|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
The Bank recognizes the importance of assessing, identifying, and managing material risks associated with cybersecurity threats to safeguard our organization, its assets and the sensitive data entrusted to us. We define cybersecurity risks as risks resulting from the failure of, or insufficiency in, information technology (for example, a system outage) or intentional or accidental unauthorized access, disclosure, removal, tampering or disposal of company and customer data and records.
The Bank maintains a cyber risk management framework which forms part of our overall enterprise risk management framework as described above and has adopted a conservative risk posture. This means we have developed processes and controls that are designed to be defensive and focus on detection and prevention as we seek to mitigate against the likelihood of circumstances or events which may occur causing an impact on the confidentiality, integrity or availability of our information assets. This includes regular training to help employees recognize information and cybersecurity concerns and respond accordingly, measures to ensure data security (cryptography and encryption, database security, data erasure, and media disposal, etc.) and regular data backups and restoration processes.
Our crisis response structure consists of frameworks, policies and handbooks that work together to manage cybersecurity risks. This structure is intended to coordinate the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents. This includes processes to triage, assess severity of, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. The program is regularly reviewed and updated by the CISO through the Group Risk and Compliance Committee to address emerging threats and industry best practices.
As part of our cybersecurity program, our enterprise risk professionals collaborate with third-party subject matter specialists as necessary to gather insights for identifying and assessing material cybersecurity risks, their severity, and potential mitigations, as well as identifying areas for continued focus, improvement and/or compliance. We employ a range of tools and services, including regular network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises to inform our professionals’ risk identification and assessment. We also have a cybersecurity-specific risk assessment process in place, which helps identify our cybersecurity risks by comparing our processes to standards set by the National Institute of Standards and Technology and the Center for Internet Security, as well as by engaging experts to attempt to infiltrate our information systems. As part of this process, we regularly have third-party experts review our cybersecurity program, which evaluates our preparedness to respond to crisis-level events, including cybersecurity incidents. The Bank also maintains a third-party risk management program responsible for the oversight of outsourced operations, which enables us to oversee and identify risks related to engaging third-party service providers, including risks from cybersecurity threats to these providers. Management conducts due diligence using a risk-based approach in selecting and monitoring third-party service providers. The Bank obtains contractual assurances from third-party service providers relating to their security responsibilities, controls, reporting, and roles and responsibilities as it pertains to cybersecurity incident response policies and notification requirements. 
The Bank obtains independent reviews of the third parties’ security through audit reports and testing and conducts verification and validation with third parties to confirm cybersecurity and information security risks are appropriately identified, measured, mitigated, monitored, and reported by the third party to us.
We have experienced, and will continue to experience, cyber incidents in the normal course of our business. These cyberattacks are often intended to disrupt the operations of financial institutions or obtain confidential, proprietary, or other information or assets of the Bank, our customers, employees, or other third parties with whom we transact. Failures or disruptions to these systems, including cloud-based services, or infrastructure from cyberattacks or other events may impede our ability to conduct business and operations and may result in business, reputational, financial, regulatory, or other harm. To date, prior cybersecurity incidents have not had a material adverse effect on our business, financial condition, results of operations, or cash flows. See Item 3.D. "Risk Factors - Cyber-attacks, distributed denial of service attacks and other cybersecurity matters, if successful, could have an adverse effect on our business, financial condition or results of operations" and Item 6.A. "Risk Management - Operational Risk".
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
The Bank maintains a cyber risk management framework which forms part of our overall enterprise risk management framework as described above and has adopted a conservative risk posture. This means we have developed processes and controls that are designed to be defensive and focus on detection and prevention as we seek to mitigate against the likelihood of circumstances or events which may occur causing an impact on the confidentiality, integrity or availability of our information assets. This includes regular training to help employees recognize information and cybersecurity concerns and respond accordingly, measures to ensure data security (cryptography and encryption, database security, data erasure, and media disposal, etc.) and regular data backups and restoration processes.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Risk Policy and Compliance Committee of the Board of Directors oversees Butterfield's cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. The committee is supported in the execution of its mandate by management's Group Risk and Compliance Committee. The cybersecurity team briefs the Risk Policy and Compliance Committee on the effectiveness of the Bank’s cyber risk management program, typically on a quarterly basis. In addition, the Board of Directors reviews the Bank's cybersecurity risks, at least annually, as part of the Company’s corporate risk mapping exercise, and evaluates whether management has reasonable risk management and control processes in place to address those risks.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Risk Policy and Compliance Committee of the Board of Directors oversees Butterfield's cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. The committee is supported in the execution of its mandate by management's Group Risk and Compliance Committee. The cybersecurity team briefs the Risk Policy and Compliance Committee on the effectiveness of the Bank’s cyber risk management program, typically on a quarterly basis. In addition, the Board of Directors reviews the Bank's cybersecurity risks, at least annually, as part of the Company’s corporate risk mapping exercise, and evaluates whether management has reasonable risk management and control processes in place to address those risks.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Bank’s CISO is the head of the Bank's cybersecurity team and reports directly to the President and Group Chief Risk Officer. The CISO is responsible for assessing and managing our cyber risk management program, informing senior management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents and supervising such efforts. The CISO has more than 20 years’ experience in the field of information technology, cyber security and adjacent roles and is supported by a cybersecurity team that has decades of experience in selecting, deploying, and operating cybersecurity technologies, initiatives, and processes. The CISO reports regularly on the Bank’s cybersecurity program to the President & Group Chief Risk Officer as well as the Group Head of Compliance and Operational Risk, and presents information quarterly to the Group Risk and Compliance Committee.
|Cybersecurity Risk Role of Management [Text Block]
|The Bank’s CISO is the head of the Bank's cybersecurity team and reports directly to the President and Group Chief Risk Officer. The CISO is responsible for assessing and managing our cyber risk management program, informing senior management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents and supervising such efforts.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Bank’s CISO is the head of the Bank's cybersecurity team and reports directly to the President and Group Chief Risk Officer. The CISO is responsible for assessing and managing our cyber risk management program, informing senior management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents and supervising such efforts.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The CISO has more than 20 years’ experience in the field of information technology, cyber security and adjacent roles and is supported by a cybersecurity team that has decades of experience in selecting, deploying, and operating cybersecurity technologies, initiatives, and processes.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The Risk Policy and Compliance Committee of the Board of Directors oversees Butterfield's cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. The committee is supported in the execution of its mandate by management's Group Risk and Compliance Committee. The cybersecurity team briefs the Risk Policy and Compliance Committee on the effectiveness of the Bank’s cyber risk management program, typically on a quarterly basis. In addition, the Board of Directors reviews the Bank's cybersecurity risks, at least annually, as part of the Company’s corporate risk mapping exercise, and evaluates whether management has reasonable risk management and control processes in place to address those risks.
The Bank’s CISO is the head of the Bank's cybersecurity team and reports directly to the President and Group Chief Risk Officer. The CISO is responsible for assessing and managing our cyber risk management program, informing senior management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents and supervising such efforts. The CISO has more than 20 years’ experience in the field of information technology, cyber security and adjacent roles and is supported by a cybersecurity team that has decades of experience in selecting, deploying, and operating cybersecurity technologies, initiatives, and processes. The CISO reports regularly on the Bank’s cybersecurity program to the President & Group Chief Risk Officer as well as the Group Head of Compliance and Operational Risk, and presents information quarterly to the Group Risk and Compliance Committee.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true