XML 50 R34.htm IDEA: XBRL DOCUMENT v3.25.4
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Cybersecurity Risk Management and Strategy
The Company maintains an information security program (the Program) to identify, assess, and manage material risks to its business, operations, and assets related to cybersecurity threats. The Company leverages recognized security frameworks and guidelines, such as the National Institute of Standards and Technology Cybersecurity Framework and Federal Financial Institution Examination Counsel (FFIEC) guidelines, to organize, assess, and improve the Program. Key components of the Program include, among other things:
Risk-based cybersecurity controls: As part of the Program, the Company maintains numerous administrative, technical, and physical controls that are calibrated based on risk and designed to protect the confidentiality, integrity, and availability of our information systems and data stored thereon.
Cybersecurity incident response plan and testing: The Company has incident response plans that establish a structured approach for the Company’s response to cybersecurity incidents. To improve preparedness for a cybersecurity incident, we conduct tabletop exercises at least annually. These exercises are conducted by internal team members and in some instances with assistance from third-party experts.
Training and education: We include cybersecurity training as part of our annual employee training program. Additional cybersecurity and privacy education and awareness are periodically provided to employees utilizing various delivery methods such as phishing campaigns, training sessions, and informational articles.
Third-party service provider risk management: The Company’s third-party risk management program applies a risk-based approach to the assessment, onboarding, and ongoing due diligence of key third-party service providers, including the assessment and mitigation of cybersecurity-related risks.
Engagement of third-party assessors and consultants: We periodically engage third-party experts and consultants to conduct assessments and tests of our security controls, such as penetration tests and framework assessments. The Company also engages a third-party managed detection and response service provider to monitor Company systems for cybersecurity threats.
We also consider cybersecurity-related risks, along with other top risks for the Company, as part of our overall enterprise risk management (ERM) process. Cybersecurity risks are included in the risk universe that the ERM function evaluates, with input from information security subject matter experts at the Company, to assess top risks to the enterprise. The ERM process provides input into our strategic planning process, such as development of action plans to address and mitigate identified risks. In the last fiscal year, we have not identified risks from known cybersecurity threats, including as a result of previously identified cybersecurity incidents, that have materially affected the Company, including our operations, or financial condition, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material cybersecurity incidents. For more information on our cybersecurity related risks, see Item 1A Risk Factors.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] The Company maintains an information security program (the Program) to identify, assess, and manage material risks to its business, operations, and assets related to cybersecurity threats.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Our Board of Directors considers cybersecurity risk as part of its risk management oversight function and has delegated to the Audit Committee oversight of cybersecurity risks. The Audit Committee receives updates from the Executive Director Risk, Human Capital, and Operations and other Company management on cybersecurity matters at least annually. The Audit Committee reports findings and recommendations, as appropriate, to the full Board of Directors for consideration. The Audit Committee also receives information about cybersecurity risks as part of the Company’s ERM program and reporting. In addition, any cybersecurity incident assessed as being, or potentially becoming, material is escalated for further assessment and then reported to designated members of our senior management and, if necessary, the Audit Committee.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board of Directors considers cybersecurity risk as part of its risk management oversight function and has delegated to the Audit Committee oversight of cybersecurity risks.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee receives updates from the Executive Director Risk, Human Capital, and Operations and other Company management on cybersecurity matters at least annually.
Cybersecurity Risk Role of Management [Text Block]
The Company’s information security officer (ISO) leads the Company’s overall cybersecurity function and reports to our Executive Director Risk, Human Capital, and Operations, who has 23 years of experience in banking and risk management. Our ISO works with stakeholders across the Company, including with our technology group, to maintain the cybersecurity program. Our executive leadership team is actively engaged in the oversight and strategic direction of our Program and meets with the Executive Director Risk, Human Capital, and Operations to review and discuss the Company’s Program, including emerging cybersecurity risks, threats, and industry trends.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
The Company’s information security officer (ISO) leads the Company’s overall cybersecurity function and reports to our Executive Director Risk, Human Capital, and Operations, who has 23 years of experience in banking and risk management. Our ISO works with stakeholders across the Company, including with our technology group, to maintain the cybersecurity program. Our executive leadership team is actively engaged in the oversight and strategic direction of our Program and meets with the Executive Director Risk, Human Capital, and Operations to review and discuss the Company’s Program, including emerging cybersecurity risks, threats, and industry trends.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The Company’s information security officer (ISO) leads the Company’s overall cybersecurity function and reports to our Executive Director Risk, Human Capital, and Operations, who has 23 years of experience in banking and risk management.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Audit Committee reports findings and recommendations, as appropriate, to the full Board of Directors for consideration. The Audit Committee also receives information about cybersecurity risks as part of the Company’s ERM program and reporting. In addition, any cybersecurity incident assessed as being, or potentially becoming, material is escalated for further assessment and then reported to designated members of our senior management and, if necessary, the Audit Committee.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true