Page last updated on March 6, 2025
UWHARRIE CAPITAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-06 13:30:20 EST.
Filings
10-K filed on 2025-03-06
UWHARRIE CAPITAL CORP filed a 10-K at 2025-03-06 13:30:20 EST
Accession Number: 0000950170-25-034396
Item 1C. Cybersecurity.
Item 1C. Cybersecurity for additional information. In addition to our obligation to address federal standards related to data breaches, cybersecurity incidents, and similar matters, all fifty states have enacted breach notification laws. State breach notification laws often present additional or different notification requirements than those arising under federal law. Evaluating and addressing our obligations under these laws adds complexity to our incident response process, and the nature of these laws may present compliance challenges. The application, interpretation and enforcement of these laws and regulations are often uncertain, particularly in light of new and rapidly evolving data-driven technologies and significant increases in computing power. These laws and regulations are constantly evolving, remain a focus of regulators, and will continue to have a significant impact on our businesses and operations. Violations of these laws and regulations can give rise to enforcement actions by governmental agencies and to private lawsuits for damages and other forms of relief.

Additional Legislative and Regulatory Matters

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (the “USA PATRIOT Act”) required each financial institution: (i) to establish an anti-money laundering program; (ii) to establish due diligence policies, procedures and controls with respect to its private banking accounts involving foreign individuals and certain foreign banks; and (iii) to avoid establishing, maintaining, administering or managing correspondent accounts in the United States for, or on behalf of, foreign banks that do not have a physical presence in any country. The USA PATRIOT Act also required the Secretary of the Treasury to prescribe by regulation minimum standards that financial institutions must follow to verify the identity of customers, both foreign and domestic, when a customer opens an account. In addition, the USA PATRIOT Act encouraged cooperation among financial institutions, regulatory authorities and law enforcement authorities with respect to individuals, entities and organizations engaged in, or reasonably suspected of engaging in, terrorist acts or money laundering activities.

The Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley”) mandated for public companies, such as Uwharrie Capital Corp, a variety of reforms intended to address corporate and accounting fraud and provided for the establishment of the Public Company Accounting Oversight Board (“PCAOB”), which enforces auditing, quality control and independence standards for firms that audit SEC-reporting companies. Sarbanes-Oxley imposed higher standards for auditor independence, restricted the provision of consulting services by auditing firms to companies they audit, and required that certain audit partners be rotated periodically. It also requires chief executive officers and chief financial officers, or their equivalents, to certify the accuracy of periodic reports filed with the SEC, subject to civil and criminal penalties if they knowingly or willfully violate this certification requirement, and increases the oversight and authority of audit committees of publicly traded companies.

Fiscal and Monetary Policy

Banking is a business which depends on interest rate differentials for success. In general, the difference between the interest paid by a bank on its deposits and its other borrowings, and the interest received by a bank on its loans and securities holdings, constitutes the significant portion of a bank’s earnings. Thus, our earnings and growth will be subject to the influence of economic conditions generally, both domestic and foreign, and also to the monetary and fiscal policies of the United States and its agencies, particularly the Federal Reserve. The Federal Reserve regulates the supply of money through various means, including open market dealings in United States government securities, the discount rate at which banks may borrow from the Federal Reserve and the reserve requirements on deposits. The nature and timing of any changes in such policies and their effect on our business and results of operations cannot be predicted.

Current and future legislation and the policies established by federal and state regulatory authorities will affect our future operations. Banking legislation and regulations may limit our growth and the return to investors by restricting certain of our activities. In addition, capital requirements could be changed and have the effect of restricting the activities of the Company or requiring additional capital to be maintained. The Company cannot predict with certainty what changes, if any, will be made to existing federal and state legislation and regulations or the effect that such changes may have on our business and results of operations.

Federal Home Loan Bank System

The FHLB System consists of 12 district Federal Home Loan Banks (“FHLBs”) subject to supervision and regulation by the Federal Housing Finance Agency (“FHFA”). The FHLBs provide a central credit facility primarily for member institutions. As a member of the FHLB of Atlanta, the Bank is required to acquire and hold shares of capital stock in the FHLB of Atlanta. The Bank was in compliance with this requirement with investment in FHLB of Atlanta stock of $750,000 at December 31, 2024. The FHLB of Atlanta serves as a reserve or central bank for its member institutions within its assigned district. It is funded primarily from proceeds derived from the sale of consolidated obligations of the FHLB System. It offers advances to members in accordance with policies and procedures established by the FHFA and the Board of Directors of the FHLB of Atlanta. Long-term advances may only be made for the purpose of providing funds for residential housing finance, small businesses, small farms and small agribusinesses.

Real Estate Lending Evaluations

The federal regulators have adopted uniform standards for evaluations of loans secured by real estate or made to finance improvements to real estate. Banks are required to establish and maintain written internal real estate lending policies consistent with safe and sound banking practices and appropriate to the size of the institution and the nature and scope of its operations. The regulations establish loan to value ratio limitations on real estate loans. The Bank’s loan policies establish limits on loan to value ratios that are equal to or less than those established in such regulations.

Commercial Real Estate Concentrations

Lending operations of commercial banks may be subject to enhanced scrutiny by federal banking regulators based on a bank’s concentration of commercial real estate loans. The federal banking regulators have issued guidance to remind financial institutions of the risk posed by commercial real estate, or CRE, lending concentrations. CRE loans generally include land development, construction loans, and loans secured by multifamily property, and nonfarm, nonresidential real property where the primary source of repayment is derived from rental income associated with the property. The guidance prescribes the following guidelines for its examiners to help identify institutions that are potentially exposed to significant CRE risk and may warrant greater supervisory scrutiny:
- total reported loans for construction, land development and other land (“C&D”) represent 100% or more of the institution’s total capital; or
- total CRE loans represent 300% or more of the institution’s total capital, and the outstanding balance of the institution’s CRE loan portfolio has increased by 50% or more.
As of December 31, 2024, our C&D concentration as a percentage of risk-based capital totaled 70.1% and our CRE concentration, net of owner-occupied loans, as a percentage of risk-based capital totaled 189.2%.

Limitations on Incentive Compensation

The Federal Reserve reviews incentive compensation arrangements of bank holding companies such as Uwharrie Capital Corp as part of the regular, risk-focused supervisory process. The federal banking agencies have also issued guidance designed to help ensure that incentive compensation policies at banking organizations do not encourage excessive risk-taking or undermine the safety and soundness of the banking organizations. The guidance, which covers all employees that have the ability to materially affect the risk profile of an organization, either individually or as part of a group, is based upon the key principles that a banking organization’s incentive compensation arrangements should (i) provide employees incentives that appropriately balance risk and reward and, thus, do not encourage risk-taking beyond the organization’s ability to effectively identify and manage risks, (ii) be compatible with effective internal controls and risk management, and (iii) be supported by strong corporate governance, including active and effective oversight by the organization’s board of directors. Any deficiencies in compensation practices that are identified may be incorporated into the organization’s supervisory ratings, which can affect its ability to make acquisitions or perform other actions. The guidance provides that enforcement actions may be taken against a banking organization if its incentive compensation arrangements or related risk-management control or governance processes pose a risk to the organization’s safety and soundness and the organization is not taking prompt and effective measures to correct the deficiencies.

Economic Environment

The policies of regulatory authorities, including the monetary policy of the Federal Reserve, have a significant effect on the operating results of bank holding companies and their subsidiaries. Among the means available to the Federal Reserve to affect the money supply are open market operations in U.S. government securities, changes in the discount rate on member bank borrowings and changes in reserve requirements against member bank deposits. These means are used in varying combinations to influence overall growth and distribution of bank loans, investments and deposits, and their use may affect interest rates charged on loans or paid on deposits. The Federal Reserve’s monetary policies have materially affected the operating results of commercial banks in the past and are expected to continue to do so in the future. The nature of future monetary policies and the effect of these policies on our business and earnings cannot be predicted.

Evolving Legislation and Regulatory Action

New laws or regulations or changes to existing laws and regulations, including changes in interpretation or enforcement, could materially adversely affect our financial condition or results of operations. As a result, the overall financial impact on the Company and the Bank cannot be anticipated at this time.

Item 1A. Risk Factors.
Item not required for smaller reporting companies.

Item 1B. Unresolved Staff Comments.
Item not required for non-accelerated filers.

Item 1C. Cybersecurity.

Risk Management and Strategy

The Company recognizes the importance of a cybersecurity risk management program designed to assess, identify, and manage risk associated with cybersecurity threats. Our cybersecurity risk management program (the “Program”) is consistent with the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity Assessment Tool, which incorporates bank regulatory guidance and principles from the National Institute of Standards and Technology Cybersecurity Framework and includes the following risk-based principles:
- Identification, measurement, mitigation, monitoring and reporting of cybersecurity threats based on internal and external information sharing and resources;
- Safeguards designed to protect against identified threats, including documented policies and procedures, controls, and employee education and awareness;
- Processes to detect cybersecurity events and improve incident response, including routine testing of incident response, recovery and business continuity plans and processes; and
- Third-party risk management process to manage cybersecurity risk with service providers, suppliers, and vendors.
Our Program is designed to adapt to an evolving landscape of emerging cybersecurity threats and advancing technology to determine the Company’s cybersecurity preparedness. Through routine data gathering, emerging risks, internal incidents, technology investments and internal controls, our Program and overall cybersecurity risk strategy are adjusted as needed. Our Program is supported by regular training of information security employees and awareness training and activities for executives, directors, and employees through which we communicate our cybersecurity policies, standards, processes and practices to foster a culture of cybersecurity risk management across the Company.

Integrated Risk Management

The Program is integrated into the Company’s enterprise risk management framework and functions to identify risk, form a strategy to manage risk, implement the strategy, test the implementation, and monitor our technology environment to control risk. Our information technology team works closely with stakeholders across security, risk, compliance, operations, other business stakeholders, and senior leadership to conduct an annual cybersecurity risk assessment utilizing the FFIEC Cybersecurity Assessment Tool.

Engagement of Third Parties in Connection with Risk Management

The Company engages various third parties to evaluate the effectiveness and maturity of our Program. The Company engages an independent third party to audit the cybersecurity risk strategy and preparedness. The Company also maintains cybersecurity insurance; however, the costs related to cybersecurity threats or disruptions may not be fully insured. The Company also engages third parties to perform regular penetration tests, vulnerability scans, disaster recovery tests and cyber exercises to simulate threat actor attacks. Our relationships with third parties enable us to leverage their cybersecurity expertise and industry knowledge to assess our Program and make adjustments as needed.

Oversight of Third-party Risks

Our third-party service providers, suppliers, and vendors face their own risks from cybersecurity threats that could impact the Company in certain circumstances. In response, we have implemented processes for overseeing and managing these risks. The processes include limiting the exposure of our information systems to external systems to the least practical amount, assessing the third parties’ information security practices before allowing them to access our information systems or data, requiring third parties to implement appropriate cybersecurity controls in our agreements with them, conducting ongoing monitoring of their compliance with those requirements, and requiring third parties to agree to contractual requirements designed to ensure cybersecurity concepts are appropriately addressed.

Risks from Cybersecurity Threats

As of the date of this report, we have not encountered any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.

Governance

Board of Directors Oversight

Our Board’s Audit Committee oversees cybersecurity risk.

Management’s Role in Cybersecurity Risk Management

Given the important role of technology in the Company’s operations and customer service, the Company has established an Information Technology Steering Committee, which consists of our IT Manager, President and Chief Risk Officer, Chief Operations Officer, Chief Financial Officer, Mortgage Systems Administrator and Enterprise Risk Manager. The Information Technology Steering Committee reviews, monitors, aligns, and prioritizes all significant strategic information technology initiatives and security risks. The Information Technology Steering Committee reports to the Audit Committee, and minutes of the committee’s meetings are subsequently reported by the Audit Committee to the Company’s Board of Directors. Our IT Manager, in collaboration with our Enterprise Risk Manager, makes monthly/quarterly reports to the Information Technology Steering Committee. Such reports include updates related to key metrics, key risk indicators, key performance indicators, penetration test results, risk assessment results, project updates, incident reports, compliance matters, and operational issues.

Risk Management Personnel

The IT Manager has the primary responsibility for managing the Program to identify, assess, manage and control cybersecurity risk. The IT Manager reports directly to our Chief Operations Officer. Our IT Manager has approximately 20 years of experience in cybersecurity, information security risk management, identity and access management, security architecture, vulnerability management, threat intelligence, security operations and incident management and response.

Monitoring Cybersecurity Incidents

The IT Manager is continually informed of and monitors cybersecurity risks and incidents. In the event of a cybersecurity incident, the Company has developed an incident response plan to timely report cybersecurity incidents to our executive management team, the Audit Committee and Board of Directors, as necessary. In addition to facilitating timely evaluation, escalation and reporting of cybersecurity incidents, this plan also sets forth the process for identifying and assessing the severity of cybersecurity incidents, as well as monitoring post-incident mitigation and remediation.

Reporting to Board of Directors

The Audit Committee receives reports from the Chief Operations Officer, IT Manager or Enterprise Risk Manager and briefings on our information security and enterprise risk management programs at least quarterly, including the results of any external audits, bank regulatory examinations and evaluations, as well as maturity assessments of our information security program.
Company Information
Name | UWHARRIE CAPITAL CORP |
CIK | 0000898171 |
SIC Description | State Commercial Banks |
Ticker | UWHR - OTC |
Website | |
Category | Non-accelerated filer Smaller reporting company |
Fiscal Year End | December 30 |