UNITED STATES SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
_____________________________________________
FORM 10-K/A
(Amendment No. 1)
_____________________________________________
(Mark One)
☒ Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934
For the fiscal year ended December 31, 2023
or
☐ Transition Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934
For the transition period from _____________ to _____________.
Commission file Number 0-15536
_____________________________________________
CODORUS VALLEY BANCORP, INC.
(Exact name of registrant as specified in its charter)
Pennsylvania | 23-2428543 |
(State or other jurisdiction of incorporation or organization) | (I.R.S. Employer Identification No.) |
105 Leader Heights Road, York, Pennsylvania 17403
(Address of principal executive offices)(Zip code)
Registrant’s telephone number, including area code: (717) 747-1519
_____________________________________________
Securities registered pursuant to Section 12(b) of the Act:
Title of each class | Trading Symbol | Name of each exchange on which registered |
Common Stock, $2.50 par value | CVLY | NASDAQ Global Market |
Securities registered pursuant to Section 12(g) of the Act: None
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. ☐ Yes ☒ No
Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15 (d) of the Act. ☐ Yes ☒ No
Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. ☒ Yes ☐ No
Indicate by check mark whether the registrant has submitted electronically and posted on its corporate Web site, if any, every Interactive Data File required to be submitted and posted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit and post such files). ☒ Yes ☐ No
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company or emerging growth company. See definition of “large accelerated filer,” “accelerated filer”, “smaller reporting company” and “emerging growth company” in Rule 12b-2 of the Exchange Act.
Large accelerated filer ☐ | Accelerated filer ☐ |
Non-accelerated filer ☒ | Smaller reporting company ☒ |
| Emerging growth company ☐ |
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐
Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report. ☐
If securities are registered pursuant to Section 12(b) of the Act, indicate by check mark whether the financial statements of the registrant included in the filing reflect the correction of an error to previously issued financial statements. ☐
Indicate by check mark whether any of those error corrections are restatements that required a recovery analysis of incentive-based compensation received by any of the registrant’s executive officers during the relevant recovery period pursuant to §240.10D-1(b). ☐
Indicate by check mark whether the registrant is a shell company as defined in Rule 12b-2 of the Exchange Act. ☐ Yes ☒ No
The aggregate market value of Codorus Valley Bancorp, Inc.’s voting stock held by non-affiliates was approximately $181,853,487 as of June 30, 2023.
As of March 1, 2024, Codorus Valley Bancorp, Inc. had 9,642,669 shares of common stock outstanding, par value $2.50 per share.
Auditor Name: Crowe LLP Auditor Location: Columbus, OH Auditor Firm ID: PCAOB 173
EXPLANATORY NOTE
Codorus Valley Bancorp, Inc. (the “Corporation”) is filing this Annual Report on Form 10-K/A (the “Amendment” or “Form 10-K/A”) to correct the Annual Report on Form 10-K for the year ended December 31, 2023, as filed with the Securities and Exchange Commission (“SEC”) on March 12, 2024 (the “Original Report”). This Amendment is being filed to include (i) “Item 1.C. Cybersecurity” to Part I of the Form 10-K/A and (ii) “Exhibit 97, Compensation Recovery (Clawback) Policy” to Item 15. Exhibits to Part IV of the Form 10-K/A, which were previously omitted from the Original Report.
In addition, pursuant to Rule 12b-15 under the Securities Exchange Act of 1934, as amended, this Amendment includes new certifications of the Corporation’s principal executive officer and principal financial officer on Exhibits 31.1 and 31.2 as of the date of this Amendment. However, because no financial statements have been included in this Amendment and the Amendment does not contain or amend any disclosure with respect to Items 307 or 308 of Regulation S-K, paragraphs 3, 4 and 5 of the certifications have been omitted. We are not including the certifications under Section 906 of the Sarbanes-Oxley Act of 2002 as no financial statements are being filed with this Amendment.
This Amendment does not affect any other portion of the Original Report. Additionally, except as specifically referenced herein, this Amendment does not reflect any event after March 12, 2024, the filing date of the Original Report.
PART I
Item 1.C. Cybersecurity
Cybersecurity Governance
Cybersecurity risk is managed by the Corporation in a structure that vests primary responsibility with management, specifically, the Bank’s Information Security Officer, who reports to the Chief Risk Officer as well as to the Strategic Technology and Cybersecurity Committee, which is comprised of members of bank management, including the Bank’s Chief Executive Officer, Chief Risk Officer, Chief Financial Officer, Chief Lending Officer, Chief Administrative Officer, Network Manager, Director of Marketing and Client Experience and the General Counsel. The Bank’s Chief Information Officer and Information Security Officer are members of the Committee and also serve as Committee Chair and Vice Chair, respectively.
The Strategic Technology and Cybersecurity Committee is responsible for providing oversight and guidance regarding both information technology and cybersecurity related issues of strategic importance to the Corporation and the Bank. The Committee recognizes the importance of information technology to the financial services industry and its clients, as well as the increasing prevalence of cyber-attacks against instruments of our society and the critical importance of effective controls, as well as prevention and detection measures to mitigate the risks. The Committee met three (3) times in 2023.
Minutes of the proceedings of the Strategic Technology and Cybersecurity Committee are provided to the Board’s Risk Committee for review at its next following meeting, unless there should be an urgency to any given situation demanding immediate consultation. The Board’s Risk Committee has oversight responsibility for cybersecurity and receives reports from management on cybersecurity risk in accordance with its charter, which provides that the Committee shall review the Corporation’s cybersecurity and other information technology risks, controls and procedures, and its strategy to mitigate cybersecurity risks and potential breaches.
In addition, the Board’s Audit Committee has oversight responsibility for audits related to information technology security, including network penetration and social engineering testing.
Processes for Assessing, Identifying and Managing Cybersecurity Risks
The Corporation maintains a comprehensive approach to cybersecurity risks, deploying a multi-layered program with a focus on risk assessment and management. The aim is to identify cybersecurity risks, deploy appropriate means of preventing and/or detecting intrusions, mitigate potential harm, and remediate the effects if a breach were to occur.
Deterrence/Detection
A number of means are used to deter and detect cyber-activity as well as to detect cybersecurity vulnerabilities, including, among others, use of periodic comprehensive risk assessments; technologies and systems that monitor network activity and alert for suspicious or anomalous activity; vulnerability and patch management programs; multi-factor authentication; proactive access management; mobile device management; and annual network security penetration testing by a third-party vendor which serves as a basis for the Corporation to enhance its own capabilities with respect to the deterrence and detection of cyber-activity and detection of cybersecurity vulnerabilities.
Mitigation/Remediation
Risk mitigation and remediation are additional means of managing cybersecurity risk in the Corporation’s multi-layered approach. Security awareness training is provided to all of the Corporation’s associates throughout each year, as well as phishing exercises, which are performed on a regular schedule. In addition, the Information Security Officer organizes and conducts an annual Tabletop Cybersecurity exercise in which a mock cybersecurity incident scenario is presented to a selected group of the Corporation’s associates with the aim of providing enhanced training for relevant individuals to learn the proper actions to take in such a situation. This exercise is used to operationalize the Corporation’s Information Security Policies, Business Continuity Plan and Incident Response Plan, and to sensitize the participants to the latest cyber threat schemes and actors.
PART IV
Item 15: Exhibits and financial statement schedules
(a) Documents filed as part of this Form 10-K/A.
1. Financial Statements
The following consolidated statements of Codorus Valley Bancorp, Inc. were included in Part II, Item 8 of the Original Report:
Reports of Independent Registered Public Accounting Firm
Consolidated Balance Sheets
Consolidated Statements of Income
Consolidated Statements of Comprehensive Income
Consolidated Statements of Cash Flows
Consolidated Statements of Changes in Shareholders’ Equity
Notes to Consolidated Financial Statements
2. Financial Statement Schedules
Required financial statement schedules are omitted. This information is either not applicable, not required or is shown in the respective financial statements or in the notes thereto in the Original Report.
3. Exhibits filed as part of 10-K/A pursuant to Item 601 of Regulation S-K.
See Exhibit Index.