Carter Bankshares, Inc. - (CARE)

10-K Filing Date: March 08, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
The Company has developed and implemented a Cybersecurity and Information Technology Incident Response Plan intended to ensure the confidentiality, integrity, and availability of the Company’s critical systems and information.
The Company has designed this Cybersecurity and Information Technology Incident Response Plan based in part on the National Institute of Standards and Technology Cybersecurity Framework (“NIST”). Use of the framework does not imply that the Company meets any particular technical standards, specifications, or requirements; rather, the NIST framework is used as a guide to help identify, assess, and manage cybersecurity risks relevant to the Company’s business. The Company’s Cybersecurity and Information Technology Incident Response Plan is led by our Chief Operations Officer (“COO”), who is responsible for the oversight and implementation of such plan. Additionally, the COO and the Information Security Manager meet with the Information Technology Steering Committee (“IT Steering Committee”) on a monthly basis, or more frequently as necessary, to discuss, among other things, cybersecurity matters.
The Cybersecurity and Information Technology Incident Response Plan is aligned to the Company’s business strategy. It shares common methodologies, reporting channels and governance processes that apply to other areas of enterprise risk management, including legal, compliance, strategic, operational, and financial risk. In the event of a material or potentially material cybersecurity event, senior members of management, which includes the Chief Financial Officer, are promptly informed of the event and status update, response, and disclosure efforts following the terms of a documented incident response plan. Key elements of the Cybersecurity and Information Technology Incident Response Plan include:
risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader information technology (“IT”) environment;
an incident response team principally responsible for managing cybersecurity risk assessment processes, security controls, and responses to cybersecurity incidents;
the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
training and awareness programs for team members that include periodic and ongoing assessments to drive adoption and awareness of cybersecurity processes and controls;
a cybersecurity and IT incident response plan that includes procedures for responding to cybersecurity incidents;
utilization of independent third parties to perform penetration testing of the Company’s environment; and
utilization of a third party to monitor our environment continuously.
The Company has experienced cybersecurity incidents in the past, but none of these incidents, individually or in the aggregate, have had a material adverse effect on our business, financial condition or results of operations. For a discussion of whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition, refer to Item 1A. Risk Factors – "Risks Related to Our Operations and Technology," which is incorporated by reference into this Item 1C.
Cybersecurity Governance
Management’s Role
The Company’s management has created an Incident Response Team (“IRT”) that consists of the Chief Operations Officer, a network manager, an application delivery manager, an information security manager, the IT Steering Committee, the regulatory
risk management director and an internal auditor. Our COO holds multiple cybersecurity industry-recognized certifications and has gained extensive cybersecurity knowledge and skills through over 7 years of work experience on the IT security team at the Company. Our Information Security Manager, who also holds multiple cybersecurity industry-recognized certifications and is a member of the IT Steering Committee, has 20 years of experience working in IT and cybersecurity in various roles and industries throughout his career. Additionally, leaders in the Company’s IT function receive periodic training and education on cybersecurity-related topics. The IRT is governed by policies and procedures, and its proactive responsibilities include implementing awareness programs for the overall cybersecurity risk management plan and supervising vulnerability and penetration testing.
The Company’s IRT serves as the central point for all cybersecurity incidents and reporting, including incidents that directly target associates, customers or the Company’s internal information systems and incidents originating from third parties. The IRT evaluates each incident in terms of its impact on the Company’s operations, ability to conduct business with customers, reputational risk to the Company, legal risk, and the speed and degree to which the incident has been contained. The IRT is also responsible for assessing the nature and scope of the incident, and engaging third-party service providers where appropriate to support the Company through the resolution of the incident. The COO escalates incidents to the Company’s IT Steering Committee, which is responsible for cybersecurity risk oversight, and also reports to the Board on a monthly basis.
Our information security team and members of IT also monitor the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through various means, which may include briefings with law enforcement, regulators, and external consultants we may engage, and reports produced by security tools we have deployed in our IT environment.
Board of Directors’ Role
The Company’s Board of Directors recognizes the importance of cybersecurity in safeguarding the Company’s sensitive data, including with respect to its associates and customers. The Board is responsible for the consideration and oversight of risk facing the Company and is also responsible for ensuring that material risks are identified and managed appropriately, including cybersecurity risks. The COO gives a monthly report to the Company’s IT Steering Committee and Board on various information security issues. The Company has created and designated a separate committee of its Board as the Audit Committee consisting of four independent directors. The Audit Committee meets quarterly and reviews the Company’s major financial risk exposures, including cybersecurity risks, and reviews the steps management is taking to monitor and control such exposures, including results of internal and external audits.