|
Cybersecurity Risk Management Strategy and Governance
|12 Months Ended Dec. 31, 2024
|Cybersecurity Risk Management Strategy and Governance [Line Items]
|
|Cybersecurity Risk Management Processes For Assessing Identifying And Managing Threats [Text Block]
|
Risk Management and Strategy Overview

Customers depend on the Company to properly protect nonpublic personal information gathered and stored in connection with the services we provide. The Company realizes that cyber incidents can have financial, reputational, legal, and operational impacts that can significantly adversely affect our customers, capital, and earnings. Therefore, we integrate cybersecurity processes throughout the Company as part of our enterprise-wide governance process. Regulatory agencies are charged with ensuring the Company’s cybersecurity controls and procedures are compliant with the intent of the cybersecurity expectations set forth by the Federal Financial Institutions Examination Council (“FFIEC”). The FFIEC framework offers a set of guidelines and best practices to help financial institutions manage and mitigate cybersecurity risks effectively. It focuses on ensuring the confidentiality, integrity, and availability of sensitive information and systems.

The Information Security Officer (“ISO”) is an integral member of the Risk Management and Compliance Department (“RMCD”) of the Bank and provides expert counsel on matters of cybersecurity and presents periodic reports to the Risk Committee of our Board of Directors.

As part of the program, periodic risk assessments are performed to determine the Company’s inherent and residual cybersecurity risk, the maturity level of the program, the risk of cyber threats, and the effectiveness of controls currently in practice. The Company utilizes the National Institute of Standards and Technology (“NIST”) Framework and the FFIEC’s Cybersecurity Assessment Tool (“Cybersecurity Assessment”) to help management identify its risks and determine the Company’s cybersecurity posture.

Through the implementation of rigorous procedures and controls, augmented by ongoing training initiatives for both management and staff, the institution cultivates a safe cybersecurity environment. This approach encompasses diverse methodologies including defense-in-depth and proactive security awareness training aimed at fortifying the institution’s cybersecurity controls and fostering a resilient operational framework.

Assessment and Response to Cybersecurity Threats

It is the policy of the Company and its technology service providers (“TSPs”) to ensure that they can identify, mitigate, and respond to cyber-attacks involving destructive malware and invasive attacks such as phishing, ransomware, malware, DDoS attacks, etc. This commitment aligns with the Company’s risk appetite, Incident Response Policy, and Business Continuity Plan, which incorporates business continuity planning and testing activities to enhance response and recovery capabilities.

The Company realizes that it faces a variety of risks from cyber-attacks involving destructive malware, including capital, operational, and reputation risks, due to events such as fraud, data loss, and disruption of customer service. As such, it is the policy of the Company to ensure that its risk management processes and business continuity planning address these risks by:

● Establishing a comprehensive governance program encompassing policies and procedures to administer and oversee the information/cybersecurity programs to ensure adherence to regulatory guidance and industry best practices.
● Securely configuring systems and services to mitigate the impact of cyberattacks. This includes measures such as logical network segmentation, hard backups, maintaining an inventory of authorized devices and software, and physical segmentation of critical systems. Consistency in system configuration fosters a secure network environment by removing or disabling unused applications, functions, or components.
● Implementing and testing controls around critical systems on a regular basis to ensure appropriate access control and segregation of duties. Limits on sign-on attempts for critical systems are enforced, with accounts being locked upon threshold exceedance. Alert systems notify of baseline control changes on critical systems, with the effectiveness and adequacy of controls periodically tested and the results reported to senior management and, if applicable, the Risk Committee, along with recommended risk mitigation strategies and progress to remediate findings.
● Performing security monitoring, prevention, and risk mitigation activities to ensure the effectiveness of protection and detection systems. This includes maintaining up-to-date intrusion detection systems, antivirus protection, and properly configured firewall rules. Systems are monitored to identify, prevent, and contain attack attempts from all sources.
● Maintaining robust business continuity planning processes to swiftly recover, resume, and maintain operations post-cyber-attack incidents involving destructive malware. These processes encompass data and business operations recovery, network capability rebuilding, and data protection for offline backups in the event of cyber-attacks impacting the Company or its critical service providers.
● Conducting ongoing information security risk assessments to address new and evolving threats to online deposit and loan accounts. This involves identifying, prioritizing, and assessing risks to critical systems, including threats to applications controlling various system parameters and implementing necessary security prevention measures.
● Reviewing, updating, and testing incident response and business continuity plans annually to ensure effectiveness. Testing encompasses both in-house and third-party processor scenarios to validate employee understanding of responsibilities and adherence to Company protocols.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
As part of the program, periodic risk assessments are performed to determine the Company’s inherent and residual cybersecurity risk, the maturity level of the program, the risk of cyber threats, and the effectiveness of controls currently in practice. The Company utilizes the National Institute of Standards and Technology (“NIST”) Framework and the FFIEC’s Cybersecurity Assessment Tool (“Cybersecurity Assessment”) to help management identify its risks and determine the Company’s cybersecurity posture.

Through the implementation of rigorous procedures and controls, augmented by ongoing training initiatives for both management and staff, the institution cultivates a safe cybersecurity environment. This approach encompasses diverse methodologies including defense-in-depth and proactive security awareness training aimed at fortifying the institution’s cybersecurity controls and fostering a resilient operational framework.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight And Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected Or Reasonably Likely To Materially Affect Registrant [Flag]
|true
|Cybersecurity Risk Materially Affected Or Reasonably Likely To Materially Affect Registrant [Text Block]
|
The Company realizes that it faces a variety of risks from cyber-attacks involving destructive malware, including capital, operational, and reputation risks, due to events such as fraud, data loss, and disruption of customer service. As such, it is the policy of the Company to ensure that its risk management processes and business continuity planning address these risks by:

● Establishing a comprehensive governance program encompassing policies and procedures to administer and oversee the information/cybersecurity programs to ensure adherence to regulatory guidance and industry best practices.
● Securely configuring systems and services to mitigate the impact of cyberattacks. This includes measures such as logical network segmentation, hard backups, maintaining an inventory of authorized devices and software, and physical segmentation of critical systems. Consistency in system configuration fosters a secure network environment by removing or disabling unused applications, functions, or components.
● Implementing and testing controls around critical systems on a regular basis to ensure appropriate access control and segregation of duties. Limits on sign-on attempts for critical systems are enforced, with accounts being locked upon threshold exceedance. Alert systems notify of baseline control changes on critical systems, with the effectiveness and adequacy of controls periodically tested and the results reported to senior management and, if applicable, the Risk Committee, along with recommended risk mitigation strategies and progress to remediate findings.
● Performing security monitoring, prevention, and risk mitigation activities to ensure the effectiveness of protection and detection systems. This includes maintaining up-to-date intrusion detection systems, antivirus protection, and properly configured firewall rules. Systems are monitored to identify, prevent, and contain attack attempts from all sources.
● Maintaining robust business continuity planning processes to swiftly recover, resume, and maintain operations post-cyber-attack incidents involving destructive malware. These processes encompass data and business operations recovery, network capability rebuilding, and data protection for offline backups in the event of cyber-attacks impacting the Company or its critical service providers.
● Conducting ongoing information security risk assessments to address new and evolving threats to online deposit and loan accounts. This involves identifying, prioritizing, and assessing risks to critical systems, including threats to applications controlling various system parameters and implementing necessary security prevention measures.
● Reviewing, updating, and testing incident response and business continuity plans annually to ensure effectiveness. Testing encompasses both in-house and third-party processor scenarios to validate employee understanding of responsibilities and adherence to Company protocols.
|Cybersecurity Risk Board Of Directors Oversight [Text Block]
|
Executive Oversight and Roles

The responsibility for adopting and maintaining an effective cybersecurity program is assigned to the RMCD, who collaborates with functional area management, departmental level managers, and other relevant staff. Management committees and the Board of Directors review reports submitted by the RMCD detailing the Company’s inherent and residual cybersecurity risk, program sophistication level, and high-risk threats identified in the cybersecurity risk assessment.

The Board oversees the development and maintenance of the information security program, holding management accountable. Management committees ensure program integration and effectiveness, with the RMCD responsible for cybersecurity controls and procedures. The Board receives regular reports on cybersecurity risk assessment and program updates, providing expectations and requirements to management and holding them accountable for oversight and coordination, assignment of responsibility, and the effectiveness of the information and cybersecurity program.

Annually, or as required, the RMCD provides a comprehensive report to the Board or a designated committee regarding the status of the cybersecurity program. This report encompasses internal assessments, utilization of the Cybersecurity Assessment, discussion of significant program matters such as the annual risk assessment, risk management decisions, monitoring of service provider compliance, results of key controls testing, security breaches or violations, management’s responses, and recommendations for program enhancements.
|Cybersecurity Risk Board Committee Or Subcommittee Responsible For Oversight [Text Block]
|
The responsibility for adopting and maintaining an effective cybersecurity program is assigned to the RMCD, who collaborates with functional area management, departmental level managers, and other relevant staff. Management committees and the Board of Directors review reports submitted by the RMCD detailing the Company’s inherent and residual cybersecurity risk, program sophistication level, and high-risk threats identified in the cybersecurity risk assessment.
|Cybersecurity Risk Process For Informing Board Committee Or Subcommittee Responsible For Oversight [Text Block]
|
The Board oversees the development and maintenance of the information security program, holding management accountable. Management committees ensure program integration and effectiveness, with the RMCD responsible for cybersecurity controls and procedures. The Board receives regular reports on cybersecurity risk assessment and program updates, providing expectations and requirements to management and holding them accountable for oversight and coordination, assignment of responsibility, and the effectiveness of the information and cybersecurity program.
|Cybersecurity Risk Role Of Management [Text Block]
|
Annually, or as required, the RMCD provides a comprehensive report to the Board or a designated committee regarding the status of the cybersecurity program. This report encompasses internal assessments, utilization of the Cybersecurity Assessment, discussion of significant program matters such as the annual risk assessment, risk management decisions, monitoring of service provider compliance, results of key controls testing, security breaches or violations, management’s responses, and recommendations for program enhancements.
|Cybersecurity Risk Management Positions Or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions Or Committees Responsible [Text Block]
|
Annually, or as required, the RMCD provides a comprehensive report to the Board or a designated committee regarding the status of the cybersecurity program
|Cybersecurity Risk Management Expertise Of Management Responsible [Text Block]
|
The Information Security Officer (“ISO”) is an integral member of the Risk Management and Compliance Department (“RMCD”) of the Bank and provides expert counsel on matters of cybersecurity and presents periodic reports to the Risk Committee of our Board of Directors.

As part of the program, periodic risk assessments are performed to determine the Company’s inherent and residual cybersecurity risk, the maturity level of the program, the risk of cyber threats, and the effectiveness of controls currently in practice. The Company utilizes the National Institute of Standards and Technology (“NIST”) Framework and the FFIEC’s Cybersecurity Assessment Tool (“Cybersecurity Assessment”) to help management identify its risks and determine the Company’s cybersecurity posture.

Through the implementation of rigorous procedures and controls, augmented by ongoing training initiatives for both management and staff, the institution cultivates a safe cybersecurity environment. This approach encompasses diverse methodologies including defense-in-depth and proactive security awareness training aimed at fortifying the institution’s cybersecurity controls and fostering a resilient operational framework.
|Cybersecurity Risk Process For Informing Management Or Committees Responsible [Text Block]
|
Management committees and the Board of Directors review reports submitted by the RMCD detailing the Company’s inherent and residual cybersecurity risk, program sophistication level, and high-risk threats identified in the cybersecurity risk assessment.
|Cybersecurity Risk Management Positions Or Committees Responsible Report To Board [Flag]
|true