CAPITAL CITY BANK GROUP INC - (CCBG)
10-K Filing Date: March 13, 2024
Item 1C.
Cybersecurity
Risk Management and Strategy
Our enterprise risk management program is designed to identify, assess, and mitigate risks across various aspects of our
Company, including financial, operational, market, regulatory, technology, legal, and reputational. Cybersecurity risk is a critical
component of our technology risk management program, specifically our information security program given the increasing
reliance on technology and potential of cyber risk threats. Our Chief Information Security Officer (“CISO”) is primarily
responsible for coordinating the various aspects of the information security program with cross-functional support teams. The
Chief Operating Officer (“COO”), management risk committees, and the Board of Directors provide oversight of the program and
its activities.
Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to
penetrate, disrupt or misuse systems or information. Our cybersecurity risk management infrastructure is designed around
regulatory guidance, other industry standards and the National Institute of Standards and Technology (“NIST”) Cybersecurity
Framework, although this does not imply that we meet all technical standards, specifications, or requirements under NIST. Our
CISO and Information Security Officer (“ISO”) along with key members of their respective teams, regularly collaborate with peer
banks, industry groups, and policymakers to discuss cybersecurity trends and issues and identify best practices. Our information
security program and cyber risk management policies and procedures are periodically reviewed by the CISO and ISO with the
goal of addressing changing threats and conditions.
The parts of our information security program relating to cybersecurity are built on a multi-layered and integrated defense model
and include the following processes:
◾ Risk-based controls for information systems and information on our networks: processes designed to identify, assess, and manage cybersecurity risks associated with external service providers and the services we provide to our clients. We leverage people, processes, and technology as part of our efforts to manage and maintain cybersecurity controls. We also employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. We seek to maintain a risk management infrastructure that implements physical, administrative and technical controls that are designed, based on risk, to protect our information systems and the information stored on our networks, including personal information, intellectual property and proprietary information of our Company and our clients.
◾ Incident response program: We have an incident response program and dedicated teams to respond to cybersecurity, physical and administrative incidents. When a cybersecurity incident occurs, we have cross-functional teams that are responsible for leading the initial assessment of priority and severity and communicating material cybersecurity incidents to the appropriate members of management and the Board of Directors.
◾ Training and testing: We have established processes and systems designed to mitigate cybersecurity risk, including regular and ongoing education and training for associates, preparedness simulations and tabletop exercises, and recovery and resilience tests. We also actively monitor our email gateways for malicious phishing email campaigns and monitor remote connections.
◾ Internal and external risk assessments: network architecture using internal experts and third-party specialists. Our internal auditor and other independent external partners will periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and make recommendations to strengthen our risk management processes.
Notwithstanding our defensive measures and processes, the threat posed by cyber-attacks is severe. Our internal systems,
processes, and controls are designed to mitigate loss from cyber-attacks and, while we have experienced cybersecurity incidents
in the past, to date, risks from cybersecurity threats have not materially affected our Company. For further discussion of risks
from cybersecurity threats, see Item 1A. Risk Factors under the section captioned “Cybersecurity incidents, including security
breaches and failures of our information systems could significantly disrupt our business, result in the unintended disclosure or
misuse of confidential or proprietary information, damage our reputation, increase our costs, and cause losses.”
Governance
Our CISO is responsible for managing our Corporate Security Department and overseeing our information security program,
including cybersecurity risks. The CISO reports the day-to-day status of the program to the COO, who in turn reports to our Bank
President. On a quarterly basis, and as needed, the CISO reports the status of the program, notable threats or incidents, and other
developments related to information security and cybersecurity risks to our Operations Risk Oversight Committee (“OROC”) and
to our Enterprise Risk Oversight Committee (“ROC”). The CISO also provides reports to our Board of Directors at least annually
on the status of the information security program and risks, notable threats and incidents, and other developments related to
cybersecurity. In addition, the CISO provides more frequent reports to the Audit Committee on the aforementioned activities,
including remediation efforts and the status of incident response, as needed.