|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cybersecurity risk is overseen by the Board and the Bank’s multiple lines of defense, including front-line bankers, operations teams, Enterprise Risk Management (“ERM”), and internal audit. Information security risk is managed in accordance with an established ERM framework, which includes elements such as key risk indicators, enterprise standards, controls, and self-assessments that comply with established ERM policies. These elements are regularly assessed, measured, and reported to Board-level and Bank senior management-level risk committees, and those committees review such reports.
We engage multiple independent third parties and cyber experts to assess our information security programs and practices. These assessments include, but are not limited to, framework maturity assessments, blind penetration testing, technology health checks, cyber skill and staffing assessments, externally facilitated tabletop exercises, external cyber legal counsel briefings, and strategic assessments. Findings from these assessments are regularly reviewed with management and the ROC. Additionally, we participate in various cybersecurity industry forums and have access to law enforcement analysis regarding current threats.
Our supply chain risk management practices include risk assessments of suppliers, particularly regarding cybersecurity. We monitor our suppliers using commercially available services that provide real-time security scoring of supplier technology services, threat intelligence, financial intelligence, geopolitical risk intelligence, and other cybersecurity-related considerations. Regular reviews are performed to monitor changes in our suppliers’ cybersecurity risk posture. Continuous threat intelligence monitoring is also conducted to identify potential cybersecurity incidents involving third parties. We strive to negotiate appropriate cybersecurity provisions in our contracts with suppliers.
Upon the occurrence of a cybersecurity incident, whether identified internally or through third-party cybersecurity notifications, we assess the incident’s criticality and potential materiality and disclosure. This evaluation considers various factors, including service availability, operational impact, reputational consequences, regulatory and legal implications, data sensitivity, and direct financial impact. The CISO continuously monitors these criteria to determine the incident's potential impact, individually or in aggregate. We have established escalation procedures to promptly inform senior and executive management, the Board (or relevant subcommittees), and regulators, based on the incident's criticality and materiality.
At December 31, 2024, risks from cybersecurity threats, including those arising from any previous cybersecurity incidents, have not materially impacted our business strategy, results of operations, or financial condition. Management has evaluated known cybersecurity incidents for potential materiality and disclosure using formal, documented processes and has determined that there have been no material cybersecurity incidents, either individually or in aggregate. We acknowledge that future cybersecurity incidents could potentially have a material adverse effect on our organization, despite our efforts to prevent or mitigate such events.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Cybersecurity risk is overseen by the Board and the Bank’s multiple lines of defense, including front-line bankers, operations teams, Enterprise Risk Management (“ERM”), and internal audit. Information security risk is managed in accordance with an established ERM framework, which includes elements such as key risk indicators, enterprise standards, controls, and self-assessments that comply with established ERM policies. These elements are regularly assessed, measured, and reported to Board-level and Bank senior management-level risk committees, and those committees review such reports.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The ROC is responsible for reviewing reports from management related to enterprise-wide risk management efforts, including cybersecurity risks. As part of this oversight, the ROC conducts an annual review and approval of information security policies and programs, and receives regular updates on key risk indicators, threat trends, risk remediation activities, and operational events. The ROC regularly reports on this oversight, including cybersecurity, to the Board. Management employs multiple real-time and interval-based monitoring and reporting mechanisms to detect and respond to cybersecurity incidents, and may also engage third parties to assist in these efforts. Documented escalation procedures are regularly tested through tabletop exercises and other activities, including notification to executive management during qualifying cybersecurity incidents.
Management directly responsible for assessing, measuring, and managing cybersecurity risks include the Chief Information Security Officer (“CISO”) and the Chief Technology and Operations Officer (“CTOO”). The current CISO has more than 20 years of technology leadership experience, including significant direct involvement in cybersecurity efforts, and holds multiple industry certifications. The current CTOO has more than 25 years of experience in audit, risk, operations, and technology leadership, including previous roles as Chief Audit Executive and Director of Bank Operations. The CISO and CTOO regularly report cybersecurity risk information to the Board or a Board committee.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The ROC is responsible for reviewing reports from management related to enterprise-wide risk management efforts, including cybersecurity risks.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The ROC is responsible for reviewing reports from management related to enterprise-wide risk management efforts, including cybersecurity risks. As part of this oversight, the ROC conducts an annual review and approval of information security policies and programs, and receives regular updates on key risk indicators, threat trends, risk remediation activities, and operational events. The ROC regularly reports on this oversight, including cybersecurity, to the Board. Management employs multiple real-time and interval-based monitoring and reporting mechanisms to detect and respond to cybersecurity incidents, and may also engage third parties to assist in these efforts. Documented escalation procedures are regularly tested through tabletop exercises and other activities, including notification to executive management during qualifying cybersecurity incidents.
|Cybersecurity Risk Role of Management [Text Block]
|
Cybersecurity risk is overseen by the Board and the Bank’s multiple lines of defense, including front-line bankers, operations teams, Enterprise Risk Management (“ERM”), and internal audit. Information security risk is managed in accordance with an established ERM framework, which includes elements such as key risk indicators, enterprise standards, controls, and self-assessments that comply with established ERM policies. These elements are regularly assessed, measured, and reported to Board-level and Bank senior management-level risk committees, and those committees review such reports.
The ROC is responsible for reviewing reports from management related to enterprise-wide risk management efforts, including cybersecurity risks. As part of this oversight, the ROC conducts an annual review and approval of information security policies and programs, and receives regular updates on key risk indicators, threat trends, risk remediation activities, and operational events. The ROC regularly reports on this oversight, including cybersecurity, to the Board. Management employs multiple real-time and interval-based monitoring and reporting mechanisms to detect and respond to cybersecurity incidents, and may also engage third parties to assist in these efforts. Documented escalation procedures are regularly tested through tabletop exercises and other activities, including notification to executive management during qualifying cybersecurity incidents.
Management directly responsible for assessing, measuring, and managing cybersecurity risks include the Chief Information Security Officer (“CISO”) and the Chief Technology and Operations Officer (“CTOO”). The current CISO has more than 20 years of technology leadership experience, including significant direct involvement in cybersecurity efforts, and holds multiple industry certifications. The current CTOO has more than 25 years of experience in audit, risk, operations, and technology leadership, including previous roles as Chief Audit Executive and Director of Bank Operations. The CISO and CTOO regularly report cybersecurity risk information to the Board or a Board committee.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Management directly responsible for assessing, measuring, and managing cybersecurity risks include the Chief Information Security Officer (“CISO”) and the Chief Technology and Operations Officer (“CTOO”).
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The current CISO has more than 20 years of technology leadership experience, including significant direct involvement in cybersecurity efforts, and holds multiple industry certifications. The current CTOO has more than 25 years of experience in audit, risk, operations, and technology leadership, including previous roles as Chief Audit Executive and Director of Bank Operations.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The CISO and CTOO regularly report cybersecurity risk information to the Board or a Board committee.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true