risk assessments are utilized to monitor and develop strategies to minimize risk to our information assets. Our systems are monitored 24/7 for cybersecurity threats, and we utilize a variety of tools to reduce the risk of data breaches and cybersecurity events. We maintain an Incident Response Plan that outlines the steps to be taken in the event of an incident, which could include a potential or actual data breach. The plan identifies a designated team, including associates and third-party experts, responsible for incident response and summarizes the steps, including escalation protocol, for determining whether an event has occurred and the nature and scope of the event (if applicable). The plan also summarizes protocol for notifying impacted persons, which may include customers as well as other applicable agencies or persons, including law enforcement and regulatory authorities. At least annually, we conduct a third-party information security audit focusing on internal and external network security protocols and penetration testing, as well as internally managed ad hoc testing as needed. Simulations and tabletop testing of our business continuity and Incident Response Plans are performed on a routine basis and assist with our associates familiarity and preparedness for an event. Any gaps or improvement areas identified by routine testing are addressed in a timely manner to help improve future testing and response. The processes and controls related to data security are regularly tested by the IS department and Internal Audit. Additional internal security assessments may be performed at the request of the CISO, CIO, the Internal Auditor, Management or our Board. Audit and assessment results are presented to the Audit Committee of the Board, and to the IT Steering Committee. At least annually, the IS Program, including its effectiveness, is reviewed by the Board. Annually, all associates participate in mandatory training related to the IS Program, including information security and its importance with respect to customer and associate privacy. All associates are required to participate in monthly bank wide phishing tests. Results from these tests are delivered to our Audit Committee of the Board of Directors. Notwithstanding the strength of CSB s defensive measures, the threat from cyber-attacks is severe, attacks are sophisticated and increasing in volume, and attackers respond rapidly to changes in defensive measures. While to date, CSB has not detected a significant compromise, significant data loss or any material financial losses related to cybersecurity attacks, CSB s systems and those of its customers and third-party service providers are under constant threat and it is possible that CSB could experience a significant event in the future. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as the expanding use of internet banking, mobile banking and other technology-based products and services by the Company and its customers. 14
ITEM 1C. CYBERSECURITY In the ordinary course of business, CSB relies on electronic communications and information systems to conduct its operations and to store sensitive data. CSB employs an in-depth, layered, defensive approach that leverages people, processes and technology to manage and maintain cybersecurity controls. CSB employs a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected advanced persistent threats. CSB Places a high priority and focus on securing the confidential information it receives and stores about its customers and associates and providing highly available systems. Governance Our Information Security ( IS ) Program consists of policies, procedures and guidelines to ensure the security, availability, and confidentiality of systems and customer information. The IS Program is led by our Information Security Officer ( ISO ) under the direction of the Chief Information Officer ( CIO ) and is subject to oversight by our IT Steering Committee. The IT Steering Committee is a cross-functional management committee with overall responsibilities for identifying and approving the IT Strategic plan, identifying and approving strategic technology based initiatives that improve/enhance the security posture and mitigation efforts of cybersecurity threats, monitoring of the technology infrastructure and systems, monitoring critical vendors, monitoring cybersecurity threats and issues, and conducting, reviewing, and monitoring IT based risk assessments. These efforts include the framework used to identify and prevent cyberattacks or breaches. The IT Steering Committee makes recommendations for approval of certain risk assessments, risk frameworks, and appropriate application of mitigation strategies and frameworks to the Board of Directors. The Board of Directors oversees the IS Program in the following ways: (a) monitors and oversees the Company s business and information technology operations necessary for its business plan, including projected growth, technology capacity, planning, operational execution, product development and management capacity, (b) reviews the Company s framework(s) to prevent, detect, and respond to cyberattacks or breaches, as well as identifying areas of concern regarding possible vulnerabilities, and reviews policies pertaining to information security and cyber threats, taking into account the potential for external threats, internal threats, and threats arising from transaction and contractual relationships with trusted third party vendors, and (c) reviews the Company s incident response, business continuity and disaster recovery planning and preparedness including processes, policies and procedures that are related to preparing for recovery or continuation of technology infrastructure which are vital to the Company. As part of the Board s oversight, the Board receives frequent reports from the CIO and ISO including the summarization of new and emerging cybersecurity threats and trends and the effectiveness of our IS Program in mitigating cybersecurity threats among other items. In the event of an information security incident, our Incident Response Plan clarifies the steps for escalation according to the severity of the event. The IS team is staffed primarily with internal associates, and we utilize third party service providers for extended coverage. We hire IS team members that have relevant information security experience or technology certifications and knowledge to implement and oversee the procedures and processes of our IS Program and to adequately manage and enforce our policies and procedures. Further, management involved in the cybersecurity process, possess the necessary skills and expertise to adequately manage and enforce our policies and procedures. While all vendors are subject to our vendor management process, those with access to our data and data centers are subject to more rigorous initial and ongoing due diligence. This includes the reviews of Service Organization Control 2 (“SOC 2”) reports, financial information, and other policies and procedures related to such third party vendors and their various programs, including vendor management. 13 Risk Management and Strategy As part of the ongoing maintenance and development of our IS Program, we assess the various risks associated with the unauthorized access or loss of client information and the quality of security controls as prescribed by the Federal Financial Institutions Examinations Council and several other frameworks. The frameworks and our IS risk assessments are utilized to monitor and develop strategies to minimize risk to our information assets. Our systems are monitored 24/7 for cybersecurity threats, and we utilize a variety of tools to reduce the risk of data breaches and cybersecurity events. We maintain an Incident Response Plan that outlines the steps to be taken in the event of an incident, which could include a potential or actual data breach. The plan identifies a designated team, including associates and third-party experts, responsible for incident response and summarizes the steps, including escalation protocol, for determining whether an event has occurred and the nature and scope of the event (if applicable). The plan also summarizes protocol for notifying impacted persons, which may include customers as well as other applicable agencies or persons, including law enforcement and regulatory authorities. At least annually, we conduct a third-party information security audit focusing on internal and external network security protocols and penetration testing, as well as internally managed ad hoc testing as needed. Simulations and tabletop testing of our business continuity and Incident Response Plans are performed on a routine basis and assist with our associates familiarity and preparedness for an event. Any gaps or improvement areas identified by routine testing are addressed in a timely manner to help improve future testing and response. The processes and controls related to data security are regularly tested by the IS department and Internal Audit. Additional internal security assessments may be performed at the request of the CISO, CIO, the Internal Auditor, Management or our Board. Audit and assessment results are presented to the Audit Committee of the Board, and to the IT Steering Committee. At least annually, the IS Program, including its effectiveness, is reviewed by the Board. Annually, all associates participate in mandatory training related to the IS Program, including information security and its importance with respect to customer and associate privacy. All associates are required to participate in monthly bank wide phishing tests. Results from these tests are delivered to our Audit Committee of the Board of Directors. Notwithstanding the strength of CSB s defensive measures, the threat from cyber-attacks is severe, attacks are sophisticated and increasing in volume, and attackers respond rapidly to changes in defensive measures. While to date, CSB has not detected a significant compromise, significant data loss or any material financial losses related to cybersecurity attacks, CSB s systems and those of its customers and third-party service providers are under constant threat and it is possible that CSB could experience a significant event in the future. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as the expanding use of internet banking, mobile banking and other technology-based products and services by the Company and its customers. 14

Company Information