|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cybersecurity Risk Assessment, Identification, and Management Processes
Our cybersecurity processes have been integrated into our risk management system.
We employ a comprehensive cybersecurity risk assessment program designed to evaluate threats, vulnerabilities, and the potential impact on our operations, data, and financial condition. This program is regularly reviewed and updated to address emerging risks. Our process for addressing risk is based on banking industry best practices outlined in FFIEC and National Institute of Standards and Technology (“NIST”) frameworks.
We engage various third-party service providers in connection with our cybersecurity processes.
We routinely engage consultants and other third parties to assist in the continued improvement and maintenance of our cybersecurity risk assessment program. These engagements are designed to enhance our cybersecurity posture, and we work closely with these experts to help us identify and address risks and vulnerabilities. Examples of these engagements include third party security assessments, security monitoring, and program review.
We closely oversee and monitor third-party cybersecurity service providers.
We maintain policies and procedures to oversee and identify cybersecurity risks associated with our third-party service providers, especially those with access to customer and employee data. Our selection and oversight of these providers incorporate cybersecurity considerations, including contractual and other mechanisms to mitigate risks. Our third-party oversight process follows published frameworks from NIST and FFIEC to account for risks throughout the entire engagement with our third-party vendors.
We consistently engage in proactive measures aimed at preventing, detecting, and effectively minimizing the impact of cybersecurity incidents. We maintain an incident response plan to swiftly respond to breaches, protect customer data, and minimize disruption to our operations. The incident response process is consistently tested and reviewed through simulated incidents and tabletop exercises with key stakeholders. To bolster our incident response process, we have robust business continuity, contingency, and recovery plans to ensure operational resilience during a cybersecurity incident.
We have not experienced a material cybersecurity breach, but risks from cybersecurity threats may impact our business strategy, results of operations, and financial condition.
No risks from any current or previous cybersecurity threats have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition, except to the extent that such strategy, operations, and conditions are affected by our employment of the cybersecurity risk assessment programs and procedures discussed in this Item. We have not, as of the date of this filing, experienced a cybersecurity breach that has materially affected our business or financial condition. However, because our business involves the collection, transmission, and storage of sensitive customer and employee data, we are susceptible to various cybersecurity threats, including cyberattacks, unauthorized access, and similar events. We employ ongoing processes and strategies to guard against those threats, as discussed in this Item.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Our cybersecurity processes have been integrated into our risk management system.
We employ a comprehensive cybersecurity risk assessment program designed to evaluate threats, vulnerabilities, and the potential impact on our operations, data, and financial condition. This program is regularly reviewed and updated to address emerging risks. Our process for addressing risk is based on banking industry best practices outlined in FFIEC and National Institute of Standards and Technology (“NIST”) frameworks.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board of Directors and Chief Executive Officer, in collaboration with our Chief Information Officer and Chief Risk Officer, oversee cybersecurity processes, risks, and threats.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our Board of Directors and Chief Executive Officer, in collaboration with our Chief Information Officer and Chief Risk Officer, oversee cybersecurity processes, risks, and threats.Rather than designate one specific board committee to cybersecurity risk management, our entire Board of Directors is responsible for overseeing our risk management.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
As noted above, our Chief Risk Officer, Chief Information Security Officer, and cybersecurity team provide regular reports to the Board regarding cybersecurity risks, as well as a review of the processes described above. In particular, our Chief Risk Officer provides reports at every regularly scheduled Board meeting regarding our most material risks and the degree of exposure to these risks. Our management personnel are also required to provide more frequent updates to the Enterprise Risk Committee on major developments regarding cybersecurity matters. The Committee, in turn, provides regular updates to the Board on these matters.
|Cybersecurity Risk Role of Management [Text Block]
|Our Chief Risk Officer is responsible for overseeing our risk management
generally, working closely with our internal audit department. Our Chief Risk Officer regularly reports directly to the Board of Directors with respect to all areas of risk management.
With regard to cybersecurity specifically, we have a Chief Information Security Officer who reports to our Chief Information Officer, with a dotted-line reporting relationship to our Chief Executive Officer, and collaborates regularly with our Chief Risk Officer and Risk Team. Our Chief Information Security Officer meets with the Chief Executive Officer on a standard cadence and chairs a committee focused on cybersecurity with monthly reports made to our Risk Committee. Minutes from these meetings as well as select materials are shared with the full Board of Directors, and our Chief Information Security Officer delivers an annual report to our Board of Directors.
In addition, our entire management team is actively engaged in assessing and managing material risks from cybersecurity threats. We have established a robust framework for identifying, preventing, mitigating, and remediating such risks.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
With regard to cybersecurity specifically, we have a Chief Information Security Officer who reports to our Chief Information Officer, with a dotted-line reporting relationship to our Chief Executive Officer, and collaborates regularly with our Chief Risk Officer and Risk Team. Our Chief Information Security Officer meets with the Chief Executive Officer on a standard cadence and chairs a committee focused on cybersecurity with monthly reports made to our Risk Committee. Minutes from these meetings as well as select materials are shared with the full Board of Directors, and our Chief Information Security Officer delivers an annual report to our Board of Directors.
In addition, our entire management team is actively engaged in assessing and managing material risks from cybersecurity threats. We have established a robust framework for identifying, preventing, mitigating, and remediating such risks.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Our current Chief Information Security Officer has a comprehensive information security background with over 20 years of experience in managing or assisting in managing cybersecurity risks across multiple industries with the majority of that experience at community banking institutions. Our Chief Information Security Officer holds multiple industry certifications from groups such as ISC2 and GIAC.To support the Chief Information Security Officer in managing cybersecurity and our Chief Risk Officer in managing cybersecurity risks, we have established a cross-functional cybersecurity team that includes experts in various aspects of information security. This team of employees includes individuals with many years of prior combined work experience in cybersecurity and data protection. These individuals are responsible for the day-to-day implementation of our cybersecurity program, including providing immediate notice to our Chief Information Security Officer and our Chief Risk Officer of any potential cybersecurity incidents.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
As noted above, our Chief Risk Officer, Chief Information Security Officer, and cybersecurity team provide regular reports to the Board regarding cybersecurity risks, as well as a review of the processes described above. In particular, our Chief Risk Officer provides reports at every regularly scheduled Board meeting regarding our most material risks and the degree of exposure to these risks. Our management personnel are also required to provide more frequent updates to the Enterprise Risk Committee on major developments regarding cybersecurity matters. The Committee, in turn, provides regular updates to the Board on these matters.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef