|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
OFG has a comprehensive framework in place to assess, identify and manage material risks from cybersecurity threats. Our Information Security Officer (“ISO”) is responsible for overseeing and implementing OFG’s cybersecurity risk management framework as part of our broader Information Security Program approved by our Board. Our cybersecurity risk management framework is integrated into OFG’s broader risk management system with a focus on monitoring key risk indicators within a defined risk tolerance set by our Board.
Our cybersecurity risk management framework is focused on the following key areas:
•Regular cybersecurity risk assessments;
•Design and implementation of controls to mitigate any identified cybersecurity risks;
•Continuous evaluation of the effectiveness of such controls; and
•Implementation of an incident response plan that includes procedures for responding to cybersecurity incidents.
In addition, our cybersecurity risk management framework incorporates three lines of defense, each with defined roles and responsibilities. OFG conducts an annual cybersecurity maturity assessment to (a) evaluate its cybersecurity risk management practices and (b) develop action plans for improving its cybersecurity risk management program.
The cybersecurity risk management framework also establishes standards or controls for the design of our cybersecurity infrastructure, including with respect to monitoring and preventing cybersecurity incidents, authenticating the identity of persons authorized to access critical information resources, and assessing safeguards that must be implemented by our external vendors and service providers.
OFG uses external consultants and other third-party service providers to monitor our information systems for any cyberattacks, impersonators or unauthorized releases of sensitive customer data, as well as performing investigations and penetration testing, identifying system vulnerabilities and required software patches, monitoring and managing firewalls, and advising on systems and cloud architecture. OFG also conducts due diligence of third-party software and related services and reviews cybersecurity reports from technology services providers to ensure that our cybersecurity infrastructure can respond to evolving cybersecurity risks relevant to our business.
Pursuant to our cybersecurity risk management framework, our Information Security team develops an annual information security awareness plan to educate employees as to OFG’s standards, processes and practices with respect to information security, potential cybersecurity threats and proper use of information security resources entrusted to them, with the goal of minimizing possible employee security risks. Our Information Security team engages third-party consultants to assist us in the evaluation of our cybersecurity risk management practices to identify risks, perform social engineering exercises, and provide annual cybersecurity training.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Our cybersecurity risk management framework is focused on the following key areas:
•Regular cybersecurity risk assessments;
•Design and implementation of controls to mitigate any identified cybersecurity risks;
•Continuous evaluation of the effectiveness of such controls; and
•Implementation of an incident response plan that includes procedures for responding to cybersecurity incidents.
In addition, our cybersecurity risk management framework incorporates three lines of defense, each with defined roles and responsibilities. OFG conducts an annual cybersecurity maturity assessment to (a) evaluate its cybersecurity risk management practices and (b) develop action plans for improving its cybersecurity risk management program.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board is responsible for overseeing OFG’s cybersecurity efforts and approving the Information Security Program, which sets forth OFG’s policy regarding the confidentiality, integrity and availability of its information assets. The Board’s Risk and Compliance Committee more directly oversees the implementation of the Information Security Program and receives quarterly reports on any cybersecurity risks.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board’s Risk and Compliance Committee more directly oversees the implementation of the Information Security Program and receives quarterly reports on any cybersecurity risks.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our ISO provides quarterly reports to our Executive Risk and Compliance Team, which is comprised of several executive officers of OFG. In addition, our Chief Risk Officer reports to the Board’s Risk and Compliance Committee and, when necessary, the Board.
|Cybersecurity Risk Role of Management [Text Block]
|
Our Board is responsible for overseeing OFG’s cybersecurity efforts and approving the Information Security Program, which sets forth OFG’s policy regarding the confidentiality, integrity and availability of its information assets. The Board’s Risk and Compliance Committee more directly oversees the implementation of the Information Security Program and receives quarterly reports on any cybersecurity risks.
Our ISO, under the supervision of our Chief Risk Officer, leads the development and implementation of the Information Security Program. In addition, our Information Technology Department (“IT”) also has a dedicated cybersecurity team under the supervision of our Chief Information Officer. Members of our Information Security and IT cybersecurity teams have over 50 years of combined experience in information technology systems and cybersecurity risk management and include a team member that has an ISACA Certified Information Systems Auditor certification and two team members each with a master’s degree in cybersecurity.
Our ISO provides quarterly reports to our Executive Risk and Compliance Team, which is comprised of several executive officers of OFG. In addition, our Chief Risk Officer reports to the Board’s Risk and Compliance Committee and, when necessary, the Board.
Any identified cybersecurity incidents must be reported to the ISO and the mitigation and remediation thereof is performed by the Incident Response Team, which is led by the ISO and composed of key executives, with identified call trees and key service providers to support the coordination of a rapid response.
In the last three fiscal years, OFG has not experienced any material cybersecurity incidents, and expenses incurred from any cybersecurity incidents were immaterial. For more information on the risks to the Company of future cybersecurity threats or incidents, see “Item 1A, Risk Factors — Operations and Business Risks.”
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Our ISO, under the supervision of our Chief Risk Officer, leads the development and implementation of the Information Security Program. In addition, our Information Technology Department (“IT”) also has a dedicated cybersecurity team under the supervision of our Chief Information Officer. Members of our Information Security and IT cybersecurity teams have over 50 years of combined experience in information technology systems and cybersecurity risk management and include a team member that has an ISACA Certified Information Systems Auditor certification and two team members each with a master’s degree in cybersecurity.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Members of our Information Security and IT cybersecurity teams have over 50 years of combined experience in information technology systems and cybersecurity risk management and include a team member that has an ISACA Certified Information Systems Auditor certification and two team members each with a master’s degree in cybersecurity.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Any identified cybersecurity incidents must be reported to the ISO and the mitigation and remediation thereof is performed by the Incident Response Team, which is led by the ISO and composed of key executives, with identified call trees and key service providers to support the coordination of a rapid response.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true