COMMUNITY TRUST BANCORP INC /KY/ - (CTBI)
10-K Filing Date: February 28, 2024
Item 1C.
Cybersecurity
As referenced in the Operational Risks/Cyber Risks section of Item 1A. Risk Factors included in this Form 10-K, our organization may be materially affected by cybersecurity threats and incidents that target its internally managed information technology systems or our critical vendor systems.
Our institution utilizes industry standard and regulatory approved assessment tools to identify cybersecurity risks and measure preparedness. The tools provide a repeatable and measurable framework for our organization to measure its cybersecurity preparedness over time.
The assessment process spans five domains of interest: (1) cyber risk management and oversight, (2) threat intelligence and collaboration, (3) cybersecurity controls, (4) external dependencies, and (5) cyber incident management and resilience. All domains are currently assessed at an evolving maturity level, which is in line with our organization's inherent risk assessment score.
Our institution has purchased and is using best-of-breed tools in the areas of endpoint security, Security Information and Event Management (“SIEM”), Privileged Access Management (“PAM”), email and web browsing filtering and management, and user analytics. We also use a comprehensive third-party 24-by-7 Security Operations Center (“SOC”) that monitors, detects, and remediates cybersecurity threats while adhering to strict service response levels.
The internal assessment process, internal tools, and SOC-related key indicators are reported on a quarterly basis to the Security and Information Security Committee and the Enterprise-wide Risk Management Committee, and annually to the Board of Directors.
The assessment process, internal tools, and corresponding SOC-related services are also reviewed when new threats arise or when considering changes to the business strategy, such as expanding operations, offering new products and services, or entering into new third-party relationships that support critical activities. Based on these reviews, management determines whether additional risk management practices or controls are needed to maintain or augment the institution’s cybersecurity maturity.
A comprehensive and layered auditing approach including people, processes and technology components is executed by our internal audit program in order to evaluate the effectiveness of existing controls and ensure that cybersecurity risk has been adequately mitigated within our institution. Periodic phishing tests, network and application security reviews, third-party vulnerability assessments and penetration testing are used to gauge the overall effectiveness of our cybersecurity defenses.
In an effort to continually share threat intelligence and increase awareness of cybersecurity threats, routine communication to employees is conducted to highlight internal control requirements and common cybersecurity threats and schemes. Our incident response team members also participate in the annual Financial Services Information Sharing and Analysis Center tabletop cybersecurity exercises.
Our comprehensive vendor management program and processes assess all new vendors and segment them into criticality tiers. Our most critical vendors (tiers 1 and 2) are evaluated annually based on requested vendor documents, such as Statement on Standards for Attestation Engagements No. 18 (SSAE 18) reports, financial statements, insurance, and due diligence questionnaires. The vendor management team also monitors news alerts related to all critical vendors.
As of the date of this report, we are not aware of any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect CTBI. However, future incidents could have a material impact on CTBI’s business strategy, results of operations, or financial condition. For additional discussion of the risks posed by cybersecurity threats, see the Operational Risks/Cyber Risks section of Item 1A. Risk Factors included in this Form 10-K.
Management receives information on cyber activities, incidents, and risk assessments quarterly from the VP/Corporate Information Security, Resilience and Data Officer (CISRDO), the SVP/Manager Application Systems, and the EVP/Operations during the Security and Information Security Committee and the Information Technology Steering Committee meetings. This information is also shared and discussed quarterly with the Enterprise-wide Risk Management Committee. Various key risk measures related to cyber risk are tracked and reported quarterly to the Enterprise-wide Risk Management Committee. Our VP/CISRDO has been with CTBI for five years and has more than 30 years of experience in information technology management roles in various industries. Our SVP/Manager Application Systems has been with CTBI for 32 years and has held various information technology leadership roles. Our EVP/Operations has been with the company for 30 years, leading and guiding our technology teams.
The Board of Directors monitors cyber risk through quarterly reports from the Board’s Risk and Compliance Committee. This Board committee meets quarterly and receives information concerning cyber risk activities, including cyber risk assessments and incident reporting. The Board also receives an annual report covering cyber risk from the Chief Information Technology Officer. Controls over cyber risk are reviewed throughout the year by internal audit activities and third-party assessments whose reports are reviewed by the Board’s Audit Committee.