Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Abstract]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

As referenced in the Operational Risks/Cyber Risks section of Item 1A. Risk Factors included in this Form 10-K, our organization may be materially affected by cybersecurity threats and incidents that target our internally managed information technology systems or our critical vendor systems.
 

Our institution uses industry-standard, regulator-approved assessment tools to identify cybersecurity risks and measure preparedness. The tools provide a repeatable, measurable framework that lets our organization track its cybersecurity preparedness over time.
 

The assessment process spans five domains of interest: (1) cyber risk management and oversight, (2) threat intelligence and collaboration, (3) cybersecurity controls, (4) external dependencies, and (5) cyber incident management and resilience. All domains are currently assessed at an evolving maturity level, which is in line with our organization's inherent risk assessment score.
 

Our institution has purchased and is using best-of-breed tools in the areas of endpoint security, Security Information and Event Management (“SIEM”), Privileged Access Management (“PAM”), email and web browsing filtering and management, and user analytics. We also use a comprehensive third-party 24-by-7 Security Operations Center (“SOC”) that monitors, detects, and remediates cybersecurity threats while adhering to strict service response levels.


The internal assessment process, internal tools, and SOC-related key indicators are reported on a quarterly basis to the Security and Information Security Committee and the Enterprise-wide Risk Management Committee, and annually to the Board of Directors.


The assessment process, internal tools, and corresponding SOC-related services are also reviewed when new threats arise or when changes to the business strategy are being considered, such as expanding operations, offering new products and services, or entering into new third-party relationships that support critical activities. Based on those reviews, management determines whether additional risk management practices or controls are needed to maintain or augment the institution’s cybersecurity maturity.
 

Our processes for assessing, identifying, and managing material risks from cybersecurity threats have been integrated into our overall risk management processes. Our internal audit program executes a comprehensive and layered auditing approach including people, processes and technology in order to evaluate the effectiveness of existing controls and ensure that cybersecurity risk has been adequately mitigated within our institution.  Periodic phishing tests, network and application security reviews, third-party vulnerability assessments and penetration testing are used to gauge the overall effectiveness of our cybersecurity defenses. The audit program and cybersecurity defense evaluations are key parts of our overall risk management processes.



Our enterprise risk management program is designed to identify, assess, and mitigate risks across various aspects of our company, including financial, operational, regulatory, reputational, and legal risks. Cybersecurity is a critical component of this program, given our increasing reliance on technology and the potential for cyber threats. Our processes and policies related to cybersecurity are focused on: (i) developing organizational understanding to manage cybersecurity risks, (ii) applying safeguards to protect our systems, (iii) detecting the occurrence of a cybersecurity incident, (iv) responding to a cybersecurity incident, and (v) recovering from a cybersecurity incident. Where appropriate, these processes and policies are integrated into our overall enterprise risk management systems and processes. For example, all of our employees with network access are required to complete information security and privacy training on an annual basis. We are continuously working to improve our information technology systems and provide employee awareness training around phishing, malware, and other cyber risks to enhance our levels of protection.


Other aspects of our cyber and information security risk management program include:



Monitoring external and internal threats and events, managing access, facilitating the use of appropriate authentication options, validating controls and programs through internal teams and independent third parties, and testing various compromise scenarios, all overseen by our information security team;

Investing in threat intelligence platforms and participating in financial services industry and government forums which track and report on cyber and other information security threats;

Routinely performing vulnerability tests;

Engaging independent consultants and other third parties to assist CTBI in establishing and improving its policies; and

Conducting “tabletop” exercises at least annually to test CTBI’s processes and policies and using feedback from those exercises to further improve our processes.


CTBI also maintains insurance coverage for cybersecurity incidents as part of its overall insurance portfolio.


In the event of a cybersecurity incident, CTBI maintains incident response plans to investigate, classify, respond to, and manage cybersecurity incidents that may compromise the availability or integrity of our information systems, network resources, or data. In accordance with the incident response plans, cross-functional management teams assess and assign a threat level to each cybersecurity incident.  A cybersecurity incident (or incidents, if aggregated together) determined to be at a critical threat level is escalated to a group consisting of CTBI’s Chief Executive Officer and certain other officers, including the Chief Legal Officer, Executive Vice President/Operations, Chief Risk Officer, and Chief Financial Officer for review.


In an effort to continually share threat intelligence and increase awareness of cybersecurity threats, routine communication to employees is conducted to highlight internal control requirements and common cybersecurity threats and schemes. Our incident response team members also participate in the annual Financial Services Information Sharing and Analysis Center cybersecurity tabletop exercises.


Our comprehensive vendor management program and processes assess all new vendors and segment them into criticality tiers. Our most critical vendors (tiers 1 and 2) are evaluated annually based on requested vendor documents, such as Statements on Standards for Attestation Engagements No. 18 (SSAE 18) reports, financial statements, insurance, and due diligence questionnaires. The vendor management team also monitors all news alerts related to all critical vendors.


As of the date of this report, we are not aware of any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect CTBI.  However, future incidents could have a material impact on CTBI’s business strategy, results of operations, or financial condition.  For additional discussion of the risks posed by cybersecurity threats, see the Operational Risks/Cyber Risks section of Item 1A. Risk Factors included in this Form 10-K.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

The assessment process spans five domains of interest: (1) cyber risk management and oversight, (2) threat intelligence and collaboration, (3) cybersecurity controls, (4) external dependencies, and (5) cyber incident management and resilience. All domains are currently assessed at an evolving maturity level, which is in line with our organization's inherent risk assessment score.
 

Our institution has purchased and is using best-of-breed tools in the areas of endpoint security, Security Information and Event Management (“SIEM”), Privileged Access Management (“PAM”), email and web browsing filtering and management, and user analytics. We also use a comprehensive third-party 24-by-7 Security Operations Center (“SOC”) that monitors, detects, and remediates cybersecurity threats while adhering to strict service response levels.


The internal assessment process, internal tools, and SOC-related key indicators are reported on a quarterly basis to the Security and Information Security Committee and the Enterprise-wide Risk Management Committee, and annually to the Board of Directors.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] As of the date of this report, we are not aware of any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect CTBI.
Cybersecurity Risk Board of Directors Oversight [Text Block]

Management receives information on cyber activities, incidents, and risk assessments quarterly from the VP/Corporate Information Security, Resilience and Data Officer (CISRDO), the SVP/Manager Application Systems, and the EVP/Operations during the Security and Information Security Committee and the Information Technology Steering Committee meetings. This information is also shared and discussed quarterly with the Enterprise-wide Risk Management Committee. Various key risk measures related to cyber risk are tracked and reported quarterly to the Enterprise-wide Risk Management Committee. Our VP/CISRDO has been with CTBI for six years and has more than 30 years of experience in information technology management roles in various industries. At December 31, 2024, our SVP/Manager Application Systems had been with CTBI for 33 years and had held various information technology leadership roles, and our EVP/Operations had been with the company for 31 years, leading and guiding our technology teams. Effective January 31, 2025, our EVP/Operations retired, and our SVP/Manager Application Systems was promoted to EVP/Operations.


The Board of Directors monitors cyber risk through quarterly reports from the Board’s Risk and Compliance Committee.  This Board committee meets quarterly and receives information concerning cyber risk activities, including cyber risk assessments and incident reporting.  The Board also receives an annual report covering cyber risk from the Chief Information Technology Officer. Controls over cyber risk are reviewed throughout the year by internal audit activities and third-party assessments whose reports are reviewed by the Board’s Audit Committee.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Board of Directors monitors cyber risk through quarterly reports from the Board’s Risk and Compliance Committee.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] This Board committee meets quarterly and receives information concerning cyber risk activities, including cyber risk assessments and incident reporting.  The Board also receives an annual report covering cyber risk from the Chief Information Technology Officer. Controls over cyber risk are reviewed throughout the year by internal audit activities and third-party assessments whose reports are reviewed by the Board’s Audit Committee.
Cybersecurity Risk Role of Management [Text Block]

Management receives information on cyber activities, incidents, and risk assessments quarterly from the VP/Corporate Information Security, Resilience and Data Officer (CISRDO), the SVP/Manager Application Systems, and the EVP/Operations during the Security and Information Security Committee and the Information Technology Steering Committee meetings. This information is also shared and discussed quarterly with the Enterprise-wide Risk Management Committee. Various key risk measures related to cyber risk are tracked and reported quarterly to the Enterprise-wide Risk Management Committee. Our VP/CISRDO has been with CTBI for six years and has more than 30 years of experience in information technology management roles in various industries. At December 31, 2024, our SVP/Manager Application Systems had been with CTBI for 33 years and had held various information technology leadership roles, and our EVP/Operations had been with the company for 31 years, leading and guiding our technology teams. Effective January 31, 2025, our EVP/Operations retired, and our SVP/Manager Application Systems was promoted to EVP/Operations.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Management receives information on cyber activities, incidents, and risk assessments quarterly from the VP/Corporate Information Security, Resilience and Data Officer (CISRDO), the SVP/Manager Application Systems, and the EVP/Operations during the Security and Information Security Committee and the Information Technology Steering Committee meetings.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our VP/CISRDO has been with CTBI for six years and has more than 30 years of experience in information technology management roles in various industries. At December 31, 2024, our SVP/Manager Application Systems had been with CTBI for 33 years and had held various information technology leadership roles, and our EVP/Operations had been with the company for 31 years, leading and guiding our technology teams. Effective January 31, 2025, our EVP/Operations retired, and our SVP/Manager Application Systems was promoted to EVP/Operations.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] information on cyber activities, incidents, and risk assessments quarterly from the VP/Corporate Information Security, Resilience and Data Officer (CISRDO), the SVP/Manager Application Systems, and the EVP/Operations during the Security and Information Security Committee and the Information Technology Steering Committee meetings.  This information is also shared and discussed quarterly with the Enterprise-wide Risk Management
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true