UNITED STATES SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
_____________________________________________
FORM
(Amendment No. 1)
_____________________________________________
(Mark One)
For the ended
or
For the transition period from _____________ to _____________.
Commission file Number
_____________________________________________
(Exact name of registrant as specified in its charter)
|
|
|
| ||
(State or other jurisdiction of incorporation or organization) |
| (I.R.S. Employer Identification No.) |
(Address of principal executive offices)(Zip code)
Registrant’s telephone number, including area code: (
_____________________________________________
Securities registered pursuant to Section 12(b) of the Act:
|
|
|
Title of each class | Trading Symbol | Name of each exchange on which registered |
Securities registered pursuant to Section 12(g) of the Act: None
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. ☐ Yes ☒
Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15 (d) of the Act. ☐ Yes ☒
Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. ☒
Indicate by check mark whether the registrant has submitted electronically and posted on its corporate Web site, if any, every Interactive Data File required to be submitted and posted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit and post such files). ☒
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company or emerging growth company. See definition of “large accelerated filer,” “accelerated filer”, “smaller reporting company” and “emerging growth company” in Rule 12b-2 of the Exchange Act.
|
|
|
| Large accelerated filer ☐ | Accelerated filer ☐ |
| Smaller reporting company | |
|
| Emerging growth company |
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐
Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report.
If securities are registered pursuant to Section 12(b) of the Act, indicate by check mark whether the financial statements of the registrant included in the filing reflect the correction of an error to previously issued financial statements.
Indicate by check mark whether any of those error corrections are restatements that required a recovery analysis of incentive-based compensation received by any of the registrant’s executive officers during the relevant recovery period pursuant to §240.10D-1(b). ☐
Indicate by check mark whether the registrant is a shell company as defined in Rule 12b-2 of the Exchange Act. ☐ Yes
The aggregate market value of Codorus Valley Bancorp, Inc.’s voting stock held by non-affiliates was approximately $
As of March 1, 2024, Codorus Valley Bancorp, Inc. had
Auditor Name:
EXPLANATORY NOTE
Codorus Valley Bancorp, Inc. (the “Corporation”) is filing this Annual Report on Form 10-K/A (the “Amendment” or “Form 10-K/A”) to correct the Annual Report on Form 10-K for the year ended December 31, 2023, as filed with the Securities and Exchange Commission (“SEC”) on March 12, 2024 (the “Original Report”). This Amendment is being filed to include (i) “Item 1.C. Cybersecurity” to Part I of the Form 10-K/A and (ii) “Exhibit 97, Compensation Recovery (Clawback) Policy)” to Item 15. Exhibits to Part IV of the Form 10-K/A, which were previously omitted from the Original Report.
In addition, pursuant to Rule 12b-15 under the Securities Exchange Act of 1934, as amended, this Amendment includes new certifications of the Corporation’s principal executive officer and principal financial officer on Exhibits 31.1 and 31.2 as of the date of this Amendment. However, because no financial statements have been included in this Amendment and the Amendment does not contain or amend any disclosure with respect to Items 307 or 308 of Regulation S-K, paragraphs 3, 4 and 5 of the certifications have been omitted. We are not including the certifications under Section 906 of the Sarbanes-Oxley Act of 2002 as no financial statements are being filed with this Amendment.
This Amendment does not affect any other portion of the Original Report. Additionally, except as specifically referenced herein, this Amendment does not reflect any event after March 12, 2024, the filing date of the Original Report.
PART I
Item 1.C. Cybersecurity
Cybersecurity Governance
Cybersecurity risk is managed by the Corporation in a structure that vests primary responsibility with management, specifically, the Bank’s Information Security Officer, who reports to the Chief Risk Officer as well as to the Strategic Technology and Cybersecurity Committee, which is comprised of members of bank management, including the Bank’s Chief Executive Officer, Chief Risk Officer, Chief Financial Officer, Chief Lending Officer, Chief Administrative Officer, Network Manager, Director of Marketing and Client Experience and the General Counsel. The Bank’s Chief Information Officer and Information Security Officer are members of the Committee and also serve as Committee Chair and Vice Chair, respectively.
The Strategic Technology and Cybersecurity Committee is responsible for providing oversight and guidance regarding both information technology and cybersecurity related issues of strategic importance to the Corporation and the Bank. The Committee recognizes the importance of information technology to the financial services industry and its clients, as well as the increasing prevalence of cyber-attacks against instruments of our society and the critical importance of effective controls, as well as prevention and detection measures to mitigate the risks. The Committee met three (3) times in 2023.
Minutes of the proceedings of the Strategic Technology and Cybersecurity Committee are provided to the Board’s Risk Committee for review at its next following meeting, unless there should be an urgency to any given situation demanding immediate consultation. The Board’s Risk Committee has oversight responsibility for cybersecurity and receives reports from management on cybersecurity risk in accordance with its charter, which provides that the Committee shall review the Corporation’s cybersecurity and other information technology risks, controls and procedures, and its strategy to mitigate cybersecurity risks and potential breaches.
In addition, the Board’s Audit Committee has oversight responsibility for audits related to information technology security, including network penetration and social engineering testing.
Processes for Assessing, Identifying and Managing Cybersecurity Risks
The Corporation maintains a comprehensive approach to cybersecurity risks, deploying a multi-layered program with a focus on risk assessment and management. The aim is to identify cybersecurity risks, deploy appropriate means of preventing and/or detecting intrusions; mitigating potential harm and remediating the effects if a breach were to occur.
Deterrence/Detection
A number of means are used to deter and detect cyber-activity as well as to detect cybersecurity vulnerabilities, including, among others, use of periodic comprehensive risk assessments; technologies and systems that monitor network activity and alert for suspicious or anomalous activity; vulnerability and patch management programs; multi-factor authentication; proactive access management; mobile device management; and annual network security penetration testing by a third-party vendor which serves as a basis for the Corporation to enhance its own capabilities with respect to the deterrence and detection of cyber-activity and detection of cybersecurity vulnerabilities.
Mitigation/Remediation
Risk mitigation and remediation are additional means of managing cybersecurity risk in the Corporation’s multi-layered approach. Security awareness training is provided to all of the Corporation’s associates throughout each year, as well as phishing exercises, which are performed on a regular schedule. In addition, the Information Security Officer organizes and conducts an annual Tabletop Cybersecurity exercise in which a mock cybersecurity incident scenario is presented to a selected group of the Corporation’s associates with the aim of providing enhanced training for relevant individuals to learn the proper actions to take in such a situation. This exercise is used to operationalize the Corporation’s Information Security Policies, Business Continuity Plan and Incident Response Plan, and to sensitize the participants to the latest cyber threat schemes and actors.
The Corporation also maintains comprehensive cyber insurance, which provides the potential for monetary recovery of certain expenses and damages incurred in connection with certain cyber breaches, as well as the services of a knowledgeable breach coach to assist the Corporation with the management and decisioning in connection with a cyber-incident, including for the hiring of expert forensic and legal assistance.
(a)Documents filed as part of this Form 10-K/A.
1.Financial Statements
The following consolidated statements of Codorus Valley Bancorp, Inc. were included in Part II, Item 8 of the Original Report:
Reports of Independent Registered Public Accounting Firm
Consolidated Balance Sheets
Consolidated Statements of Income
Consolidated Statements of Comprehensive Income
Consolidated Statements of Cash Flows
Consolidated Statements of Changes in Shareholders’ Equity
Notes to Consolidated Financial Statements
2.Financial Statement Schedules
Required financial statement schedules are omitted. This information is either not
applicable, not required or is shown in the respective financial statements or in the notes thereto in the Original Report.
3.Exhibits filed as part of 10-K/A pursuant to Item 601 of Regulation S-K.
See Exhibit Index.
Signatures
Pursuant to the requirements of Section 13 or 15(d) of the Securities Exchange Act of 1934, the Registrant has duly caused this report to be signed on its behalf by the undersigned, thereunto duly authorized.
Codorus Valley Bancorp, Inc. (Registrant)
|
|
|
|
|
|
|
| /s/ Craig L. Kauffman |
Date: March 14, 2024 |
| Craig L. Kauffman, |
|
| President and Chief Executive Officer |
Exhibit Index
|
|
|
|
|
|
|
|
Exhibit |
|
Number | Description of Exhibit |
|
|
101 | Interactive data file containing the following financial statements of Codorus Valley Bancorp, Inc. formatted in XBRL: (i) Consolidated Balance Sheets at December 31, 2023 and 2022, (ii) Consolidated Statements of Income for the years ended December 31, 2023 and 2022, (iii) Consolidated Statements of Comprehensive Income for the years ended December 31, 2023 and 2022, (iv) Consolidated Statements of Cash Flows for the years ended December 31, 2023 and 2022, (v) Consolidated Statements of Changes in Shareholders’ Equity for the years ended December 31, 2023 and 2022, and (vi) Notes to Consolidated Financial Statements – filed with Original Report. |
104 | Cover page interactive data file (formatted as inline XBRL and contained in Exhibit 101) |
| * Management contract or compensation plan or arrangement required to be filed or incorporated as an exhibit. **Portions of this exhibit which are not material have been omitted because they would likely cause competitive harm to the registrant if publicly disclosed. |