|
Cybersecurity Risk Management Strategy And Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management Strategy And Governance [Line Items]
|
|Cybersecurity Risk Management Processes For Assessing Identifying And Managing Threats [Text Block]
|
Cybersecurity Risk Management and Strategy
The Corporation recognizes the significance of cybersecurity in the financial industry and the potential risks associated, such as the risks arising from the loss of confidentiality, integrity, or availability of information systems.
The Corporation’s processes to identify, assess, and monitor material risks from cybersecurity threats are part of its Enterprise Risk Management (“ERM”) Program, under which the Corporation has implemented a comprehensive Corporate Information Security Program (“CISP”) managed as part of the overall information technology risk, under the direction of the Corporate Security Office (“CSO”) led by the Corporate Security Officer (“CSO Officer”), who directly reports to the Chief Operations Officer. The CSO Officer also serves as Chief Information Security Officer (“CISO”).
The CISP outlines the Corporation’s overall vision, direction, and governance to protect the confidentiality, integrity, and availability of customer information and seeks to prevent unauthorized access as required by regulatory guidelines and industry security best practices. The CISP is based on well-renowned frameworks such as the International Organizational Standard ISO 27000 series and the NIST Cybersecurity Framework. As such, it serves as a guide for the implementation of security safeguards across the Corporation and its subsidiaries.
The CISP also addresses cybersecurity breaches and procedures for appropriate response efforts, including any required notification, depending on the severity of the specific security incident. In addition, the CISP incorporates a risk-based approach to ensure that risk is treated in a consistent and effective manner and is designed to protect classified information to prevent disclosure to unauthorized individuals; prioritize the use of information security resources by concentrating on critical business applications; develop quality, cost-effective, and reliable systems; ensure the proper and secure disposal of sensitive information; and implement adequate processes to ensure compliance.
The ERM Program includes a Corporate Incident Response Program, which features a risk-based escalation process to manage corporate incidents, including cybersecurity incidents, and notify the Risk Committee of the Board of Directors and applicable stakeholders as appropriate.
The Corporation incorporates the Information Technology (“IT”) Risk Unit of the ERM Department, which comprises several members such as IT Risk Managers and the ERM Director, who is part of senior management, as well as external expertise, in the review of its processes, including an independent internal assessment of cybersecurity measures and controls.
The Corporation also invests in threat intelligence, vulnerability management, and incident response drills. Furthermore, all of the Corporation’s employees and consultants with access to the Corporation’s network are required to complete a comprehensive cybersecurity awareness program on an annual basis. Additionally, awareness and training on information technology and cybersecurity risk are provided to the Board on a regular basis.
The Corporation has a Vendor Management Program and a Third-Party Risk Management function to manage the cybersecurity risks associated with conducting business with third-party vendors, which includes the requirement for third-party vendors to implement appropriate measures to ascertain the security and confidentiality of the Corporation’s resources. The Corporation places vendors into tiers based on the inherent risk due to the nature of the relationship with that vendor to determine any additional security requirements commensurate with such level of risk.
The Corporation does not believe that risks from cybersecurity threats or attacks, including as a result of any previous cybersecurity incidents, have materially affected the Corporation’s business strategy, results of operations or financial condition as of December 31, 2024. While the Corporation continues to closely monitor cyber risk and has implemented processes that are intended to assess, identify, and manage material risks from cybersecurity threats, security controls, no matter how well designed or implemented, may only partially mitigate and not fully eliminate these risks. Events, when detected by security tools or third parties, may not always be immediately understood or acted upon. See Item 1A, “Risk Factors – Risks Relating to Cybersecurity and Technology” for more information on how cybersecurity risk could adversely affect the Corporation, which should be read in conjunction with this Item 1C.
|Cybersecurity Risk Management Processes Integrated Flag
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
The Corporation’s processes to identify, assess, and monitor material risks from cybersecurity threats are part of its Enterprise Risk Management (“ERM”) Program, under which the Corporation has implemented a comprehensive Corporate Information Security Program (“CISP”).
|Cybersecurity Risk Management Third Party Engaged Flag
|true
|Cybersecurity Risk Third Party Oversight And Identification Processes Flag
|true
|Cybersecurity Risk Materially Affected Or Reasonably Likely To Materially Affect Registrant Flag
|true
|Cybersecurity Risk Materially Affected Or Reasonably Likely To Materially Affect Registrant [Text Block]
|
The Corporation does not believe that risks from cybersecurity threats or attacks, including as a result of any previous cybersecurity incidents, have materially affected the Corporation’s business strategy, results of operations or financial condition as of December 31, 2024. While the Corporation continues to closely monitor cyber risk and has implemented processes that are intended to assess, identify, and manage material risks from cybersecurity threats, security controls, no matter how well designed or implemented, may only partially mitigate and not fully eliminate these risks. Events, when detected by security tools or third parties, may not always be immediately understood or acted upon. See Item 1A, “Risk Factors – Risks Relating to Cybersecurity and Technology” for more information on how cybersecurity risk could adversely affect the Corporation, which should be read in conjunction with this Item 1C.
|Cybersecurity Risk Board Of Directors Oversight [Text Block]
|
Responsibility for risk oversight and management generally lies with the Corporation’s Board of Directors
|Cybersecurity Risk Board Committee Or Subcommittee Responsible For Oversight [Text Block]
|
oversight of the CISP’s governance and cybersecurity risk management, the Board has delegated such responsibility to the Risk Committee.
|Cybersecurity Risk Process For Informing Board Committee Or Subcommittee Responsible For Oversight [Text Block]
|
As part of its oversight, the Risk Committee receives reports from the Executive Risk Management Committee and IT Steering Committee, which are committees at the management level, on the Corporation’s cybersecurity processes.
|Cybersecurity Risk Role Of Management [Text Block]
|
Internal Audit Department performs periodic audits of the Corporation’s information security practices and presents them to the Audit
|Cybersecurity Risk Management Positions Or Committees Responsible Flag
|true
|Cybersecurity Risk Management Positions Or Committees Responsible [Text Block]
|
provides with updated information on the matters discussed in the Risk Committee meetings as it relates to the CISP and the overall information security strategic direction and evaluates and approves (if necessary) reports presented by executive management related to the information security strategic direction of the Corporation.
|Cybersecurity Risk Management Expertise Of Management Responsible [Text Block]
|
The CSO, led by the CSO Officer, oversees the CISP, its development, and any applicable updates in response to changes in operations and other circumstances, and reports on a quarterly basis to the IT Steering Committee and to the Board’s Risk Committee. The CSO Officer, who has been in charge since 2016, has over 20 years of experience in functional expertise concerning all aspects of information security, integrity and privacy of systems, and data resources, and holds several relevant licenses and/or certifications. Also, certain topics related to information security are presented on an ad hoc basis to the Executive Risk Management Committee. The CSO provides the Board’s Risk Committee regular reports and engages in discussions on the effectiveness of the CISP, including risk mitigation strategy and progress. The Board’s Risk Committee reviews and approves the CISP annually and receives a report on the security safeguards annually.
|Cybersecurity Risk Process For Informing Management Or Committees Responsible [Text Block]
|
internal audit procedures are reported to Management and the Audit Committee.
|Cybersecurity Risk Management Positions Or Committees Responsible Report To Board Flag
|true