CAPITAL CITY BANK GROUP INC - (CCBG)

10-K Filing Date: March 13, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Our enterprise risk management program is designed to identify, assess, and mitigate risks across various aspects of our Company, including financial, operational, market, regulatory, technology, legal, and reputational risks. Cybersecurity risk is a critical component of our technology risk management program, specifically our information security program, given the increasing reliance on technology and the potential for cyber threats.
 
Our Chief Information Security Officer (“CISO”) is primarily responsible for coordinating the various aspects of the information security program with cross-functional support teams. The Chief Operating Officer (“COO”), management risk committees, and the Board of Directors provide oversight of the program and its activities.
 
Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse systems or information.
 
Our cybersecurity risk management infrastructure is designed around regulatory guidance, other industry standards and the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, although this does not imply that we meet all technical standards, specifications, or requirements under the NIST framework.
 
Our CISO and Information Security Officer (“ISO”), along with key members of their respective teams, regularly collaborate with peer banks, industry groups, and policymakers to discuss cybersecurity trends and issues and identify best practices. Our information security program and cyber risk management policies and procedures are periodically reviewed by the CISO and ISO with the goal of addressing changing threats and conditions.
 
The parts of our information security program relating to cybersecurity are built on a multi-layered and integrated defense model and include the following processes:
Risk-based controls for information systems and information on our networks:
We maintain risk management processes designed to identify, assess, and manage cybersecurity risks associated with external service providers and the services we provide to our clients. We leverage people, processes, and technology as part of our efforts to manage and maintain cybersecurity controls. We also employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. We seek to maintain a risk management infrastructure that implements physical, administrative and technical controls that are designed, based on risk, to protect our information systems and the information stored on our networks, including personal information, intellectual property and proprietary information of our Company and our clients.
Incident response program:
We have an incident response program and dedicated teams to respond to cybersecurity, physical and administrative incidents. When a cybersecurity incident occurs, we have cross-functional teams that are responsible for leading the initial assessment of priority and severity and communicating material cybersecurity incidents to the appropriate members of management and the Board of Directors.
Training and testing:
We have established processes and systems designed to mitigate cybersecurity risk, including regular and ongoing education and training for associates, preparedness simulations and tabletop exercises, and recovery and resilience tests. We also actively monitor our email gateways for malicious phishing email campaigns and monitor remote connections.
Internal and external risk assessments:
We engage in regular assessments of our infrastructure, software systems, and network architecture using internal experts and third-party specialists. Our internal auditor and other independent external partners periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and make recommendations to strengthen our risk management processes.
 
Notwithstanding our defensive measures and processes, the threat posed by cyber-attacks is severe. Our internal systems, processes, and controls are designed to mitigate loss from cyber-attacks and, while we have experienced cybersecurity incidents in the past, to date, risks from cybersecurity threats have not materially affected our Company.

For further discussion of risks from cybersecurity threats, see Item 1A. Risk Factors under the section captioned “Cybersecurity incidents, including security breaches and failures of our information systems could significantly disrupt our business, result in the unintended disclosure or misuse of confidential or proprietary information, damage our reputation, increase our costs, and cause losses.”
 
Governance
Our CISO is responsible for managing our Corporate Security Department and overseeing our information security program, including cybersecurity risks. The CISO reports the day-to-day status of the program to the COO, who in turn reports to our Bank President.

On a quarterly basis, and as needed, the CISO reports the status of the program, notable threats or incidents, and other developments related to information security and cybersecurity risks to our Operations Risk Oversight Committee (“OROC”) and to our Enterprise Risk Oversight Committee (“ROC”). The CISO also provides reports to our Board of Directors at least annually on the status of the information security program and risks, notable threats and incidents, and other developments related to cybersecurity. In addition, the CISO provides more frequent reports to the Audit Committee on the aforementioned activities, including remediation efforts and the status of incident response, as needed.