|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cybersecurity represents a critical component of our overall approach to risk management. Accordingly, cybersecurity risks are subject to oversight by the Company’s Board of Directors (the Board), primary responsibility for which has been delegated by the Board to its Operational Risk Committee (the Board Operational Risk Committee).
Our cybersecurity policies, processes and practices are informed by the cybersecurity framework established by the National Institute of Standards and Technology. We are able to leverage a cross-functional team that includes senior personnel from our technology, operations, legal, risk management and internal audit functions as and when warranted by the particular cybersecurity matter. In managing cybersecurity risks, we strive to: (i) identify, prevent and mitigate cybersecurity threats; (ii) preserve the confidentiality, security and availability of proprietary or confidential information; (iii) protect the Company’s intellectual property; (iv) maintain the confidence of our members, marketplace investors and business partners; and (v) provide appropriate and required disclosure of cybersecurity risks and incidents.
Risk Management and Strategy
Our processes for assessing, identifying, and managing material risks from cybersecurity threats are fully integrated into our enterprise risk management (ERM) program and include the following areas of focus:
•Systems Safeguards: Preventing and mitigating cybersecurity threats, including through the use of firewalls, intrusion prevention and detection systems, anti-malware software, access controls and other system safeguards.
•Incident Response: Identifying and responding to cybersecurity incidents in accordance with our information security incident response plan.
•Collaboration: Collaborating internally and with public and private entities, including intelligence and enforcement agencies, industry groups and third-party service providers, to identify, assess and respond to cybersecurity risks.
•Third-Party Risk Management: Maintaining a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems.
•Training: Reinforcing our information security policies, processes and practices through periodic mandatory training for Company personnel.
•Governance: Designing a comprehensive framework for the oversight of cybersecurity risk, with regular interaction between the Board Operational Risk Committee and the Company’s ERM function, our Chief Information Security Officer (CISO) and members of Company management and relevant management committees, including the Company’s Management Operational Risk Committee (the Management Operational Risk Committee).
A key part of our strategy for managing risks from cybersecurity threats is the assessment and testing of our processes and practices through auditing, assessments, tabletop exercises, threat modeling, vulnerability scanning
and other exercises focused on evaluating the effectiveness of our cybersecurity measures. We engage third parties to perform assessments on our cybersecurity measures, including information security penetration tests, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Board Operational Risk Committee and are used to adjust our cybersecurity policies, standards, processes and practices, as necessary.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Cybersecurity represents a critical component of our overall approach to risk management. Accordingly, cybersecurity risks are subject to oversight by the Company’s Board of Directors (the Board), primary responsibility for which has been delegated by the Board to its Operational Risk Committee (the Board Operational Risk Committee).
Our cybersecurity policies, processes and practices are informed by the cybersecurity framework established by the National Institute of Standards and Technology. We are able to leverage a cross-functional team that includes senior personnel from our technology, operations, legal, risk management and internal audit functions as and when warranted by the particular cybersecurity matter. In managing cybersecurity risks, we strive to: (i) identify, prevent and mitigate cybersecurity threats; (ii) preserve the confidentiality, security and availability of proprietary or confidential information; (iii) protect the Company’s intellectual property; (iv) maintain the confidence of our members, marketplace investors and business partners; and (v) provide appropriate and required disclosure of cybersecurity risks and incidents.
Risk Management and Strategy
Our processes for assessing, identifying, and managing material risks from cybersecurity threats are fully integrated into our enterprise risk management (ERM) program and include the following areas of focus:
•Systems Safeguards: Preventing and mitigating cybersecurity threats, including through the use of firewalls, intrusion prevention and detection systems, anti-malware software, access controls and other system safeguards.
•Incident Response: Identifying and responding to cybersecurity incidents in accordance with our information security incident response plan.
•Collaboration: Collaborating internally and with public and private entities, including intelligence and enforcement agencies, industry groups and third-party service providers, to identify, assess and respond to cybersecurity risks.
•Third-Party Risk Management: Maintaining a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems.
•Training: Reinforcing our information security policies, processes and practices through periodic mandatory training for Company personnel.
•Governance: Designing a comprehensive framework for the oversight of cybersecurity risk, with regular interaction between the Board Operational Risk Committee and the Company’s ERM function, our Chief Information Security Officer (CISO) and members of Company management and relevant management committees, including the Company’s Management Operational Risk Committee (the Management Operational Risk Committee).
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Board Operational Risk Committee oversees the management of risks from cybersecurity threats, including policies, processes and practices implemented by Company management to address such risks. The Board Operational Risk Committee receives presentations and reports on cybersecurity risks and information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates until such incident has been addressed. At least once each year, the Board Operational Risk Committee discusses the Company’s approach to cybersecurity risk management with our CISO. Further, the Board periodically, as warranted, receives reports with respect to and engages in discussions with Company management on cybersecurity matters.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our CISO is principally responsible for overseeing our cybersecurity risk management program, in partnership with other senior personnel across the Company.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our CISO works in coordination with the other members of the Company’s Management Operational Risk Committee, which includes our Chief Executive Officer, Chief Financial Officer, Chief Technology Officer, Chief Risk Officer and General Counsel. Our CISO has served in that role for over 5 years and in various roles in information technology and information security for over 20 years.
|Cybersecurity Risk Role of Management [Text Block]
|
Our CISO is principally responsible for overseeing our cybersecurity risk management program, in partnership with other senior personnel across the Company. Our CISO works in coordination with the other members of the Company’s Management Operational Risk Committee, which includes our Chief Executive Officer, Chief Financial Officer, Chief Technology Officer, Chief Risk Officer and General Counsel. Our CISO has served in that role for over 5 years and in various roles in information technology and information security for over 20 years. Our CISO holds an undergraduate degree in computer information systems and has attained the professional certification of Certified Information Systems Security Professional. The other members of the Management Operational Risk Committee each have relevant qualifications and over 10 years of experience managing risk in the technology and/or financial services industry.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our CISO is principally responsible for overseeing our cybersecurity risk management program, in partnership with other senior personnel across the Company. Our CISO works in coordination with the other members of the Company’s Management Operational Risk Committee, which includes our Chief Executive Officer, Chief Financial Officer, Chief Technology Officer, Chief Risk Officer and General Counsel.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO has served in that role for over 5 years and in various roles in information technology and information security for over 20 years. Our CISO holds an undergraduate degree in computer information systems and has attained the professional certification of Certified Information Systems Security Professional. The other members of the Management Operational Risk Committee each have relevant qualifications and over 10 years of experience managing risk in the technology and/or financial services industry.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our CISO is principally responsible for overseeing our cybersecurity risk management program, in partnership with other senior personnel across the Company. Our CISO works in coordination with the other members of the Company’s Management Operational Risk Committee, which includes our Chief Executive Officer, Chief Financial Officer, Chief Technology Officer, Chief Risk Officer and General Counsel. Our CISO has served in that role for over 5 years and in various roles in information technology and information security for over 20 years. Our CISO holds an undergraduate degree in computer information systems and has attained the professional certification of Certified Information Systems Security Professional. The other members of the Management Operational Risk Committee each have relevant qualifications and over 10 years of experience managing risk in the technology and/or financial services industry.Our CISO, in coordination with the Management Operational Risk Committee, works collaboratively across the Company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents. To facilitate the success of this program, cross-functional teams are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with our information security incident response plan. Our CISO, through his team and use of accompanying technology, monitors the prevention, detection, mitigation and remediation of cybersecurity incidents, and report such incidents to the Management Operational Risk Committee and/or the Board Operational Risk Committee, as and when appropriate.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef