Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Information Security Program

 

The Company's program aims to identify, protect, detect, respond, and recover from cyber threats, striving to prevent cybersecurity incidents to the extent feasible. Simultaneously, it enhances our resilience to minimize the impact of a cybersecurity event. The program is designed to be agile, proactive, and responsive to changes in the evolving threat landscape. It employs a layered cybersecurity approach, encompassing the following key elements:

 

 

- A Security Incident Response Plan (SIRP) detailing procedures and protocols to respond effectively and efficiently to cybersecurity events.
- A user awareness program featuring regular social engineering testing and training to keep our employees informed about cybersecurity best practices, potential threats, and effective responses to mitigate risks.
- A continuous vulnerability management program designed to validate the efficacy of our patch management strategy. It prioritizes the remediation of vulnerabilities posing risks to the organization, our customers, and partners.
- Protective technical security controls, reducing the likelihood of a cybersecurity incident.
- Detection, response, and recovery capabilities, mitigating the impact of cybersecurity incidents.
- A vendor management program, designed to manage and mitigate risks associated with leveraging suppliers and third-party service providers.
- Third-party penetration testing and internal and external vulnerability assessments, validating the effectiveness of our security controls.
- IT controls audits conducted by both internal and external auditors to ensure compliance with regulatory requirements, as well as our internal corporate policies and procedures.
- Regular reporting to the Board of Directors, providing insights into our cybersecurity posture and ongoing initiatives.

 

By implementing these measures, the Company strives to maintain a strong cybersecurity posture, safeguarding the organization, customers, and partners from potential threats while ensuring compliance with industry standards and regulations.

 

Notwithstanding the Company's defensive measures and processes, the threat posed by cyber-attacks is extremely serious. The Company may not be successful in preventing or mitigating all cybersecurity incidents that could have a material adverse effect on the Company. While the Company has not, to date, detected a significant compromise, significant data loss, or any material financial loss related to cybersecurity attacks, our internal systems and those of our customers and third-party service providers are under constant threat. It is possible that the Company could experience a future significant cybersecurity event. The Company expects risks and exposures related to cybersecurity attacks to remain high for the foreseeable future. For further discussion of risks related to cybersecurity, see "Item 1A Risk Factors."
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] The Company's program aims to identify, protect, detect, respond, and recover from cyber threats, striving to prevent cybersecurity incidents to the extent feasible. Simultaneously, it enhances our resilience to minimize the impact of a cybersecurity event. The program is designed to be agile, proactive, and responsive to changes in the evolving threat landscape. It employs a layered cybersecurity approach, encompassing the following key elements:
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] Notwithstanding the Company's defensive measures and processes, the threat posed by cyber-attacks is extremely serious. The Company may not be successful in preventing or mitigating all cybersecurity incidents that could have a material adverse effect on the Company. While the Company has not, to date, detected a significant compromise, significant data loss, or any material financial loss related to cybersecurity attacks, our internal systems and those of our customers and third-party service providers are under constant threat. It is possible that the Company could experience a future significant cybersecurity event. The Company expects risks and exposures related to cybersecurity attacks to remain high for the foreseeable future. For further discussion of risks related to cybersecurity, see "Item 1A Risk Factors."
Cybersecurity Risk Board of Directors Oversight [Text Block]

ITEM 1C: CYBERSECURITY

 

Being a financial services company, the Company encounters inherent cybersecurity risks and threats, which also affect its customers, suppliers, and third-party service providers. Throughout operations, the Company handles and processes data for its customers, employees, partners, and suppliers, understanding that a cybersecurity incident impacting any of these entities could significantly impact its operations and performance. As part of the financial services sector, the Company is held to rigorous regulatory compliance standards. To effectively manage these risks and meet regulatory demands, the Company has implemented a comprehensive, risk-based information security program. This program is designed in alignment with regulatory requirements and the guiding principles of the Federal Financial Institutions Examination Council (FFIEC) handbook and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

 

Information Security Governance and Oversight

 

The Board of Directors assumes ultimate responsibility for overseeing the Company's information security program. The Company has established an Information Technology Steering Committee (ITSC), comprised of leaders from various departments across the organization, tasked with governing and overseeing the information security program. The ITSC underscores its commitment to treating cybersecurity as a business risk rather than solely a technical concern. The Chief Information Security Officer, reporting to the SVP, General Counsel, is entrusted with leading the cybersecurity risk assessment process. This includes identifying risks, assessing inherent likelihood and impact, evaluating existing mitigating controls, calculating residual risk scores, and recommending risk responses to both the ITSC and the Board of Directors.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Board of Directors assumes ultimate responsibility for overseeing the Company's information security program. The Company has established an Information Technology Steering Committee (ITSC), comprised of leaders from various departments across the organization, tasked with governing and overseeing the information security program. The ITSC underscores its commitment to treating cybersecurity as a business risk rather than solely a technical concern. The Chief Information Security Officer, reporting to the SVP, General Counsel, is entrusted with leading the cybersecurity risk assessment process. This includes identifying risks, assessing inherent likelihood and impact, evaluating existing mitigating controls, calculating residual risk scores, and recommending risk responses to both the ITSC and the Board of Directors.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true