Page last updated on March 14, 2025
CSB Bancorp, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-14 12:56:06 EDT.
Filings
10-K filed on 2025-03-14
CSB Bancorp, Inc. filed a 10-K at 2025-03-14 12:56:06 EDT
Accession Number: 0000950170-25-039227
Item 1C. Cybersecurity.
Item 1C “Cybersecurity” in Part I of this Form 10-K. These SEC rules, and any other regulatory guidance, are in addition to notification and disclosure requirements under state and federal banking law and regulations. State regulators have also been increasingly active in implementing privacy and cybersecurity standards and regulations. Recently, several states have adopted regulations requiring certain financial institutions to implement cybersecurity programs and providing detailed requirements with respect to these programs, including data encryption requirements. Many states have also recently implemented or modified their data breach notification and data privacy requirements. CSB expects this trend of state-level activity in those areas to continue and is continually monitoring developments in the states in which our customers are located.

Effect of Environmental Regulation
Compliance with federal, state, and local provisions regulating the discharge of materials into the environment, or otherwise relating to the protection of the environment, has not had a material effect upon the capital expenditures, earnings, or competitive position of CSB or its subsidiaries. CSB believes the nature of the operations of its subsidiaries has little, if any, environmental impact. CSB, therefore, anticipates no material capital expenditures for environmental control facilities for its current fiscal year or for the foreseeable future. CSB believes its primary exposure to environmental risk is through the lending activities of the Bank. In cases where management believes environmental risk potentially exists, the Bank mitigates environmental risk exposure by requiring environmental site assessments at the time of loan origination to confirm collateral quality as to commercial real estate parcels posing higher than normal potential for environmental impact, as determined by reference to present and past uses of the subject property and adjacent sites.

Executive and Incentive Compensation
Following the adoption of additional listing requirements in 2023 to comply with the Dodd-Frank Act and rules adopted by the SEC in October 2022, public companies listed on the NYSE or Nasdaq are now required to adopt and implement “clawback” policies for incentive compensation payments and to disclose the details of those policies, which allow recovery of incentive compensation that was paid on the basis of erroneous financial information necessitating an accounting restatement due to material noncompliance with financial reporting requirements. This clawback policy is intended to apply to compensation paid within the three completed fiscal years immediately preceding the date the issuer is required to prepare a restatement (a three-year look-back window from the restatement) and would cover all executives (including former executives) who received incentive awards. CSB adopted a clawback policy effective December 1, 2023, though it is not required to do so.

Future Legislation
Various and significant legislation affecting financial institutions and the financial industry is from time to time adopted by the U.S. Congress and state legislatures, and regulatory agencies frequently adopt or amend regulations. Such legislation and regulation may continue to change banking laws and regulations and the operating environment of CSB and its subsidiaries in substantial and unpredictable ways and could significantly increase or decrease costs of doing business, limit or expand permissible activities, or affect the competitive balance among financial institutions. The nature and extent of future legislative and regulatory changes affecting financial institutions remains very unpredictable.

Statistical Disclosures
The following schedules present, for the periods indicated, certain financial and statistical information of the Company as required under the SEC’s “Subpart 1400 of Regulation S-K”, as amended on September 11, 2020, or a specific reference as to the location of required disclosures in Item 7 Management’s Discussion and Analysis of Financial Condition and Results of Operations (“MD&A”) or Item 8 Financial Statements and Supplementary Data of this Annual Report on Form 10-K.

Distribution of Assets, Liabilities, and Stockholders’ Equity; Interest Rates and Interest Differential
The information set forth under the heading “Average Balance Sheets and Net Interest Margin Analysis” located in the MD&A is incorporated by reference herein. The information set forth under the heading “Rate/Volume Analysis of Changes in Income and Expense” located in the MD&A is incorporated by reference herein.

Investment Portfolio
The following is a schedule of maturities for each category of debt securities and the related weighted average yield of such securities as of December 31, 2024 (dollars in thousands; "Cost" is amortized cost, "Yield" is the weighted average yield):

| Available-for-sale | 1 Yr or Less Cost | Yield | 1-5 Yrs Cost | Yield | 5-10 Yrs Cost | Yield | After 10 Yrs Cost | Yield | Total Cost | Yield |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| U.S. Treasuries | $13,487 | 2.98% | - | - | - | - | - | - | $13,487 | 2.98% |
| U.S. Government agencies | 3,000 | 0.55% | 3,000 | 0.74% | - | - | - | - | 6,000 | 0.65% |
| Mortgage-backed securities of government agencies | 26 | 3.23% | 233 | 2.58% | 2,925 | 1.37% | 66,562 | 2.72% | 69,746 | 2.66% |
| Asset-backed securities of government agencies | - | - | - | - | 404 | 5.88% | - | - | 404 | 5.88% |
| State and political subdivisions | 2,493 | 2.46% | 5,521 | 2.85% | 7,037 | 1.61% | - | - | 15,051 | 2.21% |
| Corporate bonds | 11,190 | 3.24% | 12,403 | 2.76% | 6,455 | 3.69% | - | - | 30,048 | 3.14% |
| Total | $30,196 | 2.79% | $21,157 | 2.49% | $16,821 | 2.47% | $66,562 | 2.72% | $134,736 | 2.67% |

| Held-to-maturity | 1 Yr or Less Cost | Yield | 1-5 Yrs Cost | Yield | 5-10 Yrs Cost | Yield | After 10 Yrs Cost | Yield | Total Cost | Yield |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| U.S. Treasuries | $2,484 | 1.02% | $2,487 | 1.19% | $2,883 | 1.15% | - | - | $7,854 | 1.12% |
| Mortgage-backed securities of government agencies | - | - | - | - | 123 | 1.87% | 193,814 | 2.00% | 193,937 | 2.00% |
| State and political subdivisions | - | - | 818 | 1.70% | 1,700 | 2.74% | - | - | 2,518 | 2.40% |
| Total | $2,484 | 1.02% | $3,305 | 1.32% | $4,706 | 1.74% | $193,814 | 2.00% | $204,309 | 1.97% |

The weighted average yields are calculated using amortized cost of investments and are based on coupon rates for securities purchased at par value, and on effective interest rates considering amortization or accretion if securities were purchased at a premium or discount. The weighted average yield on tax-exempt obligations is presented on a tax-equivalent basis using the Company’s marginal federal income tax rate of 21%.

Loan Portfolio
The following is a schedule of maturities of loans based on contract terms and assuming no amortization or prepayments, as of December 31, 2024 (dollars in thousands):

| Loan category | One Year or Less | One Through Five Years | Five Through Fifteen Years | After Fifteen Years | Total |
| --- | --- | --- | --- | --- | --- |
| Commercial and industrial | $59,414 | $49,792 | $31,149 | $4,021 | $144,376 |
| Commercial real estate | 2,948 | 15,719 | 34,663 | 137,184 | 190,514 |
| Commercial lessors of buildings | 422 | 5,650 | 27,664 | 67,432 | 101,168 |
| Construction | 1,417 | 3,525 | 10,949 | 48,371 | 64,262 |
| Consumer mortgage | 1 | 2,254 | 34,522 | 140,801 | 177,578 |
| Home equity line of credit | 2,191 | 11,047 | 31,733 | - | 44,971 |
| Consumer installment | 559 | 7,083 | 1,935 | 68 | 9,645 |
| Consumer indirect | 7 | 350 | 4,919 | - | 5,276 |
| Total | $66,959 | $95,420 | $177,534 | $397,877 | $737,790 |

The following is a schedule of fixed rate and variable rate loans due after one year from December 31, 2024 (dollars in thousands):

| Loan category | Fixed Rate | Variable Rate |
| --- | --- | --- |
| Commercial and industrial | $49,969 | $34,993 |
| Commercial real estate | 1,178 | 186,388 |
| Commercial lessors of buildings | 777 | 99,969 |
| Construction | 1,327 | 61,518 |
| Consumer mortgage | 38,944 | 138,633 |
| Home equity line of credit | 69 | 42,711 |
| Consumer installment | 8,396 | 690 |
| Consumer indirect | 5,269 | - |
| Total | $105,929 | $564,902 |

Summary of Credit Loss Experience
The following schedule presents an analysis of net charge-offs (recoveries) to average loans, and related ratios, for the years ended December 31, 2024 and 2023 (dollars in thousands; parentheses denote net charge-offs, unparenthesized amounts denote net recoveries):

| Loan category | 2024 Net (Charge-offs) Recoveries | 2024 Average Loans | 2024 % of Average Loans | 2023 Net (Charge-offs) Recoveries | 2023 Average Loans | 2023 % of Average Loans |
| --- | --- | --- | --- | --- | --- | --- |
| Commercial and industrial | $(5,597) | $144,306 | -3.88% | $181 | $141,811 | 0.13% |
| Commercial real estate | (597) | 192,555 | -0.31% | 9 | 175,699 | 0.01% |
| Commercial lessors of buildings | - | 94,553 | 0.00% | - | 82,690 | 0.00% |
| Construction | - | 55,766 | 0.00% | - | 45,779 | 0.00% |
| Consumer mortgage | 10 | 171,475 | 0.01% | 1 | 161,275 | 0.00% |
| Home equity line of credit | - | 44,373 | 0.00% | - | 42,838 | 0.00% |
| Consumer installment | (48) | 10,378 | -0.46% | (26) | 10,444 | -0.25% |
| Consumer indirect | (24) | 5,622 | -0.43% | (35) | 6,257 | -0.56% |
| Total | $(6,256) | $719,028 | -0.87% | $130 | $666,793 | 0.02% |

The following schedule is a breakdown of the allowance for credit losses allocated by type of loan and related ratios. While management’s periodic analysis of the adequacy of the allowance for credit losses may allocate portions of the allowance for specific problem-loan situations, the entire allowance is available for any loan charge-offs that occur.

Allocation of the Allowance for Credit Losses (dollars in thousands)

| Loan category | Dec. 31, 2024 Allowance Amount | Dec. 31, 2024 % of Loans in Category to Total Loans | Dec. 31, 2023 Allowance Amount | Dec. 31, 2023 % of Loans in Category to Total Loans |
| --- | --- | --- | --- | --- |
| Commercial and industrial | $2,919 | 19% | $1,737 | 22% |
| Commercial real estate | 1,681 | 26% | 1,637 | 27% |
| Commercial lessors of buildings | 1,141 | 14% | 1,200 | 12% |
| Construction | 502 | 9% | 333 | 7% |
| Consumer mortgage | 812 | 24% | 1,107 | 24% |
| Home equity line of credit | 205 | 6% | 288 | 6% |
| Consumer installment | 92 | 1% | 76 | 1% |
| Consumer indirect | 243 | 1% | 229 | 1% |
| Total | $7,595 | 100% | $6,607 | 100% |

Deposits
The following is a schedule of average deposit amounts and average rates paid on each category for the years ended December 31 (dollars in thousands):

| Deposit category | 2024 Average Amount | 2023 Average Amount | 2024 Average Rate Paid | 2023 Average Rate Paid |
| --- | --- | --- | --- | --- |
| Noninterest-bearing demand | $281,675 | $314,956 | N/A | N/A |
| Interest-bearing demand | 227,842 | 251,626 | 0.90% | 1.02% |
| Savings deposits | 302,621 | 296,896 | 1.07% | 0.80% |
| Time deposits | 223,421 | 154,505 | 4.08% | 2.96% |
| Total deposits | $1,035,559 | $1,017,983 | | |

The Bank does not have any material deposits by foreign depositors. The total uninsured portion of all deposit accounts greater than $250 thousand was $244 million as of December 31, 2024, and $254 million as of December 31, 2023. The following is a schedule of maturities of time certificates of deposit in amounts greater than $250 thousand as of December 31, 2024 (dollars in thousands):

| Maturity | Time Deposits Greater than $250 Thousand |
| --- | --- |
| Three months or less | $41,363 |
| Over three through six months | 20,472 |
| Over six through twelve months | 12,335 |
| Over twelve months | 5,464 |
| Total | $79,634 |

ITEM 1A. RISK FACTORS.
Not Applicable.

ITEM 1B. UNRESOLVED STAFF COMMENTS.
Not applicable.

ITEM 1C. CYBERSECURITY
In the ordinary course of business, CSB relies on electronic communications and information systems to conduct its operations and to store sensitive data.
CSB employs an in-depth, layered, defensive approach that leverages people, processes and technology to manage and maintain cybersecurity controls. CSB employs a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected advanced persistent threats. CSB places a high priority and focus on securing the confidential information it receives and stores about its customers and associates and on providing highly available systems.

Governance
Our Information Security (“IS”) Program consists of policies, procedures and guidelines to ensure the security, availability, and confidentiality of systems and customer information. The IS Program is led by our Information Security Officer (“ISO”) under the direction of the Chief Information Officer (“CIO”) and is subject to oversight by our IT Steering Committee. The IT Steering Committee is a cross-functional management committee with overall responsibility for identifying and approving the IT Strategic plan; identifying and approving strategic technology-based initiatives that improve or enhance the security posture and the mitigation of cybersecurity threats; monitoring the technology infrastructure and systems; monitoring critical vendors; monitoring cybersecurity threats and issues; and conducting, reviewing, and monitoring IT-based risk assessments. These efforts include the framework used to identify and prevent cyberattacks or breaches. The IT Steering Committee makes recommendations to the Board of Directors for approval of certain risk assessments, risk frameworks, and the appropriate application of mitigation strategies and frameworks.

The Board of Directors oversees the IS Program in the following ways: (a) monitors and oversees the Company’s business and information technology operations necessary for its business plan, including projected growth, technology capacity, planning, operational execution, product development and management capacity; (b) reviews the Company’s framework(s) to prevent, detect, and respond to cyberattacks or breaches, as well as identifying areas of concern regarding possible vulnerabilities, and reviews policies pertaining to information security and cyber threats, taking into account the potential for external threats, internal threats, and threats arising from transaction and contractual relationships with trusted third-party vendors; and (c) reviews the Company’s incident response, business continuity and disaster recovery planning and preparedness, including processes, policies and procedures related to preparing for recovery or continuation of technology infrastructure vital to the Company. As part of the Board’s oversight, the Board receives frequent reports from the CIO and ISO, including a summary of new and emerging cybersecurity threats and trends and the effectiveness of our IS Program in mitigating cybersecurity threats, among other items. In the event of an information security incident, our Incident Response Plan clarifies the steps for escalation according to the severity of the event. The IS team is staffed primarily with internal associates, and we utilize third-party service providers for extended coverage. We hire IS team members that have relevant information security experience or technology certifications and knowledge to implement and oversee the procedures and processes of our IS Program and to adequately manage and enforce our policies and procedures. Further, management involved in the cybersecurity process possesses the necessary skills and expertise to adequately manage and enforce our policies and procedures.

While all vendors are subject to our vendor management process, those with access to our data and data centers are subject to more rigorous initial and ongoing due diligence. This includes review of Service Organization Control 2 (“SOC 2”) reports, financial information, and other policies and procedures related to such third-party vendors and their various programs, including vendor management.

Risk Management and Strategy
As part of the ongoing maintenance and development of our IS Program, we assess the various risks associated with the unauthorized access or loss of client information and the quality of security controls as prescribed by the Federal Financial Institutions Examination Council and several other frameworks. The frameworks and our IS risk assessments are utilized to monitor and develop strategies to minimize risk to our information assets. Our systems are monitored 24/7 for cybersecurity threats, and we utilize a variety of tools to reduce the risk of data breaches and cybersecurity events. We maintain an Incident Response Plan that outlines the steps to be taken in the event of an incident, which could include a potential or actual data breach. The plan identifies a designated team, including associates and third-party experts, responsible for incident response and summarizes the steps, including the escalation protocol, for determining whether an event has occurred and the nature and scope of the event (if applicable). The plan also summarizes the protocol for notifying impacted persons, which may include customers as well as other applicable agencies or persons, including law enforcement and regulatory authorities. At least annually, we conduct a third-party information security audit focusing on internal and external network security protocols and penetration testing, as well as internally managed ad hoc testing as needed.

Simulations and tabletop testing of our business continuity and Incident Response Plans are performed on a routine basis and assist with our associates’ familiarity and preparedness for an event. Any gaps or improvement areas identified by routine testing are addressed in a timely manner to help improve future testing and response. The processes and controls related to data security are regularly tested by the IS department and Internal Audit. Additional internal security assessments may be performed at the request of the CISO, CIO, the Internal Auditor, Management or our Board. Audit and assessment results are presented to the Audit Committee of the Board and to the IT Steering Committee. At least annually, the IS Program, including its effectiveness, is reviewed by the Board. Annually, all associates participate in mandatory training related to the IS Program, including information security and its importance with respect to customer and associate privacy. All associates are required to participate in monthly bank-wide phishing tests. Results from these tests are delivered to the Audit Committee of the Board of Directors.

Notwithstanding the strength of CSB’s defensive measures, the threat from cyber-attacks is severe, attacks are sophisticated and increasing in volume, and attackers respond rapidly to changes in defensive measures. While, to date, CSB has not detected a significant compromise, significant data loss or any material financial losses related to cybersecurity attacks, CSB’s systems and those of its customers and third-party service providers are under constant threat, and it is possible that CSB could experience a significant event in the future. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as the expanding use of internet banking, mobile banking and other technology-based products and services by the Company and its customers.
Company Information
Name | CSB Bancorp, Inc. |
CIK | 0000880417 |
SIC Description | State Commercial Banks |
Ticker | CSBB - OTC |
Website | |
Category | Non-accelerated filer Smaller reporting company |
Fiscal Year End | December 30 |