|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
The Risk Management Committee of the Board of Directors (the “Committee”) is responsible for overseeing the risks from cybersecurity threats. The Committee receives reports from, and oversees, IT Risk Assessment, Cybersecurity Risk Assessment, Annual IT Program Status Report, Vendor Management Risk Assessment, and Quarterly Internal Vulnerability Reports and current Cyber Events briefings. The Committee also makes budgeting, procedure, and policy decisions designed and intended to improve the Company’s residual risk.
The IT Steering Committee consists of the Company’s senior management, the entire IT team, and various operations personnel. The primary function of the IT Steering Committee is to perform Strategic Planning, discuss hardware and software replacement, new projects, current cybersecurity threats, and ongoing cybersecurity issues and threats. The IT manager provides an IT status report to the Risk Management Committee on a quarterly basis.
Our IT department performs annual risk assessments to evaluate the effectiveness of the controls to support the requirements under the Gramm-Leach-Bliley Act ("GLBA") and Federal Financial Institutions Examination Council ("FFIEC") Guidance on Securing Customer Information. The focus areas include:
• technology systems used for information that is collected, processed, and stored;
• assessing internal and external cybersecurity threats and vulnerabilities;
• performing regular penetration and controls testing;
• evaluation and assessment of impact should the information or systems become compromised;
• evaluation of the effectiveness of the governance structure for information security risk management.
Internal and external Penetration Testing is performed annually. Tests are conducted or reviewed by independent third parties or qualified Associates independent of those that develop or maintain the security program. Testing is performed annually by third party auditors contracted through the company's IT department. Management reviews test results promptly and ensures that appropriate steps are taken to address adverse test results. Remediation efforts are organized and made available to the Committee as well as for review by third party auditors and examiners.
The Company has adopted an Incident Response Plan (the “Plan”) to monitor, detect, mitigate and remediate cybersecurity incidents. The Plan requires all employees to have a working knowledge of the Company’s Information Security Program and Incident Response Policies. Pursuant to the Plan, the Information Technology Administrator and Senior/Compliance Management identify information owners for sensitive customer information and create an incident response team. Each Department Manager, upon notification of a potential unauthorized access, manipulation of data or theft of any item identified under GLBA Inventory and Asset Classification, is responsible for further assessing the situation in order to document the suspected or actual breach, and forward the appropriate documentation to the Information Technology Administrator. The documentation of the suspected or actual incident includes the following:
a. Identify the nature and scope of the incident.
b. Identify the information systems affected.
c. Identify the types of customer information potentially affected.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
The Risk Management Committee of the Board of Directors (the “Committee”) is responsible for overseeing the risks from cybersecurity threats. The Committee receives reports from, and oversees, IT Risk Assessment, Cybersecurity Risk Assessment, Annual IT Program Status Report, Vendor Management Risk Assessment, and Quarterly Internal Vulnerability Reports and current Cyber Events briefings. The Committee also makes budgeting, procedure, and policy decisions designed and intended to improve the Company’s residual risk.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The Risk Management Committee of the Board of Directors (the “Committee”) is responsible for overseeing the risks from cybersecurity threats.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Risk Management Committee of the Board of Directors (the “Committee”) is responsible for overseeing the risks from cybersecurity threats.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Risk Management Committee of the Board of Directors (the “Committee”) is responsible for overseeing the risks from cybersecurity threats. The Committee receives reports from, and oversees, IT Risk Assessment, Cybersecurity Risk Assessment, Annual IT Program Status Report, Vendor Management Risk Assessment, and Quarterly Internal Vulnerability Reports and current Cyber Events briefings. The Committee also makes budgeting, procedure, and policy decisions designed and intended to improve the Company’s residual risk.
|Cybersecurity Risk Role of Management [Text Block]
|
The Risk Management Committee of the Board of Directors (the “Committee”) is responsible for overseeing the risks from cybersecurity threats. The Committee receives reports from, and oversees, IT Risk Assessment, Cybersecurity Risk Assessment, Annual IT Program Status Report, Vendor Management Risk Assessment, and Quarterly Internal Vulnerability Reports and current Cyber Events briefings. The Committee also makes budgeting, procedure, and policy decisions designed and intended to improve the Company’s residual risk.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Risk Management Committee of the Board of Directors (the “Committee”) is responsible for overseeing the risks from cybersecurity threats.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The IT Steering Committee consists of the Company’s senior management, the entire IT team, and various operations personnel. The primary function of the IT Steering Committee is to perform Strategic Planning, discuss hardware and software replacement, new projects, current cybersecurity threats, and ongoing cybersecurity issues and threats.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The IT Steering Committee consists of the Company’s senior management, the entire IT team, and various operations personnel. The primary function of the IT Steering Committee is to perform Strategic Planning, discuss hardware and software replacement, new projects, current cybersecurity threats, and ongoing cybersecurity issues and threats. The IT manager provides an IT status report to the Risk Management Committee on a quarterly basis.
Our IT department performs annual risk assessments to evaluate the effectiveness of the controls to support the requirements under the Gramm-Leach-Bliley Act ("GLBA") and Federal Financial Institutions Examination Council ("FFIEC") Guidance on Securing Customer Information. The focus areas include:
• technology systems used for information that is collected, processed, and stored;
• assessing internal and external cybersecurity threats and vulnerabilities;
• performing regular penetration and controls testing;
• evaluation and assessment of impact should the information or systems become compromised;
• evaluation of the effectiveness of the governance structure for information security risk management.
Internal and external Penetration Testing is performed annually. Tests are conducted or reviewed by independent third parties or qualified Associates independent of those that develop or maintain the security program. Testing is performed annually by third party auditors contracted through the company's IT department. Management reviews test results promptly and ensures that appropriate steps are taken to address adverse test results. Remediation efforts are organized and made available to the Committee as well as for review by third party auditors and examiners.
The Company has adopted an Incident Response Plan (the “Plan”) to monitor, detect, mitigate and remediate cybersecurity incidents. The Plan requires all employees to have a working knowledge of the Company’s Information Security Program and Incident Response Policies. Pursuant to the Plan, the Information Technology Administrator and Senior/Compliance Management identify information owners for sensitive customer information and create an incident response team. Each Department Manager, upon notification of a potential unauthorized access, manipulation of data or theft of any item identified under GLBA Inventory and Asset Classification, is responsible for further assessing the situation in order to document the suspected or actual breach, and forward the appropriate documentation to the Information Technology Administrator. The documentation of the suspected or actual incident includes the following:
a. Identify the nature and scope of the incident.
b. Identify the information systems affected.
c. Identify the types of customer information potentially affected.
Once the Department Manager has determined that unauthorized access, manipulation of data or theft of any item identified under GLBA Inventory and Asset Classification has occurred, Senior Management, the Compliance Officer and the Information Technology Administrator must be contacted immediately.
If theft of any item identified under GLBA Inventory and Asset Classification has occurred, and it cannot be determined what specific information was included on the Asset, the Asset is treated as if it contained sensitive customer information and Senior Management, the Compliance Officer and the Information Technology Administrator must be contacted immediately. If the Information Technology Administrator and Senior/Compliance Management declare an incident or if there is a confirmed theft or loss of customer information, appropriate regulatory authorities, law enforcement, and legal counsel are notified.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true