Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Cybersecurity Program and Management Oversight
Cybersecurity is an important part of the Company’s risk management. We maintain a layered governance structure to oversee cybersecurity risk as part of our enterprise risk management framework. Our Board, both directly and through its committees, is responsible for overseeing our risk management processes. The Board exercises oversight of cybersecurity risk primarily through its Risk Committee, which receives regular reports and is informed of significant cybersecurity incidents and events and reports to the full Board as appropriate. Management oversight begins with the IT Risk Committee, which meets weekly to identify, monitor, and manage information technology and cybersecurity risks and escalate significant matters as appropriate. Executive oversight is provided by the Technology Management Committee, which is chaired by the Chief Information Officer and reports to the Risk Committee. The Technology Management Committee is responsible for (i) assisting the Board in defining the Company’s risk appetite with regard to technology, security, and data; (ii) evaluating the alignment of technology investments with business objectives and risk tolerance; (iii) overseeing information technology, cybersecurity, and data governance risks, ensuring they are managed in line with the Company’s risk profile and regulatory expectations; (iv) ensuring effective IT governance, including policies, procedures, and internal controls; and (v) tracking the progress and performance of major IT projects. The Technology Management Committee meets quarterly to review significant technology and cybersecurity risks, related management actions, and escalation items. Cybersecurity risk is also reviewed quarterly by the Enterprise Risk Management Committee through key risk indicators and key performance indicators and considered in the context of the Company’s overall enterprise risk profile.
We have adopted comprehensive information security and data privacy policies and standards informed by recognized industry frameworks, including the Center for Internet Security (CIS) Critical Security Controls and applicable International Organization for Standardization (ISO) standards, and regularly benchmark our information security program against reputable industry assessments to support ongoing effectiveness and maturity. Within this framework, we have established defined management roles responsible for the day‑to‑day oversight and execution of cybersecurity and information security activities. These roles operate within management‑level committees and reporting structures designed to translate governance objectives and risk appetite into operational practices, support regulatory engagement and examination readiness, and ensure timely identification, escalation, and reporting of cybersecurity risks to executive management and the Board, as appropriate. Management involved in cybersecurity and information security activities possess the necessary skills and expertise to manage and enforce our information security and privacy policies and standards. The following descriptions summarize the responsibilities of key management positions with direct oversight of technology, cybersecurity operations, and information security.
Chief Information Officer - Our technology and information systems are overseen by the Chief Information Officer, who is responsible for enterprise technology strategy and operations, including core banking systems, infrastructure, and technology services supporting banking operations. This role provides leadership over technology functions and personnel and works closely with executive management, information security leadership, and risk management stakeholders to support the reliability, resilience, and security of the Company’s technology environment. The Chief Information Officer also contributes to management‑level and Board‑level discussions regarding significant technology initiatives, operational resilience, and emerging technology‑related risks. The Chief Information Officer has more than 35 years of experience working with the development, deployment, and support of IT solutions for financial institutions.
Director of Cybersecurity - Our cybersecurity program is led by the Director of Cybersecurity, who reports within the Company's technology function. In this role, the Director of Cybersecurity is responsible for the design and execution of cybersecurity operations, including security architecture, vulnerability management, identity and access controls, and components of third‑party risk oversight. This role works closely with executive management, technology teams, and information security leadership to enforce cybersecurity controls, support enterprise resilience, and identify and address emerging cyber and technology risks. The Director of Cybersecurity serves as a key liaison between technical security operations and broader governance and risk management functions and supports regulatory engagement, examination readiness, and management‑level and board‑level discussions regarding cybersecurity and technology risk. The Director of Cybersecurity has more than 35 years of experience across technology, infrastructure, and cybersecurity roles of increasing responsibility.
Vice President, Information Security - Our information security function is led by the Vice President, Information Security, who reports to the Chief Risk Officer as part of our Risk Management function. In this role, the Vice President, Information Security oversees the enterprise information security program, including cybersecurity governance, risk management, security awareness, third‑party risk management, and regulatory engagement. This role works closely with executive leadership, technology teams, and risk management stakeholders to oversee cybersecurity controls, support enterprise resilience, and address emerging technology and information security risks. The Vice President, Information Security also serves as a primary liaison with banking regulators and contributes to management‑level and board‑level discussions regarding cybersecurity and technology risk. The Vice President, Information Security has more than 25 years of experience in cybersecurity, systems administration, and technology roles of increasing responsibility.
We are required to protect customer information in compliance with the GLBA and other consumer privacy laws and regulations. Our information security program is regularly audited by Company internal auditors. We engage independent third parties to perform quarterly vulnerability scans and annual penetration testing against system infrastructure. We also maintain insurance commensurate with management’s assessment of the levels of security and privacy risk. All employees are required to take regular training on information security requirements and must acknowledge policies and standards annually. In addition, we conduct frequent phishing campaigns to test and educate all employees on how to spot phishing attacks and to measure the effectiveness of our training program.
We also maintain a Cybersecurity Incident Response Policy which outlines the steps to be taken in the event of a cybersecurity incident. The Cybersecurity Incident Response Policy identifies a cybersecurity incident response team, led by the Director of Cybersecurity, and summarizes the processes regarding the identification of incidents, communication during an incident response process, containment efforts, and recovery and eradication strategy. We actively monitor our systems for cybersecurity threats using a variety of methods, including alerts that can be raised by automated monitoring tools, personal observations of security or operations personnel, employee reports, or notifications from external entities, such as business partners or law enforcement.
Finally, applications, infrastructure components and service providers that handle sensitive information are evaluated annually as part of the information security risk assessment. New applications, infrastructure components and service providers are also assessed prior to integration with existing systems. We have processes in place to oversee and identify the cybersecurity risks associated with third-party service providers before onboarding new providers and on an ongoing basis, and contractually require material service providers, contractors, sub-contractors, or other third parties that process, transmit, access, or store bank or customer data to comply with relevant Company policies (including, but not limited to, retention, encryption, transmission, and application security policies) and safeguards and to be in compliance with applicable laws.
We face cybersecurity risks in connection with our normal business that could have a material adverse effect on our business strategy, results of operations, financial condition, or reputation. Although such risks have not materially affected the Company, it has experienced, and may continue to experience, cybersecurity incidents during the normal course of business. For further discussion about these risks, see “Part I, Item 1A. Risk Factors—Operational Risks—The occurrence of fraudulent activity, breaches or failures of our information security controls or cybersecurity-related incidents could have a material adverse effect on our business, financial condition and results of operations,” in this Annual Report on Form 10-K.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Cybersecurity is an important part of the Company’s risk management. We maintain a layered governance structure to oversee cybersecurity risk as part of our enterprise risk management framework.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] Our Board, both directly and through its committees, is responsible for overseeing our risk management processes. The Board exercises oversight of cybersecurity risk primarily through its Risk Committee, which receives regular reports and is informed of significant cybersecurity incidents and events and reports to the full Board as appropriate.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board, both directly and through its committees, is responsible for overseeing our risk management processes. The Board exercises oversight of cybersecurity risk primarily through its Risk Committee, which receives regular reports and is informed of significant cybersecurity incidents and events and reports to the full Board as appropriate.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Management oversight begins with the IT Risk Committee, which meets weekly to identify, monitor, and manage information technology and cybersecurity risks and escalate significant matters as appropriate. Executive oversight is provided by the Technology Management Committee, which is chaired by the Chief Information Officer and reports to the Risk Committee. The Technology Management Committee is responsible for (i) assisting the Board in defining the Company’s risk appetite with regard to technology, security, and data; (ii) evaluating the alignment of technology investments with business objectives and risk tolerance; (iii) overseeing information technology, cybersecurity, and data governance risks, ensuring they are managed in line with the Company’s risk profile and regulatory expectations; (iv) ensuring effective IT governance, including policies, procedures, and internal controls; and (v) tracking the progress and performance of major IT projects. The Technology Management Committee meets quarterly to review significant technology and cybersecurity risks, related management actions, and escalation items. Cybersecurity risk is also reviewed quarterly by the Enterprise Risk Management Committee through key risk indicators and key performance indicators and considered in the context of the Company’s overall enterprise risk profile.
Cybersecurity Risk Role of Management [Text Block] Management oversight begins with the IT Risk Committee, which meets weekly to identify, monitor, and manage information technology and cybersecurity risks and escalate significant matters as appropriate. Executive oversight is provided by the Technology Management Committee, which is chaired by the Chief Information Officer and reports to the Risk Committee. The Technology Management Committee is responsible for (i) assisting the Board in defining the Company’s risk appetite with regard to technology, security, and data; (ii) evaluating the alignment of technology investments with business objectives and risk tolerance; (iii) overseeing information technology, cybersecurity, and data governance risks, ensuring they are managed in line with the Company’s risk profile and regulatory expectations; (iv) ensuring effective IT governance, including policies, procedures, and internal controls; and (v) tracking the progress and performance of major IT projects. The Technology Management Committee meets quarterly to review significant technology and cybersecurity risks, related management actions, and escalation items. Cybersecurity risk is also reviewed quarterly by the Enterprise Risk Management Committee through key risk indicators and key performance indicators and considered in the context of the Company’s overall enterprise risk profile.
We have adopted comprehensive information security and data privacy policies and standards informed by recognized industry frameworks, including the Center for Internet Security (CIS) Critical Security Controls and applicable International Organization for Standardization (ISO) standards, and regularly benchmark our information security program against reputable industry assessments to support ongoing effectiveness and maturity. Within this framework, we have established defined management roles responsible for the day‑to‑day oversight and execution of cybersecurity and information security activities. These roles operate within management‑level committees and reporting structures designed to translate governance objectives and risk appetite into operational practices, support regulatory engagement and examination readiness, and ensure timely identification, escalation, and reporting of cybersecurity risks to executive management and the Board, as appropriate. Management involved in cybersecurity and information security activities possess the necessary skills and expertise to manage and enforce our information security and privacy policies and standards.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Management oversight begins with the IT Risk Committee, which meets weekly to identify, monitor, and manage information technology and cybersecurity risks and escalate significant matters as appropriate. Executive oversight is provided by the Technology Management Committee, which is chaired by the Chief Information Officer and reports to the Risk Committee. The Technology Management Committee is responsible for (i) assisting the Board in defining the Company’s risk appetite with regard to technology, security, and data; (ii) evaluating the alignment of technology investments with business objectives and risk tolerance; (iii) overseeing information technology, cybersecurity, and data governance risks, ensuring they are managed in line with the Company’s risk profile and regulatory expectations; (iv) ensuring effective IT governance, including policies, procedures, and internal controls; and (v) tracking the progress and performance of major IT projects. The Technology Management Committee meets quarterly to review significant technology and cybersecurity risks, related management actions, and escalation items. Cybersecurity risk is also reviewed quarterly by the Enterprise Risk Management Committee through key risk indicators and key performance indicators and considered in the context of the Company’s overall enterprise risk profile.
We have adopted comprehensive information security and data privacy policies and standards informed by recognized industry frameworks, including the Center for Internet Security (CIS) Critical Security Controls and applicable International Organization for Standardization (ISO) standards, and regularly benchmark our information security program against reputable industry assessments to support ongoing effectiveness and maturity. Within this framework, we have established defined management roles responsible for the day‑to‑day oversight and execution of cybersecurity and information security activities. These roles operate within management‑level committees and reporting structures designed to translate governance objectives and risk appetite into operational practices, support regulatory engagement and examination readiness, and ensure timely identification, escalation, and reporting of cybersecurity risks to executive management and the Board, as appropriate. Management involved in cybersecurity and information security activities possess the necessary skills and expertise to manage and enforce our information security and privacy policies and standards. The following descriptions summarize the responsibilities of key management positions with direct oversight of technology, cybersecurity operations, and information security.
Chief Information Officer - Our technology and information systems are overseen by the Chief Information Officer, who is responsible for enterprise technology strategy and operations, including core banking systems, infrastructure, and technology services supporting banking operations. This role provides leadership over technology functions and personnel and works closely with executive management, information security leadership, and risk management stakeholders to support the reliability, resilience, and security of the Company’s technology environment. The Chief Information Officer also contributes to management‑level and Board‑level discussions regarding significant technology initiatives, operational resilience, and emerging technology‑related risks. The Chief Information Officer has more than 35 years of experience working with the development, deployment, and support of IT solutions for financial institutions.
Director of Cybersecurity - Our cybersecurity program is led by the Director of Cybersecurity, who reports within the Company's technology function. In this role, the Director of Cybersecurity is responsible for the design and execution of cybersecurity operations, including security architecture, vulnerability management, identity and access controls, and components of third‑party risk oversight. This role works closely with executive management, technology teams, and information security leadership to enforce cybersecurity controls, support enterprise resilience, and identify and address emerging cyber and technology risks. The Director of Cybersecurity serves as a key liaison between technical security operations and broader governance and risk management functions and supports regulatory engagement, examination readiness, and management‑level and board‑level discussions regarding cybersecurity and technology risk. The Director of Cybersecurity has more than 35 years of experience across technology, infrastructure, and cybersecurity roles of increasing responsibility.
Vice President, Information Security - Our information security function is led by the Vice President, Information Security, who reports to the Chief Risk Officer as part of our Risk Management function. In this role, the Vice President, Information Security oversees the enterprise information security program, including cybersecurity governance, risk management, security awareness, third‑party risk management, and regulatory engagement. This role works closely with executive leadership, technology teams, and risk management stakeholders to oversee cybersecurity controls, support enterprise resilience, and address emerging technology and information security risks. The Vice President, Information Security also serves as a primary liaison with banking regulators and contributes to management‑level and board‑level discussions regarding cybersecurity and technology risk. The Vice President, Information Security has more than 25 years of experience in cybersecurity, systems administration, and technology roles of increasing responsibility.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
Chief Information Officer - Our technology and information systems are overseen by the Chief Information Officer, who is responsible for enterprise technology strategy and operations, including core banking systems, infrastructure, and technology services supporting banking operations. This role provides leadership over technology functions and personnel and works closely with executive management, information security leadership, and risk management stakeholders to support the reliability, resilience, and security of the Company’s technology environment. The Chief Information Officer also contributes to management‑level and Board‑level discussions regarding significant technology initiatives, operational resilience, and emerging technology‑related risks. The Chief Information Officer has more than 35 years of experience working with the development, deployment, and support of IT solutions for financial institutions.
Director of Cybersecurity - Our cybersecurity program is led by the Director of Cybersecurity, who reports within the Company's technology function. In this role, the Director of Cybersecurity is responsible for the design and execution of cybersecurity operations, including security architecture, vulnerability management, identity and access controls, and components of third‑party risk oversight. This role works closely with executive management, technology teams, and information security leadership to enforce cybersecurity controls, support enterprise resilience, and identify and address emerging cyber and technology risks. The Director of Cybersecurity serves as a key liaison between technical security operations and broader governance and risk management functions and supports regulatory engagement, examination readiness, and management‑level and board‑level discussions regarding cybersecurity and technology risk. The Director of Cybersecurity has more than 35 years of experience across technology, infrastructure, and cybersecurity roles of increasing responsibility.
Vice President, Information Security - Our information security function is led by the Vice President, Information Security, who reports to the Chief Risk Officer as part of our Risk Management function. In this role, the Vice President, Information Security oversees the enterprise information security program, including cybersecurity governance, risk management, security awareness, third‑party risk management, and regulatory engagement. This role works closely with executive leadership, technology teams, and risk management stakeholders to oversee cybersecurity controls, support enterprise resilience, and address emerging technology and information security risks. The Vice President, Information Security also serves as a primary liaison with banking regulators and contributes to management‑level and board‑level discussions regarding cybersecurity and technology risk. The Vice President, Information Security has more than 25 years of experience in cybersecurity, systems administration, and technology roles of increasing responsibility.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
We also maintain a Cybersecurity Incident Response Policy which outlines the steps to be taken in the event of a cybersecurity incident. The Cybersecurity Incident Response Policy identifies a cybersecurity incident response team, led by the Director of Cybersecurity, and summarizes the processes regarding the identification of incidents, communication during an incident response process, containment efforts, and recovery and eradication strategy. We actively monitor our systems for cybersecurity threats using a variety of methods, including alerts that can be raised by automated monitoring tools, personal observations of security or operations personnel, employee reports, or notifications from external entities, such as business partners or law enforcement.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true