UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

FORM 8‑K

CURRENT REPORT

PURSUANT TO SECTION 13 OR 15(d) OF

THE SECURITIES EXCHANGE ACT OF 1934

Date of Report (date of earliest event reported): December 21, 2018

CBTX, Inc.

(Exact name of registrant as specified in its charter)

9 Greenway Plaza, Suite 110

Houston, Texas 77046

(Address of principal executive offices)

(713) 210‑7600

(Registrant’s telephone number, including area code)

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:

☐ Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)

☐ Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)

☐ Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))

☐ Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§230.12b-2 of this chapter).

Item 7.01    Regulation FD Disclosure.

On December 21, 2018, CommunityBank of Texas, N.A. (the “Bank”), the wholly owned bank subsidiary of CBTX, Inc. (the “Company”), notified individuals that may have been affected by a security incident (the “Incident”) of the possible unauthorized access of certain personal information in the possession of the Bank.

The Company takes the privacy of personal information seriously and it took steps to address the Incident promptly after it was discovered, including initiating an internal investigation into the Incident and working with an independent forensic investigation firm to assist it in the investigation of and response to the Incident.  Based on the report of the independent forensic investigation firm, the Company believes that a phishing incident occurred where certain emails and attachments from two employee email accounts may have been accessed by an unauthorized person.  The Company believes that these email accounts contained certain personal information for approximately 7,800 individuals.  At this time, the Company expects that its out-of-pocket expenditures related to the Incident will be less than $105,000.

The information stored in the affected email accounts varies by individual, but may include first and last names, addresses, drivers’ licenses or other identification information, financial account information and Social Security numbers. The Company’s investigation has not found any evidence that this Incident involves any unauthorized access to or use of any of the Bank’s internal computer systems or network and the Company believes that access was limited to information that was contained in the email accounts of the two employees.  At this time, the Company is not aware of any fraud or misuse of information as a result of this Incident. 

The Company has also notified law enforcement of the Incident and is cooperating with their investigation of the Incident.

To help protect the identity of individuals whose data may have been disclosed, the Company is notifying such individuals directly to provide them with information and offering one year of complimentary identity protection services from a leading identity monitoring services company to such individuals.

In accordance with General Instruction B.2 of Form 8-K, the information furnished in this Item 7.01 of this Current Report on Form 8-K shall not be deemed “filed” for purposes of Section 18 of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), or otherwise subject to the liabilities of that section, nor shall it be deemed incorporated by reference in any filing under the Securities Act of 1933, as amended, or the Exchange Act, except as shall be expressly set forth by specific reference in such filing.

Forward-Looking Statements

This Current Report on Form 8‑K contains forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. All statements contained in this Current Report on Form 8‑K other than statements of historical fact, including statements regarding the Company’s current knowledge of the Incident and when the Company anticipates notifying affected users, are forward-looking statements. The words “believe,” “may,” “will,” “would,” “could,” “estimate,” “continue,” “anticipate,” “intend,” “project,” “possible,” “expect,” “plans to,” “if,” “future,” and similar expressions are intended to identify forward-looking statements. Forward-looking statements in this Form 8-K relate to, among other things, the anticipated timing and number of notifications, the Company’s anticipated security enhancements and remediation efforts and any statements relating to the impact on the Company of the Incident. We have based these forward-looking statements largely on our current expectations and projections about future events and trends that we believe may affect our financial condition, results of operations, business strategy, short-term and long-term business operations and objectives, and financial needs. These forward-looking statements are subject to a number of risks, uncertainties, and assumptions, including the impact of additional information concerning the Incident, including the scope of the unauthorized access and type of information accessed, costs related to the Incident and related ongoing investigation and any resulting liabilities, the outcome of the ongoing investigation, uncertainty regarding any future civil litigation, governmental investigations and enforcement proceedings, uncertainties regarding the scope and effectiveness of security enhancements and remediation efforts, uncertainties regarding the impact to the Company’s brands and reputation, and uncertainties regarding the impact of the Incident, notification of individuals affected by the Incident, in addition to those risks those described in Part I, Item 1A, “Risk Factors” in the Company’s Annual Report on Form 10‑K for the year ended December 31, 2017 filed with the Securities and Exchange Commission (“SEC”) on March 23, 2018 (the “Form 10‑K”) and in its quarterly

reports on Form 10-Q, current reports on Form 8-K and other filings with the SEC. Moreover, we operate in a very competitive and rapidly changing environment. New risks emerge from time to time. It is not possible for our management to predict all risks, nor can we assess the impact of all factors on our business or the extent to which any factor, or combination of factors, may cause actual results to differ materially from those contained in any forward-looking statements we may make. In light of these risks, uncertainties, and assumptions, the future events and trends discussed herein and in the Form 10‑K may not occur and actual results could differ materially and adversely from those anticipated or implied in the forward-looking statements. You should read the Form 10‑K completely and with the understanding that our actual future results may be materially different from what we expect. The Company undertakes no obligation to update any such statements to reflect circumstances or events that occur after the date on which the forward- looking statement is made, except as required by law. Given these risks and uncertainties, readers are cautioned not to place undue reliance on such forward-looking statements.  Copies of the SEC filings for the Company are available for download free of charge from www.communitybankoftx.com under the Investor Relations tab.

SIGNATURES

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned thereunto duly authorized.