XML 62 R28.htm IDEA: XBRL DOCUMENT

Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended

Dec. 31, 2024

Cybersecurity Risk Management, Strategy, and Governance [Abstract]

Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Ohio Valley recognizes the critical importance of assessing, identifying, and managing material risks from cybersecurity threats and safeguarding the security of its banking operations and data, including protecting its customers’ information. As a result, the Company has devoted significant financial and personnel resources to assessing, identifying, and managing cybersecurity risks and threats, including:

•	Maintaining policies and procedures regarding security operations and governance through the implementation of the Company’s Information Security Program;

•	Implementing multi-layered controls to avoid reliance on single controls;

•	Utilizing both preventative and detective tools to monitor and block suspicious activity and to alert us of potential threats;

•	Keeping abreast of new technology and evaluating tools to help respond to threats to cybersecurity in an efficient and effective manner;

•	Collaborating with third-party cybersecurity consultants that perform regular penetration testing, vulnerability assessments, and other procedures to identify potential weaknesses in our systems and processes;

•	Utilizing a third-party risk management program for purposes of identifying, assessing, and managing risks involved with external service providers;

•	Conducting thorough due diligence concerning our third-party service providers, including evaluating their cybersecurity practices; and

•	Providing regular cybersecurity training for both our employees and our Board of Directors.

Cybersecurity Risk Management Processes Integrated [Flag]

true

Cybersecurity Risk Management Processes Integrated [Text Block]

Cybersecurity Risk Management Third Party Engaged [Flag]

true

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]

true

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]

false

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]

Ohio Valley’s systems and those of its customers and third-party service providers are under constant threat, and it is possible that Ohio Valley could experience a significant event in the future. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of Internet banking, mobile banking, and other technology-based products and services by us and our customers.

Cybersecurity Risk Board of Directors Oversight [Text Block]

The Board, through the Information Technology Steering Committee, works with senior management and other employee committees to oversee the development, implementation, maintenance, and administration of the Information Security Program, which is aligned and integrated into Ohio Valley’s overall risk management system and processes. The Information Technology Steering Committee itself is comprised of diverse directors and officers of the Bank with vast knowledge and years of banking experience. The Information Security Officer of the committee has 26 years of banking experience including 25 IT related years as well as continuing education including a BA in Management Information Systems and Network+ and A+ certifications. The purpose of the Information Security Program is to:

•	Identify and analyze cybersecurity risks;

•	Provide the Company with direction on effectively managing such risks;

•	Approve information security plans, policies, and programs;

•	Assess whether the Company’s current security programs are effective; and

•	Provide recommendations for corrective action.

The Company has also implemented an Incident Response Plan which is reviewed and updated at least annually in response to an ever-changing threat landscape. The purpose of the Incident Response Plan is to provide long-term strategies for the remediation and prevention of, and resiliency to, cybersecurity threats and incidents. Our Incident Response Plan is executed through the incident response team comprised of both cybersecurity experts and select members of management, including one or more Information Security Officers, who are responsible for monitoring potential threats and identifying events that may warrant Board notification and/or public disclosure. Additionally, our Information Security Officers are responsible for responding to security events by ordering emergency actions to protect the Company and its customers; managing negative effects on the confidentiality, integrity, and availability of information; and minimizing the disruption and degradation of critical services.

Notwithstanding the strength of Ohio Valley’s defensive measures, the threat from cyber-attacks is severe, attacks are sophisticated and increasing in volume, and attackers respond rapidly to changes in defensive measures. While to date, Ohio Valley has not detected a significant compromise, significant data loss, or any material financial losses related to cybersecurity attacks, Ohio Valley’s systems and those of its customers and third-party service providers are under constant threat, and it is possible that Ohio Valley could experience a significant event in the future. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of Internet banking, mobile banking, and other technology-based products and services by us and our customers.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

Cybersecurity Risk Role of Management [Text Block]

Cybersecurity Risk Management Positions or Committees Responsible [Flag]

true

Cybersecurity Risk Management Positions or Committees Responsible [Text Block]

Our Incident Response Plan is executed through the incident response team comprised of both cybersecurity experts and select members of management, including one or more Information Security Officers, who are responsible for monitoring potential threats and identifying events that may warrant Board notification and/or public disclosure.

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

The Information Security Officer of the committee has 26 years of banking experience including 25 IT related years as well as continuing education including a BA in Management Information Systems and Network+ and A+ certifications.

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

The purpose of the Incident Response Plan is to provide long-term strategies for the remediation and prevention of, and resiliency to, cybersecurity threats and incidents. Our Incident Response Plan is executed through the incident response team comprised of both cybersecurity experts and select members of management, including one or more Information Security Officers, who are responsible for monitoring potential threats and identifying events that may warrant Board notification and/or public disclosure. Additionally, our Information Security Officers are responsible for responding to security events by ordering emergency actions to protect the Company and its customers; managing negative effects on the confidentiality, integrity, and availability of information; and minimizing the disruption and degradation of critical services.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]

true