C & F FINANCIAL CORP - (CFFI)
10-K Filing Date: February 27, 2024
The Corporation considers cybersecurity a subset of information security, and as such, cybersecurity risks and controls are assessed in our information security risk assessment and managed in our Information Security Program (ISP). The ISP is developed and maintained utilizing the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook and represents the standards, policies, procedures, and guidelines defining the Corporation’s security requirements and related activities, which include risk management and risk assessment practices. Management has charged the Information Security Officer (ISO), along with the Systems and Information Technology (IT) Steering Committee, with implementing and monitoring the ISP. The Corporation’s IT department consists of the Chief Information Officer (CIO), who has over 40 years of experience in the IT field, including 14 with the Corporation, and other key personnel who have years of experience and various certifications related to assessing and managing cybersecurity risk. Additionally, the Corporation has established a comprehensive enterprise risk management program to monitor risks related to its operations, including cybersecurity risk, and the Corporation’s Chief Risk Officer has primary responsibility for the enterprise risk management program. Management also engages the services of third parties to assist the ISO with their tasks. The Corporation believes that risk management is a component of overall governance and that IT risk management is a component of overall risk management.
The Corporation recognizes that our overall security culture contributes to the effectiveness of our ISP. The Corporation maintains an enterprise risk management program that identifies, prioritizes and provides a formal structure for the internal and external risks that impact the organization. The Board of Directors sets the tone and direction for the Corporation’s use of IT and has identified the Audit Committee as having primary responsibility for oversight of the Corporation’s risk exposures and risk assessments and policies, including risks related to cybersecurity. The Board of Directors and Audit Committee approve and periodically review and re-approve the ISP and other IT-related policies. While the Board of Directors may delegate the design, implementation, and monitoring of certain IT activities to the CIO or designee, the full Board of Directors remains responsible for overseeing IT strategies and policies, including cybersecurity. To help carry out their responsibilities, Directors, management, and all employees are periodically trained to understand IT activities and risks, including cybersecurity risks. Management, via the Systems and IT Steering Committee and ISO, or a combination thereof, provides a status report to the Board of Directors at least annually, with more frequent communications as necessary. The report describes the overall status of the ISP and material matters related to the program, including security breaches, cybersecurity assessments, cybersecurity awareness training for employees and the Board of Directors, and results of incident response testing.
The Corporation utilizes third-party threat analysis tools such as penetration testing and vulnerability scanning to assist in understanding and supporting the measurement of information security related risks. Additionally, the Corporation uses a third-party tool to help management identify current cybersecurity risks and control maturity levels, and to evaluate overall cybersecurity preparedness. The Corporation has also implemented a gap analysis and action plan designed to identify potential actions that would improve our overall cybersecurity posture, and periodically reevaluates both cybersecurity risks and controls to assure they are commensurate with our size and complexity and are keeping pace with the overall cybersecurity threat environment.
Management also obtains, analyzes, and responds to information from various sources on cybersecurity threats and vulnerabilities that may affect the Corporation, while incorporating available information on cybersecurity events into our ISP. Additionally, management develops, maintains, and updates a repository of cybersecurity threat and vulnerability information that may be used in conducting risk assessments, and ultimately provides updates to the Board of Directors on cybersecurity risk trends. The Corporation has not experienced any cybersecurity incidents in the past that have individually or in the aggregate had a materially adverse effect on our business, financial condition or results of operations.
Additionally, the Corporation conducts due diligence in the selection and ongoing monitoring of third-party service providers. Management is responsible for ensuring that such third parties use suitable information security controls when providing services to us. As part of the oversight of third-party service providers, management will determine whether cybersecurity risks are identified, measured, mitigated, monitored, and reported by such third parties.