Risk Factors Dashboard
Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.
View risk factors by ticker
Search filings by term
Risk Factors - CTBI
-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing
Item 1A.
The assessment process spans over five domains of interest : (1) cyber risk management and oversight, (2) threat intelligence and collaboration, (3) cybersecurity controls, (4) external dependencies, and (5) cyber incident management and resilience. All domains are currently assessed at an evolving maturity level which is in line with our organizations inherent risk assessment score.
The assessment process, internal tools, and corresponding SOC related services are also reviewed when new threats arise or when considering changes to the business strategy, such as expanding operations, offering new products and services, or entering into new third-party relationships that support critical activities. Consequently, management shall determine whether additional risk management practices or controls are needed to maintain or augment the institution’s cybersecurity maturity.
As of the date of this report, we are not aware of any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect CTBI. However, future incidents could have a material impact on CTBI’s business strategy, results of operations, or financial condition. However, future incidents could have a material impact on CTBI’s business strategy, results of operations, or financial condition. For additional discussion of the risks posed by cybersecurity threats, see the Operational Risks/Cyber Risks section of Item 1A. For additional discussion of the risks posed by cybersecurity threats, see the Operational Risks/Cyber Risks section of Item 1A. Risk Factors included in this Form 10-K. Risk Factors included in this Form 10-K.
Management receives information on cyber activities, incidents, and risk assessments quarterly from the VP/Corporate Information Security, Resilience and Data Officer (CISRDO), the VP/Manager Client/Server and Network Computing Systems, and the EVP/Operations during the Security and Information Security Committee and the Information Technology Steering Committee meetings. This information is also shared and discussed quarterly with the Enterprise-wide Risk Management Committee. Various key risk measures related to cyber risk are tracked and reported quarterly to the Enterprise-wide Risk Management Committee. Our VP/CISRDO has been with CTBI for seven years and has extensive 30+ years of experience in information technology management roles in various industries. Our EVP/Operations has been with CTBI for 34 years and held various information technology leadership roles. Our VP/Manager Client/Server and Network Computing Systems has been with the company for 23 years and has over 36 years of experience in information technology. He is primarily responsible for the technical defense and response to cybersecurity threats for CTBI.
The Board of Directors monitors cyber risk through quarterly reports from the Board’s Risk and Compliance Committee. This Board committee meets quarterly and receives information concerning cyber risk activities, including cyber risk assessments and incident reporting. The Board also receives an annual report covering cyber risk from the Chief Information Technology Officer. Controls over cyber risk are reviewed throughout the year by internal audit activities and third-party assessments whose reports are reviewed by the Board’s Audit Committee. Controls over cyber risk are reviewed throughout the year by internal audit activities and third-party assessments whose reports are reviewed by the Board’s Audit Committee.
Risk Factors
An investment in our common stock is subject to risks inherent to our business. The material risks and uncertainties that management believes affect us are described below. Before making an investment decision, you should carefully consider the risks and uncertainties described below, together with all of the other information included or incorporated by reference herein. Before making an investment decision, you should carefully consider the risks and uncertainties described below, together with all of the other information included or incorporated by reference herein. The risks and uncertainties described below are not the only ones facing us. Additional risks and uncertainties that management is not aware of or focused on or that management currently deems immaterial may also impair our business operations. This report is qualified in its entirety by these risk factors. See also, “Cautionary Statement Regarding Forward-Looking Statements.” If any of the following risks actually occur, our financial condition and results of operations could be materially and adversely affected. If this were to happen, the value of our common stock could decline significantly, and you could lose all or part of your investment. If this were to happen, the value of our common stock could decline significantly, and you could lose all or part of your investment.
Economic Environment Risks
Economic Risk
CTBI may continue to be adversely affected by economic and market conditions.
Our financial performance generally, and in particular the ability of borrowers to pay interest on and repay principal of outstanding loans and the value of collateral securing those loans, as well as demand for loans and other products and services we offer, is highly dependent upon the business environment in the markets where we operate, in the states of Kentucky, West Virginia, and Tennessee and in the United States as a whole. A favorable business environment is generally characterized by, among other factors, economic growth, efficient capital markets, low inflation, low unemployment, high business and investor confidence, and strong business earnings. A favorable business environment is generally characterized by, among other factors, economic growth, efficient capital markets, low inflation, low unemployment, high business and investor confidence, and strong business earnings. Unfavorable or uncertain economic and market conditions can be caused by declines in economic growth, business activity, or investor or business confidence; limitations on the availability or increases in the cost of credit and capital; increases in inflation or interest rates; high unemployment; natural disasters; or a combination of these or other factors. Unfavorable or uncertain economic and market conditions can be caused by declines in economic growth, business activity, or investor or business confidence; limitations on the availability or increases in the cost of credit and capital; increases in inflation or interest rates; high unemployment; natural disasters; or a combination of these or other factors. Such conditions could adversely affect the credit quality of our loans and our business, financial condition, and results of operations.
Economy of Our Markets
Our business may continue to be adversely affected by ongoing weaknesses in the local economies on which we depend.
Our loan portfolio is concentrated primarily in eastern, northeastern, central, and south central Kentucky, southern West Virginia, and northeastern Tennessee. Our profits depend on providing products and services to clients in these local regions. Our profits depend on providing products and services to clients in these local regions. Although unemployment rates in many of our markets have decreased, they remain above the national average. Increases in unemployment, decreases in real estate values, or increases in interest rates could weaken the local economies in which we operate. These economic indicators typically affect certain industries, such as real estate and financial services, more significantly. Also, our growth within certain of our markets may be adversely affected by inconsistent access to high speed internet and the lack of population and business growth in such markets in recent years. Also, our growth within certain of our markets may be adversely affected by inconsistent access to high speed internet and the lack of population and business growth in such markets in recent years. Weakness in our market area could depress our earnings and consequently our financial condition because:
| • | Clients may not want, need, or qualify for our products and services; |
| • | Borrowers may not be able to repay their loans; |
| • | The value of the collateral securing our loans to borrowers may decline; and |
| • | The quality of our loan portfolio may decline. |
Climate Change Risk
Our business may be adversely impacted by climate change and related initiatives.
Climate change and other emissions-related laws, regulations, and agreements have been proposed and, in some cases adopted, on the international, federal, state, and local levels. These final and proposed initiatives take the form of restrictions, caps, taxes, or other controls on emissions. These final and proposed initiatives take the form of restrictions, caps, taxes, or other controls on emissions. Our markets include areas where the coal industry was historically a significant part of the local economy. The importance of the coal industry to such areas has, however, continued to decline substantially and the economies of our markets have become more diversified. The importance of the coal industry to such areas has, however, continued to decline substantially and the economies of our markets have become more diversified. Nevertheless, to the extent that existing or new climate change laws, regulations, or agreements further impact production, purchase, or use of coal, the economies of certain areas within our markets, the demand for financing, the value of collateral securing our coal-related loans, and our financial condition and results of operations may be adversely affected. Nevertheless, to the extent that existing or new climate change laws, regulations, or agreements further impact production, purchase, or use of coal, the economies of certain areas within our markets, the demand for financing, the value of collateral securing our coal-related loans, and our financial condition and results of operations may be adversely affected.
We, like all businesses, as well as our market areas, borrowers, and customers, may be adversely impacted to the extent that weather-related events cause damage or disruption to properties or businesses.
Risk from Infectious Disease Outbreaks
Our business, results of operations, and financial condition may be adversely affected by epidemics, pandemics, or other infectious disease outbreaks.
We may face risks related to epidemics, pandemics or other infectious disease outbreaks, which could result in a widespread health crisis that adversely affects general commercial activity, the global economy (including the states and local economies in which we operate), and financial markets.
Epidemics, pandemics, or infectious disease outbreaks, may result in us having to close certain offices and may require us to limit how customers conduct business through our branch network. If our employees are required to work remotely, we may be exposed to increased cybersecurity risks such as phishing, malware, and other cybersecurity attacks, all of which could expose us to liability and could seriously disrupt our business operations. If our employees are required to work remotely, we may be exposed to increased cybersecurity risks such as phishing, malware, and other cybersecurity attacks, all of which could expose us to liability and could seriously disrupt our business operations. Furthermore, our business operations may be disrupted due to vendors and third-party service providers being unable to work or provide services effectively during such a health crisis, including because of illness, quarantines, or other government actions.
In addition, an epidemic, a pandemic, or another infectious disease outbreak could significantly impact households and businesses, or cause limitations on commercial activity, increased unemployment, and general economic and financial instability. An economic slow-down, or the reversal of an economic recovery, in the regions in which we conduct our business could result in declines in loan demand and collateral values. An economic slow-down, or the reversal of the economic recovery, in the regions in which we conduct our business could result in declines in loan demand and collateral values. Furthermore, negative impacts on our customers caused by such a health crisis could result in increased risk of delinquencies, defaults, foreclosures, and losses on our loans. Furthermore, negative impacts on our customers caused by such a health crisis, including the resurgence of COVID-19, could result in increased risk of delinquencies, defaults, foreclosures, and losses on our loans. Moreover, governmental and regulatory actions taken in response to an epidemic, a pandemic, or another infectious disease outbreak may include decreased interest rates, which could adversely impact our interest margins and may lead to decreases in our net interest income. Moreover, governmental and regulatory actions taken in response to an epidemic, a pandemic, or another infectious disease outbreak may include decreased interest rates, which could adversely impact our interest margins and may lead to decreases in our net interest income.
The extent to which a widespread health crisis may impact our business, results of operations, and financial condition, as well as its regulatory capital and liquidity ratios, will depend on future developments, which are highly uncertain and are difficult to predict, including, but not limited to, the duration and severity of the crisis, the potential for seasonal or other resurgences, actions taken by governmental authorities and other third parties to contain and treat such an epidemic, a pandemic, or another infectious disease outbreak, and how quickly and to what extent normal economic and operating conditions can resume. Moreover, the effects of a widespread health crisis may heighten many of the other risks described in this “Risk Factors” section. Moreover, the effects of a widespread health crisis may heighten many of the other risks described in this “Risk Factors” section. As a result, the negative effects on our business, results of operations, and financial condition from an epidemic, a pandemic, or another infectious disease outbreak could be material. As a result, the negative effects on our business, results of operations, and financial condition from an epidemic, a pandemic, or another infectious disease outbreak, including the resurgence of the COVID-19 pandemic, could be material.
Operational Risks
Interest Rate Risk
Changes in interest rates could adversely affect our earnings and financial condition.
Our earnings and financial condition are dependent to a large degree upon net interest income, which is the difference between interest earned from loans and investments and interest paid on deposits and borrowings. The narrowing of interest-rate spreads, meaning the difference between the interest rates earned on loans and investments and the interest rates paid on deposits and borrowings, could adversely affect our earnings and financial condition. Interest rates are highly sensitive to many factors, including:
| • | The rate of inflation; |
| • | The rate of economic growth; |
| • | Employment levels; |
| • | Monetary policies; and |
| • | Instability in domestic and foreign financial markets. |
Changes in market interest rates will also affect the level of voluntary prepayments on our loans and the receipt of payments on our mortgage-backed securities resulting in the receipt of proceeds that may be reinvested at a lower rate than the loan or mortgage-backed security being prepaid.
We originate residential loans for sale and for our portfolio. The origination of loans for sale is designed to meet client financing needs and earn fee income. The origination of loans for sale is highly dependent upon the local real estate market and the level and trend of interest rates. The origination of loans for sale is highly dependent upon the local real estate market and the level and trend of interest rates. Increasing interest rates may reduce the origination of loans for sale and consequently the fee income we earn. While our commercial banking, construction, and income property loan portfolios remain a significant portion of our activities, high interest rates may reduce our mortgage-banking activities and thereby our income. While our commercial banking, construction, and income property loan portfolios remain a significant portion of our activities, high interest rates may reduce our mortgage-banking activities and thereby our income. In contrast, decreasing interest rates have the effect of causing clients to refinance mortgage loans faster than anticipated. In contrast, decreasing interest rates have the effect of causing clients to refinance mortgage loans faster than anticipated. This causes the value of assets related to the servicing rights on loans sold to be lower than originally anticipated. If this happens, we may need to write down our servicing assets faster, which would accelerate our expense and lower our earnings. If this happens, we may need to write down our servicing assets faster, which would accelerate our expense and lower our earnings.
We consider interest rate risk one of our most significant market risks. Interest rate risk is the exposure to adverse changes in net interest income due to changes in interest rates. Consistency of our net interest revenue is largely dependent upon the effective management of interest rate risk. Consistency of our net interest revenue is largely dependent upon the effective management of interest rate risk. We employ a variety of measurement techniques to identify and manage our interest rate risk, including the use of an earnings simulation model to analyze net interest income sensitivity to changing interest rates. The model is based on actual cash flows and repricing characteristics for on and off-balance sheet instruments and incorporates market-based assumptions regarding the effect of changing interest rates on the prepayment rates of certain financial assets and liabilities. Assumptions based on the historical behavior of deposit rates and balances in relation to changes in interest rates are also incorporated into the model. These assumptions are inherently uncertain, and as a result, the model cannot precisely measure net interest income or precisely predict the impact of fluctuations in interest rates on net interest income. Actual results will differ from simulated results due to timing, magnitude, and frequency of interest rate changes as well as changes in market conditions and management strategies. Actual results will differ from simulated results due to timing, magnitude, and frequency of interest rate changes as well as changes in market conditions and management strategies.
Credit Risk
Our earnings and reputation may be adversely affected if we fail to effectively manage our credit risk.
Originating and underwriting loans are integral to the success of our business. This business requires us to take “credit risk,” which is the risk of losing principal and interest income because borrowers fail to repay loans. Collateral values and the ability of borrowers to repay their loans may be affected at any time by factors such as:
| • | The length and severity of downturns in the local economies in which we operate or the national economy; |
| • | The length and severity of downturns in one or more of the business sectors in which our customers operate, particularly the automobile, hotel/motel, and residential development industries; or |
| • | A rapid increase in interest rates. |
Our loan portfolio includes loans with a higher risk of loss.
We originate commercial real estate residential loans, commercial real estate nonresidential loans, hotel/motel loans, other commercial loans, consumer loans, and residential mortgage loans, primarily within our market area. Commercial real estate residential, commercial real estate nonresidential, hotel/motel, and other commercial loans tend to involve larger loan balances to a single borrower or groups of related borrowers and are most susceptible to a risk of loss during a downturn in the business cycle. These loans also have historically had a greater credit risk than other loans for the following reasons:
| • | Commercial Real Estate Residential. Repayment is dependent on income being generated in amounts sufficient to cover operating expenses and debt service. As of December 31, 2025, commercial real estate residential loans comprised approximately 10% of our total loan portfolio. |
| • | Commercial Real Estate Nonresidential. Repayment is dependent on income being generated in amounts sufficient to cover operating expenses and debt service. As of December 31, 2025, commercial real estate nonresidential loans comprised approximately 20% of our total loan portfolio. |
| • | Hotel/Motel. The hotel and motel industry is highly susceptible to changes in the domestic and global economic environments, which has caused the industry to experience substantial volatility due to the recent global pandemic. As of December 31, 2025, hotel/motel loans comprised approximately 10% of our total loan portfolio. |
| • | Other Commercial Loans. Repayment is generally dependent upon the successful operation of the borrower’s business. In addition, the collateral securing the loans may depreciate over time, be difficult to appraise, be illiquid, or fluctuate in value based on the success of the business. In addition, the collateral securing the loans may depreciate over time, be difficult to appraise, be illiquid, or fluctuate in value based on the success of the business. As of December 31, 2025, other commercial loans comprised approximately 9% of our total loan portfolio. |
Consumer loans may carry a higher degree of repayment risk than residential mortgage loans, particularly when the consumer loan is unsecured. Repayment of a consumer loan typically depends on the borrower’s financial stability, and it is more likely to be affected adversely by job loss, illness, or personal bankruptcy. Repayment of a consumer loan typically depends on the borrower’s financial stability, and it is more likely to be affected adversely by job loss, illness, or personal bankruptcy. In addition, federal and state bankruptcy, insolvency, and other laws may limit the amount we can recover when a consumer client defaults. As of December 31, 2025, consumer loans comprised approximately 21% of our total loan portfolio. Approximately 86% of our consumer loans and 18% of our total loan portfolio were consumer indirect loans. Consumer indirect loans are fixed rate loans secured by new and used automobiles, trucks, vans, and recreational vehicles originated at selling dealerships which are purchased by us following our review and approval of such loans. Consumer indirect loans are fixed rate loans secured by new and used automobiles, trucks, vans, and recreational vehicles originated at selling dealerships which are purchased by us following our review and approval of such loans. These loans generally have a greater risk of loss in the event of default than, for example, one-to-four family residential mortgage loans due to the rapid depreciation of vehicles securing the loans. These loans generally have a greater risk of loss in the event of default than, for example, one-to-four family residential mortgage loans due to the rapid depreciation of vehicles securing the loans. We face the risk that the collateral for a defaulted loan may not provide an adequate source of repayment of the outstanding loan balance. We face the risk that the collateral for a defaulted loan may not provide an adequate source of repayment of the outstanding loan balance. We also assume the risk that the dealership administering the lending process does not comply with applicable consumer protection law and regulations.
A significant part of our lending business is focused on small to medium-sized business which may be impacted more severely during periods of economic weakness.
A significant portion of our commercial loan portfolio is tied to small to medium-sized businesses in our markets. During periods of economic weakness, small to medium-sized businesses may be impacted more severely than larger businesses. As a result, the ability of smaller businesses to repay their loans may deteriorate, particularly if economic challenges persist over a period of time, and such deterioration would adversely impact our results of operations and financial condition.
A large percentage of our loan portfolio is secured by real estate, in particular commercial real estate. Weakness in the real estate market or other segments of our loan portfolio would lead to additional losses, which could have a material adverse effect on our business, financial condition, and results of operations. Weakness in the real estate market or other segments of our loan portfolio would lead to additional losses, which could have a material adverse effect on our business, financial condition, and results of operations.
As of December 31, 2025, approximately 70% of our loan portfolio was secured by real estate, with approximately 42% of the portfolio consisting of commercial real estate (“CRE”). High levels of commercial and consumer delinquencies or declines in real estate market values could require increased net charge-offs and increases in the allowance for credit losses, which could have a material adverse effect on our business, financial condition, and results of operations and prospects. High levels of commercial and consumer delinquencies or declines in real estate market values could require increased net charge-offs and increases in the allowance for credit losses, which could have a material adverse effect on our business, financial condition, and results of operations and prospects. CRE held by CTBI is not concentrated in office space/large metro areas and at risk of significant decrease in collateral value.
Competition
Strong competition within our market area may reduce our ability to attract and retain deposits and originate loans.
We face competition both in originating loans and in attracting deposits. Competition in the financial services industry is intense. We compete for clients by offering excellent service and competitive rates on our loans and deposit products. The type of institutions we compete with include commercial banks, savings institutions, mortgage banking firms, credit unions, finance companies, mutual funds, insurance companies, and brokerage and investment banking firms. Competition arises from institutions located within and outside our market areas. As financial services become increasingly dependent on technology, permitting transactions to be conducted by telephone, mobile banking, and the internet, non-bank institutions are able to attract funds and provide lending and other financial services without offices located in our market areas. As financial services become increasingly dependent on technology, permitting transactions to be conducted by telephone, mobile banking, and the internet, non-bank institutions are able to attract funds and provide lending and other financial services without offices located in our market areas. As a result of their size and ability to achieve economies of scale, certain of our competitors offer a broader range of products and services than we offer. As a result of their size and ability to achieve economies of scale, certain of our competitors offer a broader range of products and services than we offer. With the increased consolidation in the financial industry, larger financial institutions may strengthen their competitive positions. In addition, to stay competitive in our markets we may need to adjust the interest rates on our products to match the rates offered by our competitors, which could adversely affect our net interest margin. In addition, to stay competitive in our markets we may need to adjust the interest rates on our products to match the rates offered by our competitors, which could adversely affect our net interest margin. As a result, our profitability depends upon our continued ability to successfully compete in our market areas while achieving our investment objectives. As a result, our profitability depends upon our continued ability to successfully compete in our market areas while achieving our investment objectives.
Technology and other changes are allowing consumers to complete financial transactions through alternative methods to those which historically involved banks. For example, consumers can now hold funds that would have been held as bank deposits in mutual funds, brokerage accounts, general purpose reloadable prepaid cards, or cyber currency. For example, consumers can now hold funds that would have been held as bank deposits in mutual funds, brokerage accounts, general purpose reloadable prepaid cards, or cyber currency. In addition, consumers can complete transactions, such as paying bills or transferring funds, directly without utilizing the services of a bank. The process of eliminating banks as intermediaries (known as disintermediation) could result in the loss of fee income, as well as the loss of deposits and the income that might be generated from those deposits. The related revenue reduction could adversely affect our financial condition, cash flows, and results of operations.
Operational Risk
An extended disruption of vital infrastructure or a security breach could negatively impact our business, results of operations, and financial condition.
Our operations depend upon, among other things, our infrastructure, including equipment and facilities. Extended disruption of vital infrastructure by fire, power loss, natural disaster, telecommunications failure, computer hacking or viruses, terrorist activity or the domestic and foreign response to such activity, or other events outside of our control could have a material adverse impact on the financial services industry as a whole and on our business, results of operations, cash flows, and financial condition in particular. Extended disruption of vital infrastructure by fire, power loss, natural disaster, telecommunications failure, computer hacking or viruses, terrorist activity or the domestic and foreign response to such activity, or other events outside of our control could have a material adverse impact on the financial services industry as a whole and on our business, results of operations, cash flows, and financial condition in particular. Our business recovery plan may not work as intended or may not prevent significant interruption of our operations. The occurrence of any failures, interruptions, or security breaches of our information systems could damage our reputation, result in the loss of customer business, subject us to additional regulatory scrutiny, or expose us to civil litigation and possible financial liability, any of which could have an adverse effect on our financial condition and results of operation. The occurrence of any failures, interruptions, or security breaches of our information systems could damage our reputation, result in the loss of customer business, subject us to additional regulatory scrutiny, or expose us to civil litigation and possible financial liability, any of which could have an adverse effect on our financial condition and results of operation.
Our information technology systems and networks may experience interruptions, delays, or cessations of service or produce errors due to regular maintenance efforts, such as systems integration or migration work that takes place from time to time. We may not be successful in implementing new systems and transitioning data, which could cause business disruptions and be more expensive, time-consuming, disruptive, and resource intensive. Such disruptions could damage our reputation and otherwise adversely impact our business and results of operations. Such disruptions could damage our reputation and otherwise adversely impact our business and results of operations.
Third party vendors provide key components of our business infrastructure, such as processing, internet connections, and network access. While CTBI selected these third party vendors carefully through our vendor management process, we do not control their actions and generally are not able to obtain satisfactory indemnification provisions in our third party vendor written contracts. While CTBI selected these third party vendors carefully through our vendor management process, we do not control their actions and generally are not able to obtain satisfactory indemnification provisions in our third party vendor written contracts. Any problems caused by third parties or arising from their services, such as disruption in service, negligence in the performance of services or a breach of customer data security with regard to the third parties’ systems, could adversely affect our ability to deliver services, negatively impact our business reputation, cause a loss of customers, or result in increased expenses, regulatory fines and sanctions, or litigation. Any problems caused by third parties or arising from their services, such as disruption in service, negligence in the performance of services or a breach of customer data security with regard to the third parties’ systems, could adversely affect our ability to deliver services, negatively impact our business reputation, cause a loss of customers, or result in increased expenses, regulatory fines and sanctions, or litigation.
Claims and litigation may arise pertaining to fiduciary responsibility.
Customers may, from time to time, make a claim and take legal action pertaining to our performance of fiduciary responsibilities. Whether customer claims and legal action related to our performance of fiduciary responsibilities are founded or unfounded, if such claims and legal actions are not resolved in a manner favorable to us, they may result in significant financial liability, adversely affect the market perception of us and our products and services, and impact customer demand for those products and services. Whether customer claims and legal action related to our performance of fiduciary responsibilities are founded or unfounded, if such claims and legal actions are not resolved in a manner favorable to us, they may result in significant financial liability, adversely affect the market perception of us and our products and services, and impact customer demand for those products and services. Any such financial liability or reputational damage could have an adverse effect on our business, financial condition, and results of operations.
Significant legal actions could subject us to uninsured liabilities.
From time to time, we may be subject to claims related to our operations. These claims and legal actions, including supervisory actions by our regulators, could involve significant amounts. We maintain insurance coverage in amounts and with deductibles we believe are appropriate for our operations. We maintain insurance coverage in amounts and with deductibles we believe are appropriate for our operations. However, our insurance coverage may not cover all claims against us and related costs, and further insurance coverage may not continue to be available at a reasonable cost. As a result, CTBI could be exposed to uninsured liabilities, which could adversely affect CTBI’s business, financial condition, or results of operations.
Technology Risk
CTBI continually encounters technological change.
The financial services industry is continually undergoing rapid technological change with frequent introductions of new technology-driven products and services. The effective use of technology increases efficiency and enables financial institutions to better serve customers and to reduce costs. The effective use of technology increases efficiency and enables financial institutions to better serve customers and to reduce costs. Our future success depends, in part, upon our ability to address the needs of our customers by using technology to provide products and services that will satisfy customer demands, as well as to create additional efficiencies in our operations. Many of our competitors have substantially greater resources to invest in technological improvements. We may not be able to effectively implement new technology-driven products and services or be successful in marketing these products and services to our customers. We may not be able to effectively implement new technology-driven products and services or be successful in marketing these products and services to our customers. Failure to successfully keep pace with technological change affecting the financial services industry could have a material adverse impact on our business and, in turn, our financial condition and results of operations. Failure to successfully keep pace with technological change affecting the financial services industry could have a material adverse impact on our business and, in turn, our financial condition and results of operations.
Cyber Risk
A breach in the security of our systems could disrupt our business, result in the disclosure of confidential information, damage our reputation, and create significant financial and legal exposure for us.
Our businesses are dependent on our ability and the ability of our third party service providers to process, record, and monitor a large number of transactions. If the financial, accounting, data processing, or other operating systems and facilities fail to operate properly, become disabled, experience security breaches, or have other significant shortcomings, our results of operations could be materially adversely affected. If the financial, accounting, data processing, or other operating systems and facilities fail to operate properly, become disabled, experience security breaches, or have other significant shortcomings, our results of operations could be materially adversely affected.
Management is responsible for the day-to-day management of information security risk, while the Risk and Compliance Committee of our Board of Directors is responsible for the oversight of information security risk. The Risk and Compliance Committee has the responsibility to satisfy itself that the processes designed and implemented by management are adequate and functioning as designed. The Chairman of this Committee makes a quarterly report to the Board covering key risk areas. The Chairman of this Committee makes a quarterly report to the Board covering key risk areas. We have an annual third-party information technology review conducted by information security professionals following industry-standard testing procedures. All employees go through information security training annually, in addition to random quarterly phishing testing. All employees go through information security training annually, in addition to random quarterly phishing testing. In the event of an information security breach, we have an insurance policy in place.
Although we and our third party service providers devote significant resources to maintain and upgrade our systems and processes that are designed to protect the security of computer systems, software, networks, and other technology assets and the confidentiality, integrity, and availability of information belonging to us and our customers, there is no assurance that our security systems and those of our third party service providers will provide absolute security. Financial services institutions and companies engaged in data processing have reported breaches in the security of their websites or other systems, some of which have involved sophisticated and targeted attacks intended to obtain unauthorized access to confidential information, destroy data, disable or degrade service, or sabotage systems, often through the introduction of computer viruses or malware, cyber-attacks, and other means. Financial services institutions and companies engaged in data processing have reported breaches in the security of their websites or other systems, some of which have involved sophisticated and targeted attacks intended to obtain unauthorized access to confidential information, destroy data, disable or degrade service, or sabotage systems, often through the introduction of computer viruses or malware, cyber-attacks, and other means. Despite our efforts and those of our third party service providers to ensure the integrity of these systems, it is possible that we or our third party service providers may not be able to anticipate or to implement effective preventive measures against all security breaches of these types, especially because techniques used change frequently or are not recognized until launched, and because security attacks can originate from a wide variety of sources. Despite our efforts and those of our third party service providers to ensure the integrity of these systems, it is possible that we or our third party service providers may not be able to anticipate or to implement effective preventive measures against all security breaches of these types, especially because techniques used change frequently or are not recognized until launched, and because security attacks can originate from a wide variety of sources.
A successful breach of the security of our systems or those of our third party service providers could cause serious negative consequences to us, including significant disruption of our operations, misappropriation of our confidential information or the confidential information of our customers, or damage to our computers or operating systems, and could result in violations of applicable privacy and other laws, financial loss to us or to our customers, loss in confidence in our security measures, customer dissatisfaction, litigation exposure, and harm to our reputation, all of which could have a material adverse effect on us. While we maintain insurance coverage that should, subject to policy terms and conditions, cover certain aspects of our cyber risks, this insurance coverage may be insufficient to cover all losses we could experience resulting from a cyber-security breach. While we maintain insurance coverage that should, subject to policy terms and conditions, cover certain aspects of our cyber risks, this insurance coverage may be insufficient to cover all losses we could experience resulting from a cyber-security breach. Moreover, the cost of insurance sufficient to cover substantially all, or a reasonable portion, of losses related to cyber security breaches is expected to increase and such increases are likely to be material. Moreover, the cost of insurance sufficient to cover substantially all, or a reasonable portion, of losses related to cyber security breaches is expected to increase and such increases are likely to be material.
CTBI has not experienced any data breaches; however, one of our third party vendors did experience a data breach during 2023, as disclosed in note 19 to our consolidated financial statements in our annual report on Form 10-K for the year ended December 31, 2023. The incident did not impact the ongoing operations of CTBI, and we do not expect any significant expenses beyond what our insurance policy covers.
Banking customers and employees have been, and will likely continue to be, targeted by parties using fraudulent e-mails and other communications in attempts to misappropriate passwords, account information, or other personal information, or to introduce viruses or other malware to bank information systems or customers’ computers. Though we endeavor to lessen the success of such threats through the use of authentication technology and employee education, such cyber-attacks remain a serious issue. Publicity concerning security and cyber-related problems could inhibit the use or growth of electronic or web-based applications as a means of conducting banking and other commercial transactions.
We could incur increased costs or reductions in revenue or suffer reputational damage in the event of misuse of information.
Our operations rely on the secure processing, transmission, and storage of confidential information in our computer systems and networks regarding our customers and their accounts. To provide these products and services, we use information systems and infrastructure that we and third party service providers operate. To provide these products and services, we use information systems and infrastructure that we and third party service providers operate. As a financial institution, we also are subject to and examined for compliance with an array of data protection laws, regulations, and guidance, as well as to our own internal privacy and information security policies and programs. As a financial institution, we also are subject to and examined for compliance with an array of data protection laws, regulations, and guidance, as well as to our own internal privacy and information security policies and programs.
Information security risks for financial institutions like us have generally increased in recent years in part because of the proliferation of new technologies, the use of the Internet and telecommunications technologies to conduct financial transactions, and the increased sophistication and activities of organized crime, hackers, and other external parties. Our technologies and systems may become the target of cyber-attacks or other attacks that could result in the misuse or destruction of our or our customers’ confidential, proprietary, or other information or that could result in disruptions to the business operations of us or our customers or other third parties. Our technologies and systems may become the target of cyber-attacks or other attacks that could result in the misuse or destruction of our or our customers’ confidential, proprietary, or other information or that could result in disruptions to the business operations of us or our customers or other third parties. Also, our customers, in order to access some of our products and services, may use personal computers, smart mobile phones, tablet PCs, and other devices that are beyond our controls and security systems. Also, our customers, in order to access some of our products and services, may use personal computers, smart mobile phones, tablet PCs, and other devices that are beyond our controls and security systems. Further, a breach or attack affecting one of our third-party service providers or partners could impact us through no fault of our own. Further, a breach or attack affecting one of our third-party service providers or partners could impact us through no fault of our own. In addition, because the methods and techniques employed by perpetrators of fraud and others to attack systems and applications change frequently and often are not fully recognized or understood until after they have been launched, we and our third-party service providers and partners may be unable to anticipate certain attack methods in order to implement effective preventative measures. In addition, because the methods and techniques employed by perpetrators of fraud and others to attack systems and applications change frequently and often are not fully recognized or understood until after they have been launched, we and our third-party service providers and partners may be unable to anticipate certain attack methods in order to implement effective preventative measures.
While we have policies and procedures designed to prevent or limit the effect of the possible security breach of our information systems, if unauthorized persons were somehow to get access to confidential or proprietary information in our possession or to our proprietary information, it could result in litigation and regulatory investigations, significant legal and financial exposure, damage to our reputation, or a loss of confidence in the security of our systems that could materially adversely affect our results of operation.
Counterparty Risk
The soundness of other financial institutions could adversely affect CTBI.
Our ability to engage in routine funding transactions could be adversely affected by the actions and commercial soundness of other financial institutions. Financial services companies are interrelated as a result of trading, clearing, counterparty, or other relationships. Financial services companies are interrelated as a result of trading, clearing, counterparty, or other relationships. We have exposure to many different industries and counterparties, and we routinely execute transactions with counterparties in the financial services industry, including brokers and dealers, commercial banks, investment banks, mutual and hedge funds, and other institutional counterparties. We have exposure to many different industries and counterparties, and we routinely execute transactions with counterparties in the financial services industry, including brokers and dealers, commercial banks, investment banks, mutual and hedge funds, and other institutional counterparties. As a result, defaults by, or even rumors or questions about, one or more financial services companies, or the financial services industry generally, have led to market-wide liquidity problems and could lead to losses or defaults by us or by other institutions. As a result, defaults by, or even rumors or questions about, one or more financial services companies, or the financial services industry generally, have led to market-wide liquidity problems and could lead to losses or defaults by us or by other institutions. Many of these transactions expose us to credit risk in the event of default of our counterparty or client. In addition, our credit risk may be exacerbated when the collateral held by us cannot be realized or is liquidated at prices not sufficient to recover the full amount of the loan due us. There is no assurance that any such losses would not materially and adversely affect our businesses, financial condition, or results of operations. There is no assurance that any such losses would not materially and adversely affect our businesses, financial condition, or results of operations.
Acquisition Risks
Acquisition Risk
We may have difficulty in the future continuing to grow through acquisitions.
We may experience difficulty in making acquisitions on acceptable terms due to the decreasing number of suitable acquisition targets, competition for attractive acquisitions, regulatory impediments, and certain limitations on interstate acquisitions.
Any future acquisitions or mergers by CTBI or our banking subsidiary are subject to approval by the appropriate federal and state banking regulators. The banking regulators evaluate a number of criteria in making their approval decisions, such as:
| • | Safety and soundness guidelines; |
| • | Compliance with all laws including the USA PATRIOT Act, the International Money Laundering Abatement and Anti-Terrorist Financing Act, the Sarbanes-Oxley Act and the related rules and regulations promulgated under such Act or the Exchange Act, the Equal Credit Opportunity Act, the Fair Housing Act, the Community Reinvestment Act, the Home Mortgage Disclosure Act, and all other applicable fair lending and consumer protection laws and other laws relating to discriminatory business practices; and |
| • | Anti-competitive concerns with the proposed transaction. |
If the banking regulators or a commenter on our regulatory application raise concerns about any of these criteria at the time a regulatory application is filed, the banking regulators may deny, delay, or condition their approval of a proposed transaction. We have grown, and, subject to regulatory approval, intend to continue to grow, through acquisitions of banks and other financial institutions. After these acquisitions, we may experience adverse changes in results of operations of acquired entities, unforeseen liabilities, asset quality problems of acquired entities, loss of key personnel, loss of clients because of change of identity, difficulties in integrating data processing and operational procedures, and deterioration in local economic conditions. After these acquisitions, we may experience adverse changes in results of operations of acquired entities, unforeseen liabilities, asset quality problems of acquired entities, loss of key personnel, loss of clients because of change of identity, difficulties in integrating data processing and operational procedures, and deterioration in local economic conditions. These various acquisition risks can be heightened in larger transactions.
Integration Risk
We may not be able to achieve the expected integration and cost savings from our bank acquisition activities.
We have a long history of acquiring financial institutions and, subject to regulatory approval, we expect this acquisition activity to resume in the future. Difficulties may arise in the integration of the business and operations of the financial institutions that agree to merge with and into CTBI and, as a result, we may not be able to achieve the cost savings and synergies that we expect will result from the merger activities. Difficulties may arise in the integration of the business and operations of the financial institutions that agree to merge with and into CTBI and, as a result, we may not be able to achieve the cost savings and synergies that we expect will result from the merger activities. Achieving cost savings is dependent on consolidating certain operational and functional areas, eliminating duplicative positions and terminating certain agreements for outside services. Achieving cost savings is dependent on consolidating certain operational and functional areas, eliminating duplicative positions and terminating certain agreements for outside services. Additional operational savings are dependent upon the integration of the banking businesses of the acquired financial institution with that of CTBI, including the conversion of the acquired entity’s core operating systems, data systems, and products to those of CTBI and the standardization of business practices. Additional operational savings are dependent upon the integration of the banking businesses of the acquired financial institution with that of CTBI, including the conversion of the acquired entity’s core operating systems, data systems, and products to those of CTBI and the standardization of business practices. Complications or difficulties in the conversion of the core operating systems, data systems, and products of these other banks to those of CTBI may result in the loss of clients, damage to our reputation within the financial services industry, operational problems, one-time costs currently not anticipated by us, and/or reduced cost savings resulting from the merger activities. Complications or difficulties in the conversion of the core operating systems, data systems, and products of these other banks to those of CTBI may result in the loss of clients, damage to our reputation within the financial services industry, operational problems, one-time costs currently not anticipated by us, and/or reduced cost savings resulting from the merger activities.
Market and Liquidity Risks
Market Risk
CTBI’s stock price is volatile.
Our stock price has been volatile in the past, and several factors could cause the price to fluctuate substantially in the future. These factors include:
| • | Actual or anticipated variations in earnings; |
| • | Changes in analysts’ recommendations or projections; |
| • | CTBI’s announcements of developments related to our businesses; |
| • | Operating and stock performance of other companies deemed to be peers; |
| • | New technology used or services offered by traditional and non-traditional competitors; |
| • | News reports of trends, concerns, and other issues related to the financial services industry; and |
| • | Additional governmental policies and enforcement of current laws. |
Our stock price may fluctuate significantly in the future, and these fluctuations may be unrelated to CTBI’s performance. General market price declines or market volatility in the future could adversely affect the price of our common stock, and the current market price may not be indicative of future market prices.
Liquidity Risk
CTBI is subject to liquidity risk.
CTBI requires liquidity to meet our deposit and debt obligations as they come due and to fund loan demands. CTBI’s access to funding sources in amounts adequate to finance our activities or on terms that are acceptable to us could be impaired by factors that affect us specifically or the financial services industry or economy in general. CTBI’s access to funding sources in amounts adequate to finance our activities or on terms that are acceptable to us could be impaired by factors that affect us specifically or the financial services industry or economy in general. Factors that could reduce our access to liquidity sources include a downturn in the market, difficult credit markets, or adverse regulatory actions against CTBI. CTBI’s access to deposits may also be affected by the liquidity needs of our depositors. In particular, a substantial majority of CTBI’s liabilities are demand, savings, interest checking, and money market deposits, which are payable on demand or upon several days’ notice, while by comparison, a substantial portion of our assets are loans, which cannot be called or sold in the same time frame. In particular, a substantial majority of CTBI’s liabilities are demand, savings, interest checking, and money market deposits, which are payable on demand or upon several days’ notice, while by comparison, a substantial portion of our assets are loans, which cannot be called or sold in the same time frame. To the extent that consumer confidence in other investment vehicles, such as the stock market, increases, customers may move funds from bank deposits and products into such other investment vehicles. To the extent that consumer confidence in other investment vehicles, such as the stock market, increases, customers may move funds from bank deposits and products into such other investment vehicles. In addition, given the adoption of electronic banking, these transfers could occur more quickly than they have historically. In addition, given the adoption of electronic banking, these transfers could occur more quickly than they have historically. Although CTBI historically has been able to replace maturing deposits and advances as necessary, we might not be able to replace such funds in the future, especially if a large number of our depositors sought to withdraw their accounts, regardless of the reason. A failure to maintain adequate liquidity could have a material adverse effect on our financial condition and results of operations.
Adverse developments affecting the financial services industry, such as bank failures or concerns involving liquidity, may have a material effect on our operations.
A financial institution’s liquidity reflects its ability to meet customer demand for loans, accommodating possible outflows in deposits, and accessing alternative sources of funds when needed, while at the same time taking advantage of interest rate market opportunities. The ability to manage liquidity is fundamental to a financial institution’s business and success. Bank failures that occurred in 2023 highlighted the potential results of an insured depository institution unexpectedly having to obtain needed liquidity to satisfy deposit withdrawal requests, including how quickly such requests can accelerate once uninsured depositors lose confidence in an institutions ability to satisfy its obligations to depositors. The bank failures in March 2023 highlight the potential results of an insured depository institution unexpectedly having to obtain needed liquidity to satisfy deposit withdrawal requests, including how quickly such requests can accelerate once uninsured depositors lose confidence in an institutions ability to satisfy its obligations to depositors. Current market uncertainties and other external factors may impact the competitive landscape for deposits in the banking industry in an unpredictable manner. In addition, the rising interest rate environment has continued to increase competition for liquidity and the premium at which liquidity is available to meet funding needs. In addition, the rising interest rate environment has continued to increase competition for liquidity and the premium at which liquidity is available to meet funding needs. These possible impacts may adversely affect our future operating results, including net income, and negatively impact capital.
The recent increase in longer-term interest rates has negatively impacted the market value of our investment portfolio. We have traditionally relied upon our investment portfolio as a source of liquidity. With this reduced market value, it is more difficult to access this liquidity without an adverse impact on our capital and earnings positions.
Legal, Legislation, and Regulation Risks
Risks Related to Regulatory Policies and Oversight
The banking industry is heavily regulated, and our business may be adversely affected by legislation or changes in regulatory policies and oversight.
The earnings of banks and bank holding companies such as ours are affected by the policies of regulatory authorities, including the Federal Reserve Board, which regulates the money supply. Among the methods employed by the Federal Reserve Board are open market operations in U.S. Government securities, changes in the discount rate on member bank borrowings, and changes in reserve requirements against member bank deposits. These methods are used in varying combinations to influence overall growth and distribution of bank loans, investments, and deposits, and their use may also affect interest rates charged on loans or paid on deposits. These methods are used in varying combinations to influence overall growth and distribution of bank loans, investments, and deposits, and their use may also affect interest rates charged on loans or paid on deposits. The monetary policies of the Federal Reserve Board have had a significant effect on the operating results of commercial and savings banks in the past and are expected to continue to do so in the future. The monetary policies of the Federal Reserve Board have had a significant effect on the operating results of commercial and savings banks in the past and are expected to continue to do so in the future.
In recent years, federal banking regulators have increased regulatory scrutiny, and additional limitations on financial institutions have been proposed or adopted by regulators and by Congress. Moreover, banking regulatory agencies have increasingly over the last few years used authority under Section 5 of the Federal Trade Commission Act to take supervisory or enforcement action with respect to alleged unfair or deceptive acts or practices by banks to address practices that may not necessarily fall within the scope of a specific banking or consumer finance law. Moreover, banking regulatory agencies have increasingly over the last few years used authority under Section 5 of the Federal Trade Commission Act to take supervisory or enforcement action with respect to alleged unfair or deceptive acts or practices by banks to address practices that may not necessarily fall within the scope of a specific banking or consumer finance law. The banking industry is highly regulated and changes in federal and state banking regulations as well as policies and administration guidelines may affect our practices, growth prospects, and earnings. The banking industry is highly regulated and changes in federal and state banking regulations as well as policies and administration guidelines may affect our practices, growth prospects, and earnings. In particular, there is no assurance that governmental actions designed to stabilize the economy and banking system will not adversely affect our financial position or results of operations.
From time to time, CTBI and/or our subsidiaries may be involved in information requests, reviews, investigations, and proceedings (both formal and informal) by various governmental agencies and law enforcement authorities regarding our respective businesses. Any of these matters may result in material adverse consequences to CTBI and our subsidiaries, including adverse judgements, findings, limitations on merger and acquisition activity, settlements, fines, penalties, orders, injunctions, and other actions. Such adverse consequences may be material to the financial position of CTBI or our results of operations.
In particular, consumer products and services are subject to increasing regulatory oversight and scrutiny with respect to compliance with consumer laws and regulations. We may face a greater number or wider scope of investigations, enforcement actions, and litigation in the future related to consumer practices. We may face a greater number or wider scope of investigations, enforcement actions, and litigation in the future related to consumer practices. In addition, any required changes to our business operations resulting from these developments could result in a significant loss of revenue, require remuneration to customers, trigger fines or penalties, limit the products or services we offer, require us to increase certain prices and therefore reduce demand for our products, impose additional compliance costs on us, cause harm to our reputation, or otherwise adversely affect our consumer business. In addition, any required changes to our business operations resulting from these developments could result in a significant loss of revenue, require remuneration to customers, trigger fines or penalties, limit the products or services we offer, require us to increase certain prices and therefore reduce demand for our products, impose additional compliance costs on us, cause harm to our reputation, or otherwise adversely affect our consumer business.
The financial services industry has experienced leadership changes at federal banking agencies, which may impact regulations and government policy applicable to us. New appointments to the Board of Governors of the Federal Reserve could affect monetary policy and interest rates. New appointments to the Board of Governors of the Federal Reserve could affect monetary policy and interest rates.
We are required to maintain certain minimum amounts and types of capital and may be subject to more stringent capital requirements in the future. A failure to meet applicable capital requirements could have a material adverse effect on our financial condition and results of operations. A failure to meet applicable capital requirements could have a material adverse effect on our financial condition and results of operations.
We are subject to regulatory requirements specifying minimum amounts and types of capital that we must maintain. From time to time, banking regulators change these regulatory capital adequacy guidelines. See Item 1 above for additional information regarding current capital requirements. A failure to meet minimum capital requirements could result in certain mandatory and possible additional discretionary actions by regulators that, if undertaken, could have a material adverse effect on our financial condition and results of operations.
Environmental Liability Risk
We are subject to environmental liability risk associated with lending activity.
A significant portion of our loan portfolio is secured by real property. During the ordinary course of business, we may foreclose on and take title to properties securing loans. In doing so, there is a risk that hazardous or toxic substances could be found on these properties. In doing so, there is a risk that hazardous or toxic substances could be found on these properties. If hazardous or toxic substances are found, we may be liable for remediation costs, as well as for personal injury and property damage. Environmental laws may require us to incur substantial expenses and may materially reduce the affected property’s value or limit our ability to use or sell the affected property. Environmental laws may require us to incur substantial expenses and may materially reduce the affected property’s value or limit our ability to use or sell the affected property. In addition, future laws or more stringent interpretations or enforcement policies with respect to existing laws may increase our exposure to environmental liability. In addition, future laws or more stringent interpretations or enforcement policies with respect to existing laws may increase our exposure to environmental liability. Although we have policies and procedures to perform an environmental review before initiating any foreclosure action on real property, these reviews may not be sufficient to detect all potential environmental hazards. The remediation costs and any other financial liabilities associated with an environmental hazard could have a material adverse effect on our financial condition and results of operations.
None.
As referenced in the Operational Risks/Cyber Risks section of Item 1A. Risk Factors included in this Form 10-K, our organization may be materially affected by cybersecurity threats and incidents that target its internally managed information technology systems or our critical vendor systems.
Our institution utilizes industry standard and regulatory approved assessment tools to identify cybersecurity risks and measure preparedness. The tools provide a repeatable and measurable framework for our organization to measure its cybersecurity preparedness over time. The tools provide a repeatable and measurable framework for our organization to measure its cybersecurity preparedness over time.
Our institution has purchased and is using tools in the areas of endpoint security, Security Information Event Management (“SIEM”), Privileged Access Management (“PAM”), email and web browsing filtering and management, and user analytics. We also use a comprehensive third party 24-by-7 Security Operations Center (“SOC”) that monitors, detects, and remediates cybersecurity threats adhering to strict service response levels.
The internal assessment process and internal tools and SOC related key indicators are reported on a quarterly basis to the Security and Information Security Committee and the Enterprise-wide Risk Management Committee and annually to the Board of Directors.
Our processes for assessing, identifying, and managing material risks from cybersecurity threats have been integrated into our overall risk management processes. Our internal audit program executes a comprehensive and layered auditing approach including people, processes and technology in order to evaluate the effectiveness of existing controls and ensure that cybersecurity risk has been adequately mitigated within our institution. Periodic phishing tests, network and application security reviews, third-party vulnerability assessments and penetration testing are used to gauge the overall effectiveness of our cybersecurity defenses. The audit program and cybersecurity defense evaluations are key parts of our overall risk management processes.
Our enterprise risk management program is designed to identify, assess, and mitigate risks across various aspects of our company, including financial, operational, regulatory, reputational, and legal. Cybersecurity is a critical component of this program, given the increasing reliance on technology and potential of cyber threats. Our processes and policies related to cybersecurity are focused on: (i) developing organizational understanding to manage cybersecurity risks, (ii) applying safeguards to protect our systems, (iii) detecting the occurrence of a cybersecurity incident, (iv) responding to a cybersecurity incident, and (v) recovering from a cybersecurity incident. Where appropriate, these processes and policies are integrated into our overall enterprise risk management systems and processes. For example, all of our employees with network access are required to complete information security and privacy training on an annual basis. We are continuously working to improve our information technology systems and provide employee awareness training around phishing, malware, and other cyber risks to enhance our levels of protection.
Other aspects of our cyber and information security risk management program include:
| • | Monitoring external and internal threats and events, managing access, facilitating use of appropriate authentication options, validating controls and programs by internal teams and independent third parties and testing various compromise scenarios that are overseen by our information security team; |
| • | Investing in threat intelligence platforms and participating in financial services industry and government forums which track and report on cyber and other information security threats; |
| • | Routinely performing vulnerability tests; |
| • | Engaging independent consultants and other third-parties to assist CTBI in establishing and improving its policies; and |
| • | Conducting “tabletop” exercises at least annually to test CTBI’s processes and policies and using feedback from those exercises to further improve our processes. |
CTBI also maintains insurance coverage for cybersecurity incidents as part of its overall insurance portfolio.
In the event of a cybersecurity incident, CTBI maintains incident response plans to investigate, classify, respond to, and manage cybersecurity incidents that may compromise the availability or integrity of our information systems, network resources, or data. In accordance with the incident response plans, cross-functional management teams assess and assign a threat level to each cybersecurity incident. A cybersecurity incident (or incidents, if aggregated together) determined to be at a critical threat level is escalated to a group consisting of CTBI’s Chief Executive Officer and certain other officers, including the Chief Legal Officer, Executive Vice President/Operations, Chief Risk Officer, and Chief Financial Officer for review.
In an effort to continually share threat intelligence and increase awareness of cybersecurity threats, routine communication to employees is conducted to highlight internal control requirements, common cybersecurity threats and schemes. Our incident response team members also participate in the annual Financial Services Information Sharing and Analysis Center tabletop cybersecurity tabletop exercises. Our incident response team members also participate in the annual Financial Services Information Sharing and Analysis Center tabletop cybersecurity tabletop exercises.
Our comprehensive vendor management program and processes assess all new vendors and segments them into criticality tiers. Our most critical vendors (tiers 1 and 2) are evaluated annually based on requested vendor documents, such as Statements on Standards Attestation Engagements No. 18 (SSAE 18), financial statements, insurance, and due diligence questionnaires. The vendor management team also monitors all news alerts related to all critical vendors.
Recently Filed
Click on a ticker to see risk factors
| Ticker * | File Date |
|---|---|
| NVTS | 41 minutes ago |
| DAN | 44 minutes ago |
| FSBC | 48 minutes ago |
| CLMB | an hour ago |
| NPKI | an hour ago |
| SBGI | an hour ago |
| BXP | an hour ago |
| SHO | an hour ago |
| HFWA | an hour ago |
| SSP | an hour ago |
| FBP | an hour ago |
| WULF | an hour ago |
| GSG | an hour ago |
| SLV | an hour ago |
| IBIT | an hour ago |
| IAUM | an hour ago |
| IAU | an hour ago |
| ETHA | an hour ago |
| SOLV | an hour ago |
| NWN | 2 hours ago |
| TDC | 2 hours ago |
| SAFT | 2 hours ago |
| RPC | 2 hours ago |
| FMAO | 2 hours ago |
| HMN | 2 hours ago |
| STLD | 2 hours ago |
| UBSI | 2 hours ago |
| DKL | 2 hours ago |
| DK | 2 hours ago |
| SBAC | 2 hours ago |
| GLP | 2 hours ago |
| CCBG | 3 hours ago |
| CRI | 3 hours ago |
| SBR | 3 hours ago |
| MSIF | 3 hours ago |
| MAIN | 3 hours ago |
| FMC | 3 hours ago |
| FMBH | 3 hours ago |
| NYT | 4 hours ago |
| LASR | 4 hours ago |
| TXRH | 4 hours ago |
| DRH | 4 hours ago |
| DROR | 4 hours ago |
| ACA | 4 hours ago |
| HOMB | 5 hours ago |
| AVB | 5 hours ago |
| EPD | 5 hours ago |
| WWW | 5 hours ago |
| CHE | 6 hours ago |
| MBWM | 6 hours ago |
