|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
As a financial institution, we believe that the risk of cybersecurity incidents is a significant, increasing, and always evolving risk for our business. Federal law and regulations require us to maintain a comprehensive written information security program, and federal banking regulators regularly issue guidance regarding cybersecurity threats intended to enhance our cybersecurity risk management. Accordingly, we have developed and implemented processes for assessing, identifying and managing material risks from cybersecurity threats designed to comply with federal law and regulations and protect against cybersecurity threats to our business. Our program is supported by management and the Board. The Company maintains an active cyber insurance policy to enhance protections against material data intrusions or loss of privacy. For an overview of the federal banking laws and regulations that govern our management and oversight of cybersecurity risks, refer to Item 1. Business – Supervision and Regulation – “Financial Privacy and Cybersecurity Requirements,” incorporated by reference into this Item 1C.
The Company’s IS Program is comprised of five pillars: the Information Security Policy, the Enterprise Information Security Risk Assessment, the Incident Response Plan, a formalized Security Awareness Campaign, and an enterprise monitoring and reporting program.
The IS Program is monitored each year through various internal and external audits, as well as OCC regulatory exams. Vulnerability and penetration testing are also conducted at least annually by an independent third party to supplement the vulnerability and patching program routinely performed by internal staff. Third-party vendors supplement the Company’s internal patching program as necessary. The Company also utilizes a-party “SOC as a Service” to monitor extended detection and response logs and network traffic.
Third-party service provider risk is evaluated prior to and throughout the relationship. Third-party service providers must meet a minimum set of baseline security standards prior to being onboarded. During onboarding, theparty and the services they provide are added to the Information Security Risk Assessment, including consideration of inherent risk factors and mitigating controls. Alternative vendors and the effort to transition between vendors are identified during onboarding as well as in the event that the selected provider may fail in providing contracted services at any time. After a third party is onboarded, they are subject to the annual third-party risk management program, specific to their assigned risk criticality. This effort includes the review of service organization controls reports, business continuity and disaster recovery efforts, insurance certificates, and other compliance related concerns when applicable.
We have not experienced any cybersecurity incidents that have materially affected our Company, including our business, strategy, results of operations or financial condition. For a discussion of how risks from cybersecurity threats may be reasonably likely to materially affect us, refer to Item 1A. Risk Factors – Risks Related to our Business – “We rely on information technology and telecommunications systems, many of which are provided by third-party vendors” and – “Cyberattacks or other security breaches could adversely affect our operations, net income or reputation,” incorporated by reference into this Item 1C.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|The Company’s IS Program is comprised of five pillars: the Information Security Policy, the Enterprise Information Security Risk Assessment, the Incident Response Plan, a formalized Security Awareness Campaign, and an enterprise monitoring and reporting program.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|We have not experienced any cybersecurity incidents that have materially affected our Company, including our business, strategy, results of operations or financial condition. For a discussion of how risks from cybersecurity threats may be reasonably likely to materially affect us, refer to Item 1A. Risk Factors – Risks Related to our Business – “We rely on information technology and telecommunications systems, many of which are provided by third-party vendors” and – “Cyberattacks or other security breaches could adversely affect our operations, net income or reputation,” incorporated by reference into this Item 1C.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
The Board is responsible for oversight of risks from cybersecurity threats. Oversight of cybersecurity risk management is performed primarily by the Board and the IT Committee. The IT Committee’s primary purpose is to assist the Board in its oversight of technology and innovation strategies, plans and operations related to cybersecurity, data privacy, and third-party technology risk management. Of the IT Committee members who are not Board members, only our CIO and CISO are responsible for assessing and managing cybersecurity risks, and the other committee members are responsible for oversight. The CISO provides monthly information security reports to the Board and IT Committee on cybersecurity programs, policies and controls, key risk indicators and trends including responses to any cybersecurity events, and efforts to improve security. Annually, the CISO provides security training to the Board. The CISO also provides the Board with an annual Information Security Program Summary Report in compliance with federal banking guidelines.
The IS Program is managed by the CISO who reports to the Chief Operations Officer and is reviewed by regulators as well as internal auditors. An information security analyst reports to the CISO and performs security and assurance functions daily. The CIO and information technology staff support the CISO in cybersecurity operations as necessary to mitigate risks to the Company's technology infrastructure. The CISO holds two cybersecurity industry leading certifications (Certified Information Systems Security Professional and Certified Cloud Security Professional) and has more than 20 years of technology experience. The CIO has been in the information technology field for over 30 years and at various points held the following certifications: Cisco Certified Internetwork Expert, Cisco Certified Network Professional, Cisco Certified Voice Professional, Cisco Certified Design Professional, and Microsoft Certified Systems Engineer. The information security analyst has over five years of experience and holds ISC2’s “Certified in Cybersecurity” certification. Information technology staff are generally subject to professional education, experience, and certification requirements, and receive education and mentoring from the CISO and CIO.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board is responsible for oversight of risks from cybersecurity threats. Oversight of cybersecurity risk management is performed primarily by the Board and the IT Committee. The IT Committee’s primary purpose is to assist the Board in its oversight of technology and innovation strategies, plans and operations related to cybersecurity, data privacy, and third-party technology risk management. Of the IT Committee members who are not Board members, only our CIO and CISO are responsible for assessing and managing cybersecurity risks, and the other committee members are responsible for oversight. The CISO provides monthly information security reports to the Board and IT Committee on cybersecurity programs, policies and controls, key risk indicators and trends including responses to any cybersecurity events, and efforts to improve security. Annually, the CISO provides security training to the Board. The CISO also provides the Board with an annual Information Security Program Summary Report in compliance with federal banking guidelines.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|false
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The IS Program is managed by the CISO who reports to the Chief Operations Officer and is reviewed by regulators as well as internal auditors. An information security analyst reports to the CISO and performs security and assurance functions daily. The CIO and information technology staff support the CISO in cybersecurity operations as necessary to mitigate risks to the Company's technology infrastructure. The CISO holds two cybersecurity industry leading certifications (Certified Information Systems Security Professional and Certified Cloud Security Professional) and has more than 20 years of technology experience. The CIO has been in the information technology field for over 30 years and at various points held the following certifications: Cisco Certified Internetwork Expert, Cisco Certified Network Professional, Cisco Certified Voice Professional, Cisco Certified Design Professional, and Microsoft Certified Systems Engineer. The information security analyst has over five years of experience and holds ISC2’s “Certified in Cybersecurity” certification. Information technology staff are generally subject to professional education, experience, and certification requirements, and receive education and mentoring from the CISO and CIO.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|false
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef