|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
To combat the ever-present cyber risks, the Company maintains a comprehensive ISP, which includes continuous risk assessments, an Incident Response Plan, and a multilayered control environment meant to protect, detect, respond to, and limit unauthorized or harmful actions across our information environment. The control environment is based on industry-leading recommendations, including the Center for Internet Security (CIS) Critical Security Controls and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Our Information Security Officer (ISO) is primarily responsible for coordinating the various aspects of the ISP with cross-functional support teams across the Company.
Standards over information security are Board-approved, and various types of control testing are conducted throughout the year by internal and external parties. Recommendations are implemented and reported to various committees. These security and privacy policies and procedures, aimed at protecting personal and confidential information, are in effect across all businesses and geographic locations. Board-approved policies are in place to effectively mitigate risks linked to third-party service providers, encompassing factors such as availability, confidentiality, and governance and compliance. As part of this risk mitigation, the Company actively monitors vendors’ cybersecurity practices through periodic assessments and contractual security requirements. This ensures that vendors adhere to our security standards and promptly address emerging threats or vulnerabilities.
The Company employs a defense-in-depth posture, designed to safeguard information, prevent unauthorized access, detect and respond to threats, and maintain the confidentiality, integrity, and availability of data. The ISP establishes controls across many domains including but not limited to: Information Security Governance, Inventory and Control of Enterprise Assets and Software, Data Protection, Secure Configuration of Enterprise Assets and Software, Account and Access Control Management, Continuous Vulnerability Management, Audit Log Management, Email and Web Browser Protections, Malware Defenses, Data Recovery, Network Infrastructure Management, Network Monitoring and Defense, Security Awareness and Skills Training, Service Provider Management, Application Software Security, Incident Response Management, and Penetration Testing.
Recognizing people as a key component of an effective information security program, the Merchants Information Security Program strives to enhance education and awareness at all levels of the Company. One critical component of education and awareness is an internal cybersecurity committee, composed of employees from all levels and departments, who act as embedded security representatives for their business units.
However, it is difficult or impossible to defend against every risk posed by evolving technologies as well as by criminals intent on committing cyber-crime. The increasing sophistication of criminal organizations and advanced persistent threats makes staying ahead of new dangers difficult and could result in a security breach. Controls employed by our information technology department and cloud vendors could prove inadequate. A breach of our security that results in unauthorized access to our data could expose us to a disruption of or challenges relating to our daily operations, as well as to data loss, litigation, damages, fines and penalties, significant increases in compliance costs, and reputational damage, any of which could have an adverse effect on our business, financial condition, and results of operations. The Company has established conditions to quickly respond to a cyber incident, ensuring a resilient information environment.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
To combat the ever-present cyber risks, the Company maintains a comprehensive ISP, which includes continuous risk assessments, an Incident Response Plan, and a multilayered control environment meant to protect, detect, respond to, and limit unauthorized or harmful actions across our information environment. The control environment is based on industry-leading recommendations, including the Center for Internet Security (CIS) Critical Security Controls and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Our Information Security Officer (ISO) is primarily responsible for coordinating the various aspects of the ISP with cross-functional support teams across the Company.
Standards over information security are Board-approved, and various types of control testing are conducted throughout the year by internal and external parties. Recommendations are implemented and reported to various committees. These security and privacy policies and procedures, aimed at protecting personal and confidential information, are in effect across all businesses and geographic locations. Board-approved policies are in place to effectively mitigate risks linked to third-party service providers, encompassing factors such as availability, confidentiality, and governance and compliance. As part of this risk mitigation, the Company actively monitors vendors’ cybersecurity practices through periodic assessments and contractual security requirements. This ensures that vendors adhere to our security standards and promptly address emerging threats or vulnerabilities.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
The Board established an IT Committee to assist executive management and the Board of Directors of the Bank in fulfilling their oversight responsibilities related to information security. The IT Committee membership includes senior management from business units, as well as information security risk experts such as the Information Security Officer, experts from Enterprise Risk Management, Internal Audit, and Information Technology Leaders. At the IT Committee meetings, security-related policies and standards are reviewed and approved, annual risk assessment results and action plans are noted, annual penetration test reports are shared, current security incidents are discussed, emerging threats are reported on, and relevant cyber risks and trends are presented. The IT Committee is responsible for governing the assessment and treatment of cyber risks. The Committee reports its activities, key conclusions, and recommendations to the Board on a quarterly basis.
The Chief Administrative Officer is responsible for the appointment of the Information Security Officer. The Information Security Officer serves as the focal point for the information security program and is responsible and accountable for its implementation and monitoring, and for management of the Information Security team. The current Information Security Officer has over a decade of experience in the cybersecurity field, including critical roles in security operations, security governance, risk, and compliance, and cyber threat intelligence. They hold multiple industry-leading certifications, including nine GIAC certifications and the CISSP from ISC2, and a Master of Engineering in Cybersecurity Policy and Compliance.
The Information Security Officer presents an Annual Information Security Review to the Board which summarizes the previous year’s threat landscape, risk assessment, service provider, and audit testing activities, results of security incidents, information security program changes, and future strategies and recommendations.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|IT Committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board established an IT Committee to assist executive management and the Board of Directors of the Bank in fulfilling their oversight responsibilities related to information security. The IT Committee membership includes senior management from business units, as well as information security risk experts such as the Information Security Officer, experts from Enterprise Risk Management, Internal Audit, and Information Technology Leaders. At the IT Committee meetings, security-related policies and standards are reviewed and approved, annual risk assessment results and action plans are noted, annual penetration test reports are shared, current security incidents are discussed, emerging threats are reported on, and relevant cyber risks and trends are presented. The IT Committee is responsible for governing the assessment and treatment of cyber risks. The Committee reports its activities, key conclusions, and recommendations to the Board on a quarterly basis.
|Cybersecurity Risk Role of Management [Text Block]
|The Chief Administrative Officer is responsible for the appointment of the Information Security Officer. The Information Security Officer serves as the focal point for the information security program and is responsible and accountable for its implementation and monitoring, and for management of the Information Security team. The current Information Security Officer has over a decade of experience in the cybersecurity field, including critical roles in security operations, security governance, risk, and compliance, and cyber threat intelligence. They hold multiple industry-leading certifications, including nine GIAC certifications and the CISSP from ISC2, and a Master of Engineering in Cybersecurity Policy and Compliance.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Information Security Officer
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The current Information Security Officer has over a decade of experience in the cybersecurity field, including critical roles in security operations, security governance, risk, and compliance, and cyber threat intelligence. They hold multiple industry-leading certifications, including nine GIAC certifications and the CISSP from ISC2, and a Master of Engineering in Cybersecurity Policy and Compliance.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Information Security Officer presents an Annual Information Security Review to the Board which summarizes the previous year’s threat landscape, risk assessment, service provider, and audit testing activities, results of security incidents, information security program changes, and future strategies and recommendations.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true