|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information.
Our cybersecurity risk management program is guided by the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
Key elements of our cybersecurity risk management program include, but are not limited to, the following:
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
Key elements of our cybersecurity risk management program include, but are not limited to, the following:
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit and Risk Committee oversight of cybersecurity risks and the steps that management has taken to monitor and control exposure to such risks.
The Audit and Risk Committee receives quarterly reports from our Chief Information Security Officer (“CISO”) and our Chief Information Officer on our cybersecurity risks and meets in executive session with our CISO following such reports. In addition, management updates the Audit and Risk Committee, as necessary, regarding significant cybersecurity incidents.
The Audit and Risk Committee reports to the full Board regarding its activities, including those related to cybersecurity.
In 2024, we created a new position for a full time Chief Risk Officer. Our Chief Risk Officer has primary responsibility for our enterprise risk management program and works with our CISO in the oversight of our cybersecurity risk management program.
Our management team, including our CISO, is responsible for assessing and managing our material risks from cybersecurity threats. Our information technology risk committee is comprised of senior managers in our information technology, loan origination, loan servicing, accounting, and legal groups that meet monthly to review information security risks and the development and implementation of policies and procedures and other controls to mitigate cybersecurity and other information security risks. Our CISO provides a report to our management risk committee on the activities of the information technology risk committee, which committee, in turn, reports regularly to the full Board on its activities.
The CISO manages a team of employees, which has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained managed service providers. The CISO brings over 30 years of technology, cybersecurity, and risk management experience from the finance and healthcare industries. His work experience includes the design, implementation, and oversight of control and governance frameworks in complex, hybrid-cloud, and data intensive environments operating in highly regulated entities in the financial services and healthcare insurance industries.
Our information security management team is informed about and monitors efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public, or private sources, including managed service providers engaged by us, and alerts and reports produced by security tools deployed in our information technology environment.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Audit and Risk Committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Audit and Risk Committee receives quarterly reports from our Chief Information Security Officer (“CISO”) and our Chief Information Officer on our cybersecurity risks and meets in executive session with our CISO following such reports. In addition, management updates the Audit and Risk Committee, as necessary, regarding significant cybersecurity incidents.
The Audit and Risk Committee reports to the full Board regarding its activities, including those related to cybersecurity.
In 2024, we created a new position for a full time Chief Risk Officer. Our Chief Risk Officer has primary responsibility for our enterprise risk management program and works with our CISO in the oversight of our cybersecurity risk management program.
Our management team, including our CISO, is responsible for assessing and managing our material risks from cybersecurity threats. Our information technology risk committee is comprised of senior managers in our information technology, loan origination, loan servicing, accounting, and legal groups that meet monthly to review information security risks and the development and implementation of policies and procedures and other controls to mitigate cybersecurity and other information security risks. Our CISO provides a report to our management risk committee on the activities of the information technology risk committee, which committee, in turn, reports regularly to the full Board on its activities.
|Cybersecurity Risk Role of Management [Text Block]
|
In 2024, we created a new position for a full time Chief Risk Officer. Our Chief Risk Officer has primary responsibility for our enterprise risk management program and works with our CISO in the oversight of our cybersecurity risk management program.
Our management team, including our CISO, is responsible for assessing and managing our material risks from cybersecurity threats. Our information technology risk committee is comprised of senior managers in our information technology, loan origination, loan servicing, accounting, and legal groups that meet monthly to review information security risks and the development and implementation of policies and procedures and other controls to mitigate cybersecurity and other information security risks. Our CISO provides a report to our management risk committee on the activities of the information technology risk committee, which committee, in turn, reports regularly to the full Board on its activities.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Chief Information Security Officer (“CISO”)
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The CISO brings over 30 years of technology, cybersecurity, and risk management experience from the finance and healthcare industries. His work experience includes the design, implementation, and oversight of control and governance frameworks in complex, hybrid-cloud, and data intensive environments operating in highly regulated entities in the financial services and healthcare insurance industries.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
In 2024, we created a new position for a full time Chief Risk Officer. Our Chief Risk Officer has primary responsibility for our enterprise risk management program and works with our CISO in the oversight of our cybersecurity risk management program.
Our management team, including our CISO, is responsible for assessing and managing our material risks from cybersecurity threats. Our information technology risk committee is comprised of senior managers in our information technology, loan origination, loan servicing, accounting, and legal groups that meet monthly to review information security risks and the development and implementation of policies and procedures and other controls to mitigate cybersecurity and other information security risks. Our CISO provides a report to our management risk committee on the activities of the information technology risk committee, which committee, in turn, reports regularly to the full Board on its activities.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef