|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Coastal recognizes the critical importance of identifying, assessing and managing material risks from information security threats. One key way that Coastal mitigates information security threats is through the Company’s information security program (the “Information Security Program”). Cybersecurity is an integral subset of information security and the Information Security Program is designed to protect the Company from cybersecurity attacks, breaches, incidents and resulting consequences.
As part of the Information Security Program, the Company has implemented preventative controls to minimize data loss, exposure and misuse. These controls are designed to be implemented before a threat event to avoid the likelihood and potential impact of inadvertent or intentional misuse, improper disclosure, damage or loss. In addition, the Information Security Program includes internal and external penetration testing, regular vulnerability assessments, detailed vulnerability management, data loss prevention controls, file access controls, data integrity monitoring and reporting, and threat intelligence. The Information Security Program is coordinated and primarily executed by our information security, technology, and operations personnel. The IT department is responsible for the oversight of all managed systems and implements and maintains appropriate controls to protect the confidentiality, integrity and availability of computerized data and information resources. Coastal applies a layered defense strategy for protecting information systems and customer information, including the implementation of zero-trust principles, which require authenticated, authorized, and validated users and devices to access applications and data. Security logs are correlated and monitored by an internal security team as well as an augmented third-party Security Operation Center. Network vulnerability scans are conducted daily.
Coastal engages third party auditors and consultants in connection with the Information Security Program, including conducting external penetration testing, independent audits and risk assessments. Coastal also utilizes third party service providers in the ordinary course of business to provide services to customers and partners. These third-party service providers may store or process confidential information and personally identifiable information related to our customers or on behalf of our partners to perform those services for which they were engaged. Coastal has implemented a vendor management program to help ensure third-party relationships are effectively managed. Under this program, we have established risk-focused controls and processes that are designed to monitor our vendors’ compliance with relevant laws, regulations, and industry standards, such as data privacy regulations and anti-corruption laws, as well as relevant contractual obligations.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Coastal recognizes the critical importance of identifying, assessing and managing material risks from information security threats. One key way that Coastal mitigates information security threats is through the Company’s information security program (the “Information Security Program”). Cybersecurity is an integral subset of information security and the Information Security Program is designed to protect the Company from cybersecurity attacks, breaches, incidents and resulting consequences.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Board exercises oversight over the Information Security Program and reviews and approves the Information Security Program at least annually. Cybersecurity risk management is also incorporated into Coastal’s overall enterprise risk management framework, which is updated on an annual basis and subject to oversight by the Management Risk Committee and the Board.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Board exercises oversight over the Information Security Program and reviews and approves the Information Security Program at least annually. Cybersecurity risk management is also incorporated into Coastal’s overall enterprise risk management framework, which is updated on an annual basis and subject to oversight by the Management Risk Committee and the Board.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Executive Management is responsible for managing the Information Security Program’s operations for identifying and assessing external and internal risks to the security, confidentiality, and integrity of nonpublic information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. Coastal’s Information Security Officer (“ISO”) is designated by the Board and is responsible for implementing and monitoring the Information Security Program. The ISO is a Senior Vice President and has served in such role since 2010. The ISO has over 38 years of combined financial institution experience, which includes compliance, BSA, operations, physical security and information security. The ISO provides an annual report to the Board on the overall status of the Information Security Program and information technology incidents as necessary. The SVP of Technology also has responsibility for cybersecurity matters and reports to the Management Risk Committee, which consists of members of senior management.
The Technology Subcommittee of the Management Risk Committee focuses on three pillars: Technology Strategy, InfoSec/Cyber, and Data.
|Cybersecurity Risk Role of Management [Text Block]
|
Executive Management is responsible for managing the Information Security Program’s operations for identifying and assessing external and internal risks to the security, confidentiality, and integrity of nonpublic information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. Coastal’s Information Security Officer (“ISO”) is designated by the Board and is responsible for implementing and monitoring the Information Security Program. The ISO is a Senior Vice President and has served in such role since 2010. The ISO has over 38 years of combined financial institution experience, which includes compliance, BSA, operations, physical security and information security. The ISO provides an annual report to the Board on the overall status of the Information Security Program and information technology incidents as necessary. The SVP of Technology also has responsibility for cybersecurity matters and reports to the Management Risk Committee, which consists of members of senior management.
The Technology Subcommittee of the Management Risk Committee focuses on three pillars: Technology Strategy, InfoSec/Cyber, and Data.
The Board exercises oversight over the Information Security Program and reviews and approves the Information Security Program at least annually. Cybersecurity risk management is also incorporated into Coastal’s overall enterprise risk management framework, which is updated on an annual basis and subject to oversight by the Management Risk Committee and the Board.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Coastal’s Information Security Officer (“ISO”) is designated by the Board and is responsible for implementing and monitoring the Information Security Program. The ISO is a Senior Vice President and has served in such role since 2010.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The ISO has over 38 years of combined financial institution experience, which includes compliance, BSA, operations, physical security and information security. The ISO provides an annual report to the Board on the overall status of the Information Security Program and information technology incidents as necessary. The SVP of Technology also has responsibility for cybersecurity matters and reports to the Management Risk Committee, which consists of members of senior management.
The Technology Subcommittee of the Management Risk Committee focuses on three pillars: Technology Strategy, InfoSec/Cyber, and Data.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Coastal’s Information Security Officer (“ISO”) is designated by the Board and is responsible for implementing and monitoring the Information Security Program. The ISO is a Senior Vice President and has served in such role since 2010. The ISO has over 38 years of combined financial institution experience, which includes compliance, BSA, operations, physical security and information security. The ISO provides an annual report to the Board on the overall status of the Information Security Program and information technology incidents as necessary. The SVP of Technology also has responsibility for cybersecurity matters and reports to the Management Risk Committee, which consists of members of senior management.
The Technology Subcommittee of the Management Risk Committee focuses on three pillars: Technology Strategy, InfoSec/Cyber, and Data.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true