|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cybersecurity Risk Management
The Bank maintains an Information Security and Cybersecurity Program to support the management of cybersecurity risk as a component of the Bank’s Enterprise Risk Management (“ERM”) framework. The information security and cybersecurity program is designed to manage risks relating to cybersecurity threats and leverages controls, best practices recommendations, and standards from the Federal Financial Institutions Examination Council (“FFIEC”) and the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, and standards set by relevant legal and regulatory authorities.
The Information Security Officer (“ISO”) oversees the Bank's Information Security and Cybersecurity Program and leads the Information Security team. Reporting to the Chief Risk Officer (“CRO”) and Chief Information Officer (“CIO”), the ISO and his team are responsible for identifying, assessing and managing information security and cybersecurity risks, and for implementing and maintaining controls to prevent, detect and respond to cybersecurity threats and incidents, safeguarding the confidentiality, integrity and availability of the Bank's information systems and data.
As part of the Information Security and Cybersecurity Program, the Bank conducts periodic employee training to educate employees on information and cybersecurity risks and to reinforce security management practices and compliance with the Bank's security policies and standards. Training is mandatory for all employees and is supplemented by testing initiatives, including periodic phishing tests.
The Bank's policies and procedures concerning cybersecurity matters include processes to safeguard its information systems, monitor these systems, protect the confidentiality and integrity of its data, detect intrusions into its systems, and respond to cybersecurity incidents. Extensive technical controls are in place for identifying and managing cybersecurity risks and safeguarding Bank information systems and information. The Bank uses sophisticated industry-recognized monitoring and threat detection technologies that continuously monitor its information systems and provide threat detection alerts. The Bank’s strategy for assessing, identifying, and managing cybersecurity risks and for evaluating the effectiveness of its cybersecurity program includes periodic risk assessments and testing of its systems, processes and procedures through audits, penetration testing, vulnerability scans, tabletop exercises, and other related exercises.
The Bank has an incident response program designed to enable the Bank to respond to cybersecurity incidents, coordinate as appropriate with law enforcement and other government agencies, notify clients and customers, as applicable, and recover from such incidents. In addition, the Bank actively partners with appropriate government and law enforcement agencies and peer industry forums to participate in threat intelligence discussions and simulations to assist with understanding the full spectrum of cybersecurity risks and enhancing defenses and improving resiliency in the Bank’s operating environment.
The Bank engages third parties on a regular basis to assess, test, audit or assist with the implementation of risk management strategies, policies, and procedures to enhance the detection and management of cybersecurity risks. Cybersecurity risk management strategies include, but are not limited to: consultants who assist with assessing risks, assessing systems alignment with NIST Cybersecurity Framework, and FFIEC, penetration testing, tabletop exercises and other regulatory agency requirements.
The Bank maintains a process to evaluate and manage risks associated with third-party service providers. We conduct a full vendor due diligence review before engagement, review specific security measures in our contracts, and maintain continued monitoring during the engagement including yearly due diligence reviews.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|The Bank's policies and procedures concerning cybersecurity matters include processes to safeguard its information systems, monitor these systems, protect the confidentiality and integrity of its data, detect intrusions into its systems, and respond to cybersecurity incidents. Extensive technical controls are in place for identifying and managing cybersecurity risks and safeguarding Bank information systems and information. The Bank uses sophisticated industry-recognized monitoring and threat detection technologies that continuously monitor its information systems and provide threat detection alerts. The Bank’s strategy for assessing, identifying, and managing cybersecurity risks and for evaluating the effectiveness of its cybersecurity program includes periodic risk assessments and testing of its systems, processes and procedures through audits, penetration testing, vulnerability scans, tabletop exercises, and other related exercises.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|The Bank maintains a process to evaluate and manage risks associated with third-party service providers. We conduct a full vendor due diligence review before engagement, review specific security measures in our contracts, and maintain continued monitoring during the engagement including yearly due diligence reviews.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
The IT Committee and Audit Committee are the principal board committees that oversee the Bank’s assessment and management of cybersecurity risk, including oversight of the implementation and maintenance of appropriate controls in support of the Bank’s Information Security and Cybersecurity Program. Both the IT and Audit Committees are comprised of professionals with risk management and information technology expertise to manage any material risk from a cybersecurity threat standpoint.
The membership of the IT Committee includes members of the executive management team as well as directors of the Bank. The CIO and ISO actively participate in all IT Committee meetings. The CIO has over 20 years of work experience in the development, operation and management of Information Technology at financial institutions. The ISO has over 10 years of work experience in building and overseeing cybersecurity programs at financial institutions. Both CIO and ISO have extensive experience and qualifications in various technology and information security disciplines, including relevant experience at the Bank. Additionally, the Audit Committee has oversight of the management of cybersecurity risk via validation and review of IT and cybersecurity risk assessments and audits. The ISO provides reporting metrics on cybersecurity risks to the IT Committee, which meets at least four times a year. The IT and Audit Committees assist the Board of Directors in its oversight.
As part of its oversight of management’s implementation and maintenance of the Bank’s risk management framework, the Bank’s Board of Directors receives regular updates directly from both IT and Audit Committees concerning cybersecurity matters. These updates generally include information regarding cybersecurity and technology developments, the Bank’s Information Security Program and recommended changes to that program, cybersecurity policies and practices, and ongoing initiatives to improve information security, as well as any significant cybersecurity incidents and the Bank's efforts to address those incidents.
Notwithstanding the Bank's efforts at cybersecurity, the Bank cannot guarantee that those efforts will successfully prevent or mitigate a cybersecurity incident that could have a material adverse effect on it. To our knowledge, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Bank, including its business strategy, results of operations or financial condition. With regard to the possible impact of future cybersecurity threats or incidents, see Item 1A. Risk Factors–Risks Related to Our Business.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The membership of the IT Committee includes members of the executive management team as well as directors of the Bank. The CIO and ISO actively participate in all IT Committee meetings. The CIO has over 20 years of work experience in the development, operation and management of Information Technology at financial institutions. The ISO has over 10 years of work experience in building and overseeing cybersecurity programs at financial institutions. Both CIO and ISO have extensive experience and qualifications in various technology and information security disciplines, including relevant experience at the Bank. Additionally, the Audit Committee has oversight of the management of cybersecurity risk via validation and review of IT and cybersecurity risk assessments and audits. The ISO provides reporting metrics on cybersecurity risks to the IT Committee, which meets at least four times a year. The IT and Audit Committees assist the Board of Directors in its oversight.
|Cybersecurity Risk Role of Management [Text Block]
|As part of its oversight of management’s implementation and maintenance of the Bank’s risk management framework, the Bank’s Board of Directors receives regular updates directly from both IT and Audit Committees concerning cybersecurity matters. These updates generally include information regarding cybersecurity and technology developments, the Bank’s Information Security Program and recommended changes to that program, cybersecurity policies and practices, and ongoing initiatives to improve information security, as well as any significant cybersecurity incidents and the Bank's efforts to address those incidents.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true