Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Role of Management
The Company has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
The Company has also established a governance structure and organization to manage cybersecurity risk. This includes escalation and reporting of cybersecurity incidents through the Chief Risk Officer’s organization to an Executive Response Team and the Board, and periodic reporting on the Information Security Program to the Information Security Subcommittee of the Enterprise Risk Management Committee, an executive committee that oversees the Information Security Program, and the Enterprise Risk Oversight Committee (the “EROC”), the Board committee that oversees the ERM framework.
The Chief Information Security Officer (“CISO”), under the supervision of the Company’s Chief Risk Officer (“CRO”) in coordination with the Company’s executive team, which includes our CEO, CFO, Chief Technology Officer (“CTO”) and Chief Legal Officer (“CLO”), works collaboratively across the Company to implement the Information Security Program, which is designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans.
The CISO coordinates all aspects of the Information Security Program and presents a report on the Information Security Program to the Information Cyber Security Subcommittee on a quarterly basis so that the Subcommittee is made aware of a wide range of topics including recent developments in the Information Security Program, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties.
In 2024, the Company appointed a new Chief Information Security Officer (CISO). The new CISO has over 25 years of experience in Cyber Security, Information Security, Risk Management, and Information Technology. He has served as CISO and SVP at a financial institution, overseeing cyber and information security policies and ensuring compliance and security for new product implementations. Previously, he was VP, Head of Cybersecurity at another financial institution and held key roles at a financial services company. He is actively involved in advisory roles and professional boards, and he holds advanced degrees and certifications in information systems and security. The CISO holds a Bachelor of Science in Managed Information Systems from Saint Peter’s University, a Master of Science in Information Systems with a concentration in Information Security from Stevens Institute of Technology, Hoboken, NJ, and a Graduate Certificate in Business Process Management and Service Innovation from Stevens Institute of Technology, Hoboken, NJ.
Role of the Board of Directors
The Board’s oversight of cybersecurity risk management is supported by the EROC, which regularly interacts with the Company’s ERM function and the CISO.
The EROC oversees the Company’s ERM process, including the management of risks arising from cybersecurity threats. The EROC receives regular presentations and reports on the Information Security Program, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties.
The EROC receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.
Although we have not historically experienced significant cybersecurity incidents, we and other banks are subject to attacks of increasing frequency and sophistication. Any significant breach, interruption or failure of our information systems could adversely affect our business operations and our financial condition, operating results and liquidity.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
The Company’s cybersecurity policies, standards, processes and practices are fully integrated into the Company’s ERM program and are based on recognized frameworks established by the Federal Financial Institutions Examination Council (the “FFIEC”), and other applicable industry standards and regulations, including regulations promulgated by the NYDFS. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the data and information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. The Company’s strategy is informed by determinations of inherent risk and risk maturity level that are made in connection with an independent cybersecurity awareness assessment prepared for the FFIEC.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
The Company has also established a governance structure and organization to manage cybersecurity risk. This includes escalation and reporting of cybersecurity incidents through the Chief Risk Officer’s organization to an Executive Response Team and the Board, and periodic reporting on the Information Security Program to the Information Security Subcommittee of the Enterprise Risk Management Committee, an executive committee that oversees the Information Security Program, and the Enterprise Risk Oversight Committee (the “EROC”), the Board committee that oversees the ERM framework.
The Company deploys technical safeguards that are designed to protect the Company’s data and information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
The Chief Information Security Officer (“CISO”), under the supervision of the Company’s Chief Risk Officer (“CRO”) in coordination with the Company’s executive team, which includes our CEO, CFO, Chief Technology Officer (“CTO”) and Chief Legal Officer (“CLO”), works collaboratively across the Company to implement the Information Security Program, which is designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
The Company has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
The Company has also established a governance structure and organization to manage cybersecurity risk. This includes escalation and reporting of cybersecurity incidents through the Chief Risk Officer’s organization to an Executive Response Team and the Board, and periodic reporting on the Information Security Program to the Information Security Subcommittee of the Enterprise Risk Management Committee, an executive committee that oversees the Information Security Program, and the Enterprise Risk Oversight Committee (the “EROC”), the Board committee that oversees the ERM framework.
The Chief Information Security Officer (“CISO”), under the supervision of the Company’s Chief Risk Officer (“CRO”) in coordination with the Company’s executive team, which includes our CEO, CFO, Chief Technology Officer (“CTO”) and Chief Legal Officer (“CLO”), works collaboratively across the Company to implement the Information Security Program, which is designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans.
The CISO coordinates all aspects of the Information Security Program and presents a report on the Information Security Program to the Information Cyber Security Subcommittee on a quarterly basis so that the Subcommittee is made aware of a wide range of topics including recent developments in the Information Security Program, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties.
In 2024, the Company appointed a new Chief Information Security Officer (CISO). The new CISO has over 25 years of experience in Cyber Security, Information Security, Risk Management, and Information Technology. He has served as CISO and SVP at a financial institution, overseeing cyber and information security policies and ensuring compliance and security for new product implementations. Previously, he was VP, Head of Cybersecurity at another financial institution and held key roles at a financial services company. He is actively involved in advisory roles and professional boards, and he holds advanced degrees and certifications in information systems and security. The CISO holds a Bachelor of Science in Managed Information Systems from Saint Peter’s University, a Master of Science in Information Systems with a concentration in Information Security from Stevens Institute of Technology, Hoboken, NJ, and a Graduate Certificate in Business Process Management and Service Innovation from Stevens Institute of Technology, Hoboken, NJ.
|Cybersecurity Risk Role of Management [Text Block]
Role of the Board of Directors
The Board’s oversight of cybersecurity risk management is supported by the EROC, which regularly interacts with the Company’s ERM function and the CISO.
The EROC oversees the Company’s ERM process, including the management of risks arising from cybersecurity threats. The EROC receives regular presentations and reports on the Information Security Program, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties.
The EROC receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.
Although we have not historically experienced significant cybersecurity incidents, we and other banks are subject to attacks of increasing frequency and sophistication. Any significant breach, interruption or failure of our information systems could adversely affect our business operations and our financial condition, operating results and liquidity.
Incident Response and Recovery Planning
The Company has established and maintains comprehensive incident response and recovery plans that fully address the Company’s timely and effective response to a cybersecurity incident, and such plans are tested and evaluated on an annual basis. Multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and reports such threats and incidents to the Executive Response Team of the Company and, as guided by the Company’s Chief Risk Officer, to the Risk Committee when appropriate.
The Company’s Security Incident Response Team (“SIRT”) structure includes an Executive Response Team (“ERT”). The ERT is composed of all members of the Executive Management Team, the Head of Business Continuity Management, and the CISO (if the incident is due to a cyber breach), and it oversees a Management Response Team (“MRT”). In the event of a security incident, the Company’s designated Response Coordinator, who is the Information Security Manager or the CISO’s designee, shall investigate the reported security incident and assign an initial severity level. The Response Coordinator will gather initial facts about the security incident, analyze the information received, identify the entities affected by the security incident, and assess the preliminary severity and extent of the damage (which can be financial or reputational).
If the severity is assessed as Low or Medium in accordance with criteria identified in the incident response and recovery plans, the Response Coordinator will report the incident to the CISO, complete the remediation actions for the cybersecurity incident and report the final outcome to the CISO. The CISO will report the remediation of Low or Medium cybersecurity incidents to the ERT at least quarterly. If the cybersecurity incident is classified as High, or at the Response Coordinator’s discretion, the Response Coordinator will report the cybersecurity incident to the CISO and promptly convene the ERT. The ERT will determine the appropriate steps necessary to respond to the cybersecurity incident and oversee the MRT’s execution of the response. The ERT will determine whether the cybersecurity incident needs to be escalated to the Board.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
The Chief Information Security Officer (“CISO”), under the supervision of the Company’s Chief Risk Officer (“CRO”) in coordination with the Company’s executive team, which includes our CEO, CFO, Chief Technology Officer (“CTO”) and Chief Legal Officer (“CLO”), works collaboratively across the Company to implement the Information Security Program, which is designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans.
The CISO coordinates all aspects of the Information Security Program and presents a report on the Information Security Program to the Information Cyber Security Subcommittee on a quarterly basis so that the Subcommittee is made aware of a wide range of topics including recent developments in the Information Security Program, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties.
In 2024, the Company appointed a new Chief Information Security Officer (CISO). The new CISO has over 25 years of experience in Cyber Security, Information Security, Risk Management, and Information Technology. He has served as CISO and SVP at a financial institution, overseeing cyber and information security policies and ensuring compliance and security for new product implementations. Previously, he was VP, Head of Cybersecurity at another financial institution and held key roles at a financial services company. He is actively involved in advisory roles and professional boards, and he holds advanced degrees and certifications in information systems and security. The CISO holds a Bachelor of Science in Managed Information Systems from Saint Peter’s University, a Master of Science in Information Systems with a concentration in Information Security from Stevens Institute of Technology, Hoboken, NJ, and a Graduate Certificate in Business Process Management and Service Innovation from Stevens Institute of Technology, Hoboken, NJ.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The EROC oversees the Company’s ERM process, including the management of risks arising from cybersecurity threats. The EROC receives regular presentations and reports on the Information Security Program, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
The Chief Information Security Officer (“CISO”), under the supervision of the Company’s Chief Risk Officer (“CRO”) in coordination with the Company’s executive team, which includes our CEO, CFO, Chief Technology Officer (“CTO”) and Chief Legal Officer (“CLO”), works collaboratively across the Company to implement the Information Security Program, which is designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans.
The CISO coordinates all aspects of the Information Security Program and presents a report on the Information Security Program to the Information Cyber Security Subcommittee on a quarterly basis so that the Subcommittee is made aware of a wide range of topics including recent developments in the Information Security Program, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties.
In 2024, the Company appointed a new Chief Information Security Officer (CISO). The new CISO has over 25 years of experience in Cyber Security, Information Security, Risk Management, and Information Technology. He has served as CISO and SVP at a financial institution, overseeing cyber and information security policies and ensuring compliance and security for new product implementations. Previously, he was VP, Head of Cybersecurity at another financial institution and held key roles at a financial services company. He is actively involved in advisory roles and professional boards, and he holds advanced degrees and certifications in information systems and security. The CISO holds a Bachelor of Science in Managed Information Systems from Saint Peter’s University, a Master of Science in Information Systems with a concentration in Information Security from Stevens Institute of Technology, Hoboken, NJ, and a Graduate Certificate in Business Process Management and Service Innovation from Stevens Institute of Technology, Hoboken, NJ.
Role of the Board of Directors
The Board’s oversight of cybersecurity risk management is supported by the EROC, which regularly interacts with the Company’s ERM function and the CISO.
The EROC oversees the Company’s ERM process, including the management of risks arising from cybersecurity threats. The EROC receives regular presentations and reports on the Information Security Program, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties.
The EROC receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.
Although we have not historically experienced significant cybersecurity incidents, we and other banks are subject to attacks of increasing frequency and sophistication. Any significant breach, interruption or failure of our information systems could adversely affect our business operations and our financial condition, operating results and liquidity.
Technical Safeguards
The Company deploys technical safeguards that are designed to protect the Company’s data and information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.
The Company engages in the periodic assessment and testing of the Company’s policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include audits, assessments, tabletop exercises, vulnerability testing, stress testing based on top cyberattack scenarios and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning, and they leverage the Federal Reserve Bank of New York methodology for cyber risk (“FFIEC CyberSecurity Assessment Tool”). The Company regularly engages third parties to perform independent assessments of our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the EROC, and the Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.
Incident Response and Recovery Planning
The Company has established and maintains comprehensive incident response and recovery plans that fully address the Company’s timely and effective response to a cybersecurity incident, and such plans are tested and evaluated on an annual basis. Multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and reports such threats and incidents to the Executive Response Team of the Company and, as guided by the Company’s Chief Risk Officer, to the Risk Committee when appropriate.
The Company’s Security Incident Response Team (“SIRT”) structure includes an Executive Response Team (“ERT”). The ERT is composed of all members of the Executive Management Team, the Head of Business Continuity Management, and the CISO (if the incident is due to a cyber breach), and it oversees a Management Response Team (“MRT”). In the event of a security incident, the Company’s designated Response Coordinator, who is the Information Security Manager or the CISO’s designee, shall investigate the reported security incident and assign an initial severity level. The Response Coordinator will gather initial facts about the security incident, analyze the information received, identify the entities affected by the security incident, and assess the preliminary severity and extent of the damage (which can be financial or reputational).
If the severity is assessed as Low or Medium in accordance with criteria identified in the incident response and recovery plans, the Response Coordinator will report the incident to the CISO, complete the remediation actions for the cybersecurity incident and report the final outcome to the CISO. The CISO will report the remediation of Low or Medium cybersecurity incidents to the ERT at least quarterly. If the cybersecurity incident is classified as High, or at the Response Coordinator’s discretion, the Response Coordinator will report the cybersecurity incident to the CISO and promptly convene the ERT. The ERT will determine the appropriate steps necessary to respond to the cybersecurity incident and oversee the MRT’s execution of the response. The ERT will determine whether the cybersecurity incident needs to be escalated to the Board.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true