CITY HOLDING CO - (CHCO)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

The Company's information security program encompasses the security policies and procedures in place throughout the enterprise network to address compliance, transaction, reputation, and strategic risks. Our Information Security Officer is primarily responsible for this managing the information security program that includes identifying, assessing, and mitigating cyber threats. Our Information Security Officer reports directly to the Chief Information Officer.

Our objective for managing cybersecurity as part of the information security program is to ensure adequate procedures and proper controls are in place in order to provide an objective system for recording and aggregating information, supporting the institution's strategic goals and objectives, and protecting the security and confidentiality of the institution’s customers and business activities. Our information security program leverages guidance from the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, regulatory guidance, and other industry standards. The information security program is periodically reviewed by the board of directors and updated by the Information Security Officer to adapt to potential new threats and conditions.

The Company employs a combination of patch management, network security, malicious code prevention, and user awareness and training to assist with preventing cybersecurity incidents. Users are made aware of policies and procedures regarding appropriate use of networks, systems, and applications. Additionally, employees are trained in handling sensitive data and made aware of specific requirements when handling client data. Periodic review and assessment of network infrastructure is completed. The Company, in certain instances, may rely on vendors, third-party support, or other outsourcing opportunities. Before introducing a new product or service, the internal controls and competence of a vendor, maintenance and upkeep of a third-party provider’s systems, and financial condition of the third-party vendor are evaluated. Internal and external auditors and independent external partners are engaged and periodically review the Company's processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and make recommendations to strengthen our risk management program.

We maintain an Incident Response Policy that provides a documented framework for bringing together and organizing the resources for dealing with any event that harms or threatens the security of information. The goal of the Incident Response Policy is to facilitate a quick and efficient response to incidents, and to limit their impact while protecting information assets. The plan defines roles and responsibilities, documents the steps necessary for effectively and efficiently managing an information security incident, and defines channels of communication. The Information Security Officer and Chief Information Officer coordinate investigations of potential cybersecurity incidents.

Our internal processes, and controls are designed to contain, mitigate, or resolve cybersecurity incidents. As of the report date, risks from cybersecurity threats have not materially affected our company. For further discussion of risks from cybersecurity threats, see the section captioned “System Failure, Cybersecurity Breaches, Fraud and Employee Misconduct Could Subject the Company to Increased Operating Costs, as Well as Litigation and Other Potential Losses” in Item 1A. Risk Factors.

Governance

As mentioned, the Company's Information Security Officer is primarily responsible for managing and updating the information security program. The responsibilities for managing the information security program include cybersecurity risk assessment, assessing the types and appropriateness implemented controls and coordinating related control testing, coordinating user training with each department and the appropriateness, data storage and maintenance, incident response, and third-party risk management. Specifically, the information technology department, as a whole, consists of information security professionals with varying degrees of education and experience with senior management in department having higher professional education and experience. Individuals within the department are generally subject to professional education and certification requirements. In particular, the Company's Information Security Officer and Chief Information Officer have relevant expertise and formal training in the areas of information security and cybersecurity risk management.

Our board of directors has approved and delegated initial cybersecurity threat responses to the Incident Response Team. The Information Security Officer and Chief Information Officer are assigned as the Incident Response Team leaders
23


and reports summaries of key issues, including significant cybersecurity and/or privacy incidents to Incident Response Team which includes the Chief Executive Officer. If appropriate, the Chief Executive Officer will communicate actions taken the actions taken to our board of directors. Further, given the ultimate oversight of the Company's information security programs, the Chief Legal Counsel will communicate any regulatory compliance matters related to information system, including cybersecurity, to the board of directors.