CAPITAL CITY BANK GROUP INC 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

CAPITAL CITY BANK GROUP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 12:39:13 EST.

Filings

10-K filed on 2026-02-27

CAPITAL CITY BANK GROUP INC filed a 10-K at 2026-02-27 12:39:13 EST
Accession Number: 0000726601-26-000007

Item 1C. Cybersecurity.

Risk Management and Strategy

Our enterprise risk management program is designed to identify, assess, and mitigate risks across various aspects of our Company, including financial, operational, market, regulatory, technology, legal, and reputational. Cybersecurity is a critical risk area given the increasing reliance on technology and potential of cyber risk threats. Our Chief Information Security Officer ("CISO") reports to the CCB President who provides oversight of the information security program and its activities, along with our management-level Enterprise Risk Oversight Committee ("ROC") and our Board of Directors.

Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse systems or information. Our cybersecurity risk management program is designed around the National Institute of Standards and Technology ("NIST") Cybersecurity Framework, regulatory guidance, and other industry standards, although we cannot guarantee that we meet all technical specifications, or requirements under NIST. Our CISO and Information Security Officers ("ISOs") along with key members of the information security team collaborate with peer banks, industry groups, and policymakers to discuss cybersecurity trends and issues and identify best practices. Our information security program, including our cyber risk management policies and procedures and our incident response program, are periodically reviewed by the CISO with the goal of addressing changing threats and conditions.

The parts of our information security program relating to cybersecurity are built on a multi-layered and integrated defense model and include the following processes:

◾ Risk-based controls for information systems and information on our networks: We maintain risk management processes designed to identify, assess, and manage cybersecurity risks associated with external service providers and the services we provide to our clients. We leverage people, processes, and technology as part of our efforts to manage and maintain cybersecurity controls. We also employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. We seek to maintain a risk management infrastructure that implements physical, administrative and technical controls that are designed, based on risk, to protect our information systems and the information stored on our networks, including personal information, intellectual property and proprietary information of our Company and our clients.

◾ Incident response program: We have an incident response program and dedicated teams to respond to cybersecurity incidents. When a cybersecurity incident occurs, we have cross-functional teams that are responsible for leading the initial assessment of priority and severity and communicating potentially material cybersecurity incidents to the appropriate members of management and the Board of Directors.

◾ Training and testing: We have established processes and systems designed to mitigate cybersecurity risk, including regular education and training for associates, preparedness simulations and tabletop exercises, and recovery and resilience tests. We also monitor our email gateways for malicious phishing email campaigns and monitor remote connections.

◾ Internal and external risk assessments: We engage in ongoing assessments of our infrastructure, software systems, and network architecture using internal experts and third-party specialists, including to identify material risks from cybersecurity threats. Our internal auditor and other independent external partners will periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and make recommendations to strengthen our risk management processes.

Notwithstanding our defensive measures and processes, threats posed by cyberattacks are severe. Our internal systems, processes, and controls are designed to mitigate loss from cyber-attacks and, while we have experienced cybersecurity incidents in the past, to date, risks from cybersecurity threats have not materially affected, and are not reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition. Despite the Company's efforts, there can be no assurance that its cybersecurity risk management processes and measures described will be fully implemented, complied with, or effective in protecting its systems and information. The company faces risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect its business strategy, results of operations or financial condition. For further discussion of risks from cybersecurity threats, see Item 1A. Risk Factors under the section captioned "Cybersecurity incidents, including security breaches and failures of our information systems could significantly disrupt our business, result in the unintended disclosure or misuse of confidential or proprietary information, damage our reputation, increase our costs, and cause losses."

Governance

Management's Role

Our CISO is responsible for managing our Corporate Security Department and overseeing our information security program, including cybersecurity risks. The responsibilities of this department include cybersecurity risk assessment, defense operations, incident response, vulnerability assessment, threat intelligence, third-party risk management, information governance risk and compliance and business resilience. The foregoing responsibilities are covered on a day-to-day basis with oversight and guidance provided by our CISO, the ISOs and key members of the information security team. The department, as a whole, consists of information security professionals with varying degrees of education and experience. Associates within the department are generally subject to professional education and certification requirements. In particular, our CISO has over 15 years of substantial relevant expertise and formal training in the areas of information security and cybersecurity risk management and also serves on several advisory boards and committees within the financial sector.

Our CISO regularly reports on the status of the information security program to the CCB President. On a quarterly basis, and as needed, the CISO reports the status of the information security program, notable threats or incidents, and other developments related to information security and cybersecurity risks to our ROC.

Board Oversight of Cybersecurity

The Board of Directors oversee cybersecurity risk and the information security program which includes overseeing management's actions to identify, assess, mitigate and remediate or prevent material cybersecurity risks. The CISO provides reports to the Board of Directors annually on the status of the information security program and risks, notable threats and incidents, and other developments related to cybersecurity of the information security program. An appropriate committee of the Board of Directors may also receive from the CISO periodic reports on these activities, as well as the status of any incident response and remediation efforts the Company may undertake.


Company Information

Name: CAPITAL CITY BANK GROUP INC
CIK: 0000726601
SIC Description: State Commercial Banks
Ticker: CCBG - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 31