Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended

Dec. 31, 2025

Cybersecurity Risk Management, Strategy, and Governance [Line Items]

Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Cybersecurity Risk Management and Strategy

Cybersecurity threats have the potential to negatively impact companies of all sizes and complexities. Our normal business operations could be severely disrupted by cyberattacks, both against our own information systems as well as those hosted and managed by our third-party partners. The loss or disclosure of sensitive data as a result of cyberattacks could have a material impact on our business. For more information on how cybersecurity risk may materially affect the Company’s business strategy, results of operations or financial condition, please refer to Item 1A, Risk Factors of this Form 10-K.

We have implemented a comprehensive Information Security and Risk Management Program that is designed and maintained to be compliant with all applicable federal and state regulations, and is regularly audited by independent experts to ensure continuous effectiveness and compliance. Key elements of this program include:

● a comprehensive risk management process, integrated with the Enterprise Risk Management system, that continuously assesses, identifies, and manages current and emerging cybersecurity threats and risks, evaluates the effectiveness of information security controls, and reports the overall risk posture to Executive Management and the Board of Directors.

● assessment of daily cyber threat intelligence from multiple sources;

● the use of third-party information security services for continuous monitoring and alerting of information systems, network. and user activity;

● a Vulnerability Management Program that scans networks, devices, and information systems for known cyber vulnerabilities, and initiates processes to mitigate them;

● a third-party risk management program that evaluates and ensures our key partners adhere to the same level of information security posture as we do internally;

● Business Continuity and Incident Response plans that are designed and tested for anticipated operational failures, natural disasters, cyberattacks, and other disruptive events; and

● an Information Security Awareness program to ensure employees and customers maintain an awareness of information security threats and best practices to prevent them.

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]

The loss or disclosure of sensitive data as a result of cyberattacks could have a material impact on our business.

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]

false

Cybersecurity Risk Management Processes Integrated [Flag]

true

Cybersecurity Risk Management Processes Integrated [Text Block]

Key elements of this program include:

● a comprehensive risk management process, integrated with the Enterprise Risk Management system, that continuously assesses, identifies, and manages current and emerging cybersecurity threats and risks, evaluates the effectiveness of information security controls, and reports the overall risk posture to Executive Management and the Board of Directors.

● assessment of daily cyber threat intelligence from multiple sources;

● the use of third-party information security services for continuous monitoring and alerting of information systems, network. and user activity;

● a Vulnerability Management Program that scans networks, devices, and information systems for known cyber vulnerabilities, and initiates processes to mitigate them;

● a third-party risk management program that evaluates and ensures our key partners adhere to the same level of information security posture as we do internally;

● Business Continuity and Incident Response plans that are designed and tested for anticipated operational failures, natural disasters, cyberattacks, and other disruptive events; and

● an Information Security Awareness program to ensure employees and customers maintain an awareness of information security threats and best practices to prevent them.

Cybersecurity Risk Management Third Party Engaged [Flag]

true

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]

true

Cybersecurity Risk Board of Directors Oversight [Text Block]

Information Security Governance

The Chief Information Security Officer is primarily responsible for the Information Security and Cyber Risk Management programs, and reports to the Chief Risk Officer. The Chief Technology Officer that oversees the Information Technology Department plays a key role in cybersecurity, ensuring that information systems, networks, and endpoints are configured and operated according to the requirements of the Information Security Program and related policies and standards. Both the current Chief Information Security Officer and Chief Technology Officer have over 20 years of experience in Information Technology and Information Security.

The Information Security Committee, consisting of senior management and analysts from Information Security and Information Technology, monitors and assesses cyber threat intelligence, responds to cyber incidents at a technical level, and determines whether new controls are needed to address emerging risks or active cyber exploits. Key Risk Indicators for Information Security and Information Technology are reported to the Operations and Information Technology Steering Committees. Key risks and other relevant information are further summarized for the Board Risk and Audit Committees. The Board also receives a full report on the Information Security Program and its effectiveness annually. Other cyber related issues are brought to the attention of the Board as needed.

Cybersecurity Risk Management Positions or Committees Responsible [Flag]

true

Cybersecurity Risk Management Positions or Committees Responsible [Text Block]

The Chief Information Security Officer is primarily responsible for the Information Security and Cyber Risk Management programs, and reports to the Chief Risk Officer. The Chief Technology Officer that oversees the Information Technology Department plays a key role in cybersecurity, ensuring that information systems, networks, and endpoints are configured and operated according to the requirements of the Information Security Program and related policies and standards.

Cybersecurity Risk Role of Management [Text Block]

The Chief Information Security Officer is primarily responsible for the Information Security and Cyber Risk Management programs, and reports to the Chief Risk Officer. The Chief Technology Officer that oversees the Information Technology Department plays a key role in cybersecurity, ensuring that information systems, networks, and endpoints are configured and operated according to the requirements of the Information Security Program and related policies and standards. Both the current Chief Information Security Officer and Chief Technology Officer have over 20 years of experience in Information Technology and Information Security.

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

Both the current Chief Information Security Officer and Chief Technology Officer have over 20 years of experience in Information Technology and Information Security.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

The Information Security Committee, consisting of senior management and analysts from Information Security and Information Technology, monitors and assesses cyber threat intelligence, responds to cyber incidents at a technical level, and determines whether new controls are needed to address emerging risks or active cyber exploits. Key Risk Indicators for Information Security and Information Technology are reported to the Operations and Information Technology Steering Committees.

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

Key risks and other relevant information are further summarized for the Board Risk and Audit Committees. The Board also receives a full report on the Information Security Program and its effectiveness annually. Other cyber related issues are brought to the attention of the Board as needed.

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

The Board also receives a full report on the Information Security Program and its effectiveness annually. Other cyber related issues are brought to the attention of the Board as needed.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]

true