|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
In the ordinary course of our business, we receive, process, retain, transmit and store proprietary information and sensitive or confidential data, including certain public and nonpublic personal information concerning employees, borrowers and other customers and potential customers. In addition, we enter into relationships with third-party vendors to assist with various aspects of our business, some of which require the exchange of personal employee or customer information. The secure maintenance of this information and our information technology systems is important to our operations and business strategy. To this end, we have implemented processes designed to assess, identify, and manage risks from potential unauthorized occurrences on or through our information technology systems, including those pertaining to third-party service providers, that may result in adverse effects on the confidentiality, integrity, and availability of these systems and the data residing therein. These processes are managed and monitored by dedicated information security teams, including technology risk, cybersecurity operations, cybersecurity engineering, and identity and access management, led by our Chief Information Security Officer (“CISO”). These teams collectively manage and monitor mechanisms, controls, technologies, systems, and other processes designed to prevent or mitigate data loss, theft, misuse, access, or other security incidents or vulnerabilities affecting our data, digital assets and systems in furtherance of maintaining a secure information technology environment.
For example, we conduct penetration and vulnerability testing, data recovery testing, security audits, and ongoing risk assessments, including due diligence on and audits of our key technology vendors, and other contractors and suppliers. We also conduct regular employee training on cyber and information security topics, phishing and simulations. In addition, we consult with outside advisors and experts, when appropriate, on a regular basis to assist with assessing, identifying, and managing cybersecurity risks, including to anticipate future threats and trends, and their impact on the Company’s risk environment. We also utilize a third party for cybersecurity incident monitoring and response.
Our CISO, who reports to the Chief Information Officer and has over twenty years of experience managing information technology and cybersecurity matters, together with our senior leadership team, is responsible for assessing and managing cybersecurity risks. The CISO receives regular reports prepared by experienced information security officers on cybersecurity threats, based on data from the Information Security Department and, in conjunction with management, regularly reviews risk management measures implemented by the Company to help identify and mitigate data protection and
cybersecurity risks. Certain risk topics, such as cybersecurity and compliance, are discussed at Enterprise Risk Management Committee (consisting of executive management) meetings, and are included in reports to the Board and Audit Committee.
We consider cybersecurity, along with other significant risks that we face, within our overall enterprise risk management program. While we have identified risks from cybersecurity threats, such risks have not materially affected us, including our business strategy, results of operations or financial condition, with the exception of the Cybersecurity Incident, as disclosed in a Current Report filed by the Company on Form 8-K on January 8, 2024, as amended on January 22, 2024 and February 27, 2024, and in subsequent filings with the SEC. We recognized $24.6 million of expenses related to the Cybersecurity Incident, net of insurance recoveries during fiscal 2024. In addition, we were named, and may still be named, as a defendant in lawsuits related to this Cybersecurity Incident, which are seeking various remedies, including monetary and injunctive relief. Further, we have engaged with and continue to engage with regulators related to the Cybersecurity Incident. While we cannot presently quantify the full scope of expenses and other related impacts associated with this Cybersecurity Incident, including costs associated with any related current or future litigation or regulatory inquiries or investigations, we currently do not expect that the Cybersecurity Incident will have a material effect on our overall financial condition or on our ongoing results of operations beyond those amounts already accrued. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, “Risk Factors,” under the heading “Cyberattacks, information or security breaches and technology disruptions or failures, including failure of internal operational or security systems or infrastructure, or other cybersecurity incidents of ours or of our third-party vendors, could damage our business operations and increase our costs.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|In the ordinary course of our business, we receive, process, retain, transmit and store proprietary information and sensitive or confidential data, including certain public and nonpublic personal information concerning employees, borrowers and other customers and potential customers. In addition, we enter into relationships with third-party vendors to assist with various aspects of our business, some of which require the exchange of personal employee or customer information. The secure maintenance of this information and our information technology systems is important to our operations and business strategy. To this end, we have implemented processes designed to assess, identify, and manage risks from potential unauthorized occurrences on or through our information technology systems, including those pertaining to third-party service providers, that may result in adverse effects on the confidentiality, integrity, and availability of these systems and the data residing therein. These processes are managed and monitored by dedicated information security teams, including technology risk, cybersecurity operations, cybersecurity engineering, and identity and access management, led by our Chief Information Security Officer (“CISO”). These teams collectively manage and monitor mechanisms, controls, technologies, systems, and other processes designed to prevent or mitigate data loss, theft, misuse, access, or other security incidents or vulnerabilities affecting our data, digital assets and systems in furtherance of maintaining a secure information technology environment.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The Board of Directors, as a whole and at the committee level, oversees our enterprise risk management program, the most significant risks facing us and our processes to identify, prioritize, assess, manage, and mitigate those risks.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit Committee, which is comprised solely of independent directors, has been designated by our Board to oversee cybersecurity risks.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit Committee receives regularly scheduled and as needed updates on cybersecurity and information technology matters and related risk exposures from our CISO and Chief Information Officer. The Board also receives regular updates from our CISO and Chief Information Officer on cybersecurity risks
|Cybersecurity Risk Role of Management [Text Block]
|
Our CISO, who reports to the Chief Information Officer and has over twenty years of experience managing information technology and cybersecurity matters, together with our senior leadership team, is responsible for assessing and managing cybersecurity risks. The CISO receives regular reports prepared by experienced information security officers on cybersecurity threats, based on data from the Information Security Department and, in conjunction with management, regularly reviews risk management measures implemented by the Company to help identify and mitigate data protection andcybersecurity risks. Certain risk topics, such as cybersecurity and compliance, are discussed at Enterprise Risk Management Committee (consisting of executive management) meetings, and are included in reports to the Board and Audit Committee
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Our CISO, who reports to the Chief Information Officer and has over twenty years of experience managing information technology and cybersecurity matters, together with our senior leadership team, is responsible for assessing and managing cybersecurity risks. The CISO receives regular reports prepared by experienced information security officers on cybersecurity threats, based on data from the Information Security Department and, in conjunction with management, regularly reviews risk management measures implemented by the Company to help identify and mitigate data protection andcybersecurity risks. Certain risk topics, such as cybersecurity and compliance, are discussed at Enterprise Risk Management Committee (consisting of executive management) meetings, and are included in reports to the Board and Audit Committee.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO, who reports to the Chief Information Officer and has over twenty years of experience managing information technology and cybersecurity matters, together with our senior leadership team, is responsible for assessing and managing cybersecurity risks
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our CISO, who reports to the Chief Information Officer and has over twenty years of experience managing information technology and cybersecurity matters, together with our senior leadership team, is responsible for assessing and managing cybersecurity risks. The CISO receives regular reports prepared by experienced information security officers on cybersecurity threats, based on data from the Information Security Department and, in conjunction with management, regularly reviews risk management measures implemented by the Company to help identify and mitigate data protection and
cybersecurity risks. Certain risk topics, such as cybersecurity and compliance, are discussed at Enterprise Risk Management Committee (consisting of executive management) meetings, and are included in reports to the Board and Audit Committee.
We consider cybersecurity, along with other significant risks that we face, within our overall enterprise risk management program. While we have identified risks from cybersecurity threats, such risks have not materially affected us, including our business strategy, results of operations or financial condition, with the exception of the Cybersecurity Incident, as disclosed in a Current Report filed by the Company on Form 8-K on January 8, 2024, as amended on January 22, 2024 and February 27, 2024, and in subsequent filings with the SEC. We recognized $24.6 million of expenses related to the Cybersecurity Incident, net of insurance recoveries during fiscal 2024. In addition, we were named, and may still be named, as a defendant in lawsuits related to this Cybersecurity Incident, which are seeking various remedies, including monetary and injunctive relief. Further, we have engaged with and continue to engage with regulators related to the Cybersecurity Incident. While we cannot presently quantify the full scope of expenses and other related impacts associated with this Cybersecurity Incident, including costs associated with any related current or future litigation or regulatory inquiries or investigations, we currently do not expect that the Cybersecurity Incident will have a material effect on our overall financial condition or on our ongoing results of operations beyond those amounts already accrued. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, “Risk Factors,” under the heading “Cyberattacks, information or security breaches and technology disruptions or failures, including failure of internal operational or security systems or infrastructure, or other cybersecurity incidents of ours or of our third-party vendors, could damage our business operations and increase our costs.”
The Board of Directors, as a whole and at the committee level, oversees our enterprise risk management program, the most significant risks facing us and our processes to identify, prioritize, assess, manage, and mitigate those risks. The Audit Committee, which is comprised solely of independent directors, has been designated by our Board to oversee cybersecurity risks. The Audit Committee receives regularly scheduled and as needed updates on cybersecurity and information technology matters and related risk exposures from our CISO and Chief Information Officer. The Board also receives regular updates from our CISO and Chief Information Officer on cybersecurity risks. In addition, we have protocols by which certain cybersecurity incidents are escalated within the Company and, where appropriate, reported in a timely manner to the Audit Committee and the Board of Directors.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef