Page last updated on March 26, 2025
Skyline Bankshares, Inc. described its cybersecurity risk management and governance process in its annual report on Form 10-K, filed on 2025-03-26 at 15:21:04 EDT.
Filings
10-K filed on 2025-03-26
Skyline Bankshares, Inc. filed a 10-K at 2025-03-26 15:21:04 EDT
Accession Number: 0001437749-25-009335
Item 1C. Cybersecurity.
Item 1C. “Cybersecurity” below.

Our inability to successfully manage growth or implement our growth strategy may adversely affect our results of operations and financial condition.

A key aspect of our long-term business strategy is our continued growth and expansion. We may not be able to successfully implement this strategy if we are unable to identify attractive expansion locations or opportunities in the future. In addition, our successful implementation and management of growth will be contingent upon whether we can maintain appropriate levels of capital to support our growth, maintain control over expenses, maintain adequate asset quality, attract talented bankers and successfully integrate into the organization any branches or businesses acquired. As we continue to implement our growth strategy, we expect to incur increased personnel, occupancy and other operating expenses. In many cases, our expenses will increase prior to the income we expect to generate from the growth. For instance, in the case of new branches, we must absorb these expenses prior to or as we begin to generate new deposits, and there is a further time lag involved in redeploying the new deposits into attractively priced loans and other higher yielding earning assets. Thus, our plans to branch or expand loan or mortgage operations could depress earnings in the short run, even if we are able to efficiently execute our strategy.

In addition, our business strategy in recent years has involved expansion in North Carolina and Tennessee, with several branches opening in new markets in western North Carolina in 2020 and 2022 and our acquisition of JCB in 2024. The banking business in western North Carolina and eastern Tennessee is competitive, and the level of competition may increase further. There can be no assurance that the Company will be able to successfully compete in these markets, or that we will be able to successfully manage additional growth. Because of our prior limited participation in these markets, there may be unexpected challenges and difficulties that could adversely affect our operations.

Risks Related to the Regulatory Environment

An inability to maintain our regulatory capital position could adversely affect our operations.

As of December 31, 2024, the Bank was classified as “well capitalized” for regulatory capital purposes. If we do not maintain the expected levels of regulatory capital in the future, it could increase the regulatory scrutiny on the Company and the Bank, and the OCC could establish individual minimum capital ratios or take other regulatory actions against us. Further, if the Bank were no longer “well capitalized” for regulatory capital purposes, it would not be able to offer interest rates on deposit accounts that are significantly higher than the average rates in its market area. As a result, it may be more difficult for us to increase deposits. If we are not able to attract new deposits, our ability to fund our loan portfolio may be adversely affected. In addition, the Bank is subject to a capital conservation buffer designed to absorb losses during periods of economic stress. Banking institutions with a ratio of common equity Tier 1 to risk-weighted assets above the minimum capital requirements but below the conservation buffer will face constraints on dividends, equity repurchases, and compensation based on the amount of the shortfall. We also could be required to pay higher insurance premiums to the FDIC if our capital position declines, which would reduce our earnings. Any of the foregoing could have a material adverse effect on our operations or financial condition.

Our profitability may suffer because of rapid and unpredictable changes in the highly regulated environment in which we operate.

We are subject to extensive supervision by several governmental regulatory agencies at the federal and state levels. Recently enacted, proposed and future banking legislation and regulations have had, and will continue to have, a significant impact on the financial services industry. These regulations, which are intended to protect depositors and other customers and not our shareholders, and the interpretation and application of them by federal and state regulators, are beyond our control, may change rapidly and unpredictably and can be expected to influence our earnings and growth. Despite our ongoing compliance efforts, we may become subject to regulatory enforcement actions with respect to our programs and practices. The Company expects that the Trump administration will seek to implement a regulatory agenda that is significantly different than that of the Biden administration, impacting the rulemaking, supervision, examination, and enforcement priorities of the federal banking agencies. At this time, it is unclear what laws, regulations, and policies may change and whether future changes or uncertainty surrounding future changes will adversely affect the Company’s operating environment and therefore its business, financial condition, and results of operations.

We are subject to stringent capital requirements, which could adversely affect our results of operations and future growth.

We are subject to regulatory risk-based capital rules and minimum capital requirements including a “capital conservation buffer” that was fully effective on January 1, 2019. An institution will be subject to limitations on paying dividends, engaging in share repurchases, and paying discretionary bonuses if its capital level falls below the buffer amount. While the Economic Growth Act provided some relief through the establishment of a simplified leverage capital framework for smaller banks, these stringent capital requirements for us could, among other things, result in lower returns on equity, require the raising of additional capital, adversely affect our future growth opportunities, and result in regulatory actions such as a prohibition on the payment of dividends or on the repurchase of shares if we were unable to comply with such requirements.

Government measures to regulate the financial industry could materially affect our businesses, financial condition or results of operations.

As a financial institution, we are heavily regulated at the state and federal levels. Banking regulations generally are intended to protect depositors, not investors, and regulators have broad interpretive and enforcement powers beyond our control that may change rapidly and unpredictably and could influence our earnings and growth. Our success depends on our continued ability to comply with these regulations. Future changes in the laws or regulations or their interpretations or enforcement could be materially adverse to us and our shareholders. Further, banks have faced, and expect to continue to face, increased public and legislative scrutiny as well as stricter and more comprehensive regulation of our financial services practices. In July 2010, the Dodd-Frank Act was signed into law and has increased our compliance costs in the short term. We expect that financial institutions will remain heavily regulated in the near future and that additional laws or regulations may be adopted further regulating specific banking practices. The ultimate impact of current or future legislation on our businesses and results of operations will depend on regulatory interpretation and rulemaking, as well as the success of our actions to mitigate the negative earnings impact of certain provisions.

Changes in accounting standards could impact reported earnings and capital.

The authorities that promulgate accounting standards, including the Financial Accounting Standards Board (the “FASB”), the SEC, and other regulatory authorities, periodically change the financial accounting and reporting standards that govern the preparation of the Company’s consolidated financial statements. These changes are difficult to predict and can materially impact how the Company records and reports its financial condition and results of operations. In some cases, the Company could be required to apply a new or revised standard retroactively, resulting in the restatement of financial statements for prior periods. Such changes could also impact the capital levels of the Company and the Bank, or require the Company to incur additional personnel or technology costs.

Increasing scrutiny and evolving expectations from customers, regulators, investors, and other stakeholders with respect to environmental, social and governance (“ESG”) practices may impose additional costs on the Company or expose it to new or additional risks.

Companies are facing increasing scrutiny from customers, regulators, investors, and other stakeholders related to ESG practices and disclosures, especially as they relate to climate risk, hiring practices, the diversity of the work force, racial and social justice issues, support for local communities, and corporate governance and transparency. New rules and regulations also could result in new or more stringent forms of ESG oversight and reporting, diligence, and disclosure. Complying with ESG-related rules, regulations and/or stakeholder expectations could result in increases to the Company’s overall operational costs and increased management time and attention. Further, failure to adapt to or comply with regulatory requirements or investor or stakeholder expectations and standards or to act responsibly in these areas could negatively impact the Company’s reputation, ability to do business with certain partners, and stock price. Conversely, if efforts around diversity and inclusion and other ESG-related areas are perceived as too ambitious, the Company may be subject to investigations, litigation and other proceedings and its reputation may be damaged. Adverse incidents could impact the value of the Company’s brand, the cost of its operations and/or relationships with customers, investors or employees, any of which could adversely affect its business and results.

Climate change and related legislative and regulatory initiatives may result in operational changes and expenditures that could significantly impact the Company’s business.

The current and anticipated effects of climate change are creating an increasing level of concern for the state of the global environment. As a result, political and social attention to the issue of climate change has increased. Federal and state legislatures and regulatory agencies have continued to propose and advance numerous legislative and regulatory initiatives seeking to mitigate the effects of climate change. The federal banking agencies have emphasized that climate-related risks are faced by banking organizations of all types and sizes and are in the process of enhancing supervisory expectations regarding banks’ risk management practices. In December 2021, the OCC published proposed principles for climate risk management by banking organizations with more than $100 billion in assets. The OCC also has appointed its first ever Climate Change Risk Officer and established an internal climate risk implementation committee in order to assist with these initiatives and to support the agency’s efforts to enhance its supervision of climate change risk management. Similar and even more expansive initiatives are expected, including potentially increasing supervisory expectations with respect to banks’ risk management practices, accounting for the effects of climate change in stress testing scenarios and systemic risk assessments, revising expectations for credit portfolio concentrations based on climate-related factors and encouraging investment by banks in climate-related initiatives and lending to communities disproportionately impacted by the effects of climate change. To the extent that these initiatives lead to the promulgation of new regulations or supervisory guidance applicable to the Company, the Company would likely experience increased compliance costs and other compliance-related risks. The lack of empirical data surrounding the credit and other financial risks posed by climate change renders it impossible to predict how specifically climate change may impact the Company’s financial condition and results of operations; however, the physical effects of climate change may also directly impact the Company. Specifically, unpredictable and more frequent weather disasters may adversely impact the value of real property securing the loans in the Bank’s loan portfolio. Additionally, if insurance obtained by borrowers is insufficient to cover any losses sustained to the collateral, or if insurance coverage is otherwise unavailable to borrowers, the collateral securing loans may be negatively impacted by climate change, which could impact the Company’s financial condition and results of operations. Further, the effects of climate change may negatively impact regional and local economic activity, which could lead to an adverse effect on customers and impact the communities in which the Company operates. Overall, climate change, its effects and the resulting, unknown impact could have a material adverse effect on the Company’s financial condition and results of operations.

Item 1B. Unresolved Staff Comments.

None.

Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Cybersecurity risks are constantly evolving and becoming increasingly pervasive across all industries. To mitigate these risks and protect sensitive customer data, financial transactions and our information systems, the Company has implemented a comprehensive cybersecurity risk management program, which is a component of its overarching enterprise risk management program. Key components of the cybersecurity risk management program include:

● A risk assessment process that identifies and prioritizes material cybersecurity risks; defines and evaluates the effectiveness of controls to mitigate the risks; and reports results to executive management and the Board of Directors.
● A third-party Managed Detection and Response (“MDR”) service, which monitors the security of our information systems around-the-clock, including intrusion detection and alerting.
● A team covering all critical cyber defense functions such as engineering, data protection, identity and access management, insider risk management, security operations, threat emulation and threat intelligence.
● A training program that educates employees about cybersecurity risks and how to protect themselves from cyberattacks.
● An awareness program that keeps employees informed about cybersecurity threats and how to stay safe online.
● An incident response plan that outlines the steps the Company will take to respond to a cybersecurity incident, which is tested on a periodic basis.

The Company engages reputable third-party assessors to conduct various independent risk assessments on a regular basis, including but not limited to maturity assessments and various testing. Following a defense-in-depth strategy, the Company leverages both in-house resources and third-party service providers to implement and maintain processes and controls to manage the identified risks.

Our Third-Party Risk Management program is designed to ensure that our vendors meet our cybersecurity requirements. This includes conducting periodic risk assessments of vendors, requiring vendors to implement appropriate cybersecurity controls and monitoring vendor compliance with our cybersecurity requirements.

The Company’s cybersecurity risk management program and strategy are designed to protect the Company’s information and information systems from a variety of threats, both natural and man-made. Periodic risk assessments are performed to validate control requirements and ensure that the Company’s information is protected at a level commensurate with its sensitivity, value, and criticality. Preventative and detective security controls are employed on all media where information is stored, the systems that process it, and infrastructure components that facilitate its transmission to protect the confidentiality, integrity, and availability of Company information. These controls include, but are not limited to, access control, data encryption, data loss prevention, incident response, security monitoring, third-party risk management, and vulnerability management. The Company’s cybersecurity risk management program and strategy are regularly reviewed and updated to ensure that they are aligned with the Company’s business objectives and are designed to address evolving cybersecurity threats and satisfy regulatory requirements and industry standards.

Material Effects of Cybersecurity Threats

While cybersecurity risks have the potential to materially affect the Company’s business, financial condition, and results of operations, the Company does not believe that risks from cybersecurity threats or attacks, including as a result of any previous cybersecurity incidents, have materially affected the Company, including its business strategy, results of operations or financial condition. However, the sophistication of cyber threats continues to increase, and the Company’s cybersecurity risk management and strategy may be insufficient or may not be successful in protecting against all cyber incidents. Accordingly, no matter how well designed or implemented the Company’s controls are, it will not be able to anticipate all cybersecurity breaches, and it may not be able to implement effective preventive measures against such security breaches in a timely manner. For more information on how cybersecurity risk may materially affect the Company’s business strategy, results of operations or financial condition, please refer to Item 1A. “Risk Factors” above.

Governance

Board of Directors Oversight

The Company’s Board of Directors is charged with overseeing the establishment and execution of the Company’s risk management framework and monitoring adherence to related policies required by applicable statutes, regulations and principles of safety and soundness. Consistent with this responsibility, the Board has delegated primary oversight responsibility over the Company’s risk management framework, including oversight of cybersecurity risk and cybersecurity risk management, to the Technology Committee of the Board of Directors. The Technology Committee receives regular updates on cybersecurity risks and incidents and the cybersecurity program through direct interaction with the Chief Operations Officer and the Information Security Officer and provides periodic updates regarding cybersecurity risks and the cybersecurity program to the full Board of Directors. Additionally, awareness and training on cybersecurity topics is provided to the Board on an annual basis.

Management’s Role

The Company’s information security program is primarily administered at the management level by the Information Security Officer, and is supported by the Information Technology Department, which is led by the Chief Operations Officer. The Information Security Officer is responsible for day-to-day management of the Company’s information security program, including data loss prevention, access control, threat monitoring, incident response and employee education and training. The Company also maintains policies related to cybersecurity and data security that provide the required governance and technical aspects for the information security program. Each policy is mapped to applicable regulatory guidance, and is reviewed and approved by the Board annually.
Company Information
| Field | Value |
|---|---|
| Name | Skyline Bankshares, Inc. |
| CIK | 0001657642 |
| SIC Description | State Commercial Banks |
| Ticker | SLBK (OTC) |
| Website | |
| Category | Non-accelerated filer; Smaller reporting company |
| Fiscal Year End | December 31 |