|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
The Corporation's cybersecurity risk management program is integrated into our enterprise risk management program and is designed to expeditiously identify, analyze and protect against security threats to its computer systems, software, networks, storage devices and other technology assets. Our management team, with oversight from our Board of Directors, proactively manages the Corporation's cybersecurity risks to avoid or minimize the impacts of attacks by unauthorized parties attempting to obtain access to confidential information, destroy data, disrupt service, sabotage systems or cause other damage. Specifically, the Corporation has appointed a CISO to maintain a comprehensive information security program. Our strategy includes a continuous improvement mindset along with a defense in depth approach to cybersecurity. We utilize industry standards that include the NIST Cybersecurity Framework and the Financial Services Sector Cybersecurity Profile. Our layered security architecture consists of innovative technology to detect, prevent, and mitigate cybersecurity threats. Ongoing proactive analysis of cyber threat intelligence ensures that we are taking the appropriate counter measures to defend against the latest threats. We use monitoring and preventive controls to detect and respond swiftly to data breaches and cyber threats involving our systems. We regularly evaluate our systems and controls and implement upgrades as necessary. We also attempt to reduce our exposure to our vendors' data privacy and cyber incidents by performing initial vendor due diligence that is updated periodically for critical vendors, negotiating service level standards with vendors, negotiating for indemnification from vendors for confidentiality and data breaches, and limiting third-party access to the least privileged level necessary to perform outsourced functions. The additional cost to us of data and cybersecurity monitoring and protection systems and controls includes the cost of hardware and software, third-party technology providers, consulting and forensic testing firms, insurance premium costs, legal fees and the cost of personnel who focus a substantial portion of their responsibilities on data security and cybersecurity.
The Corporation uses an integrated cybersecurity incident response plan ICIRP designed to enable management to respond timely to cybersecurity incidents, coordinate such responses within the Corporation and with our Board of Directors, notify law enforcement and other government agencies, and notify customers and employees. The ICIRP provides a documented framework for identifying and responding to actual or potential cybersecurity incidents, including timely notification of and escalation to the CIRST. The CIRST facilitates coordination across key stakeholders of the Corporation. The Corporation's CISO and key members of management are members of the ICIRP. The Corporation provides the CISO and the information security team with a comprehensive suite of security tools and techniques to protect the confidentiality, integrity and availability of the Corporation's data for the benefit of our customers, employees and shareholders. We periodically engage third-party consultants to assess the effectiveness of our strategy, tools and techniques, and overall information security program. Independent oversight and assurance activities include internal audits, vulnerability assessments and penetration testing. The Corporation's cybersecurity professionals are well-trained on how to protect customer and employee information through ongoing education and awareness initiatives.The Corporation maintains a third-party risk management program designed to identify, analyze and monitor risks, including cybersecurity risks, associated with vendors and outside service providers. Our vendor risk management team collaborates closely with the information security team to ensure third parties meet certain information security control requirements. Our information security team proactively monitors our internal systems and email gateways for phishing email attacks. Remote connections are also assessed and monitored given a portion of our workforce works remotely.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|The Corporation's cybersecurity risk management program is integrated into our enterprise risk management program and is designed to expeditiously identify, analyze and protect against security threats to its computer systems, software, networks, storage devices and other technology assets.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Our Board of Directors provides direction and oversight over the Corporation's enterprise-wide risk management program, including risks related to cybersecurity.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Risk Committee is responsible for overseeing the Corporation's information security program and execution.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Risk Committee promotes collaboration and cooperation between various elements within the Corporation relative to information security. Cybersecurity incidents are managed through the ICIRP, which provides direction to management allowing for the timely transfer of information throughout the organization. Our policy requires material incidents to be reported within four business days
|Cybersecurity Risk Role of Management [Text Block]
|Our management team, with oversight from our Board of Directors, proactively manages the Corporation's cybersecurity risks to avoid or minimize the impacts of attacks by unauthorized parties attempting to obtain access to confidential information, destroy data, disrupt service, sabotage systems or cause other damage. Specifically, the Corporation has appointed a CISO to maintain a comprehensive information security program. Our strategy includes a continuous improvement mindset along with a defense in depth approach to cybersecurity. We utilize industry standards that include the NIST Cybersecurity Framework and the Financial Services Sector Cybersecurity Profile. Our layered security architecture consists of innovative technology to detect, prevent, and mitigate cybersecurity threats. Ongoing proactive analysis of cyber threat intelligence ensures that we are taking the appropriate counter measures to defend against the latest threats. We use monitoring and preventive controls to detect and respond swiftly to data breaches and cyber threats involving our systems. We regularly evaluate our systems and controls and implement upgrades as necessary. We also attempt to reduce our exposure to our vendors' data privacy and cyber incidents by performing initial vendor due diligence that is updated periodically for critical vendors, negotiating service level standards with vendors, negotiating for indemnification from vendors for confidentiality and data breaches, and limiting third-party access to the least privileged level necessary to perform outsourced functions. The additional cost to us of data and cybersecurity monitoring and protection systems and controls includes the cost of hardware and software, third-party technology providers, consulting and forensic testing firms, insurance premium costs, legal fees and the cost of personnel who focus a substantial portion of their responsibilities on data security and cybersecurity.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Specifically, the Corporation has appointed a CISO to maintain a comprehensive information security program.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The Corporation's cybersecurity professionals are well-trained on how to protect customer and employee information through ongoing education and awareness initiatives.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Cybersecurity incidents are managed through the ICIRP, which provides direction to management allowing for the timely transfer of information throughout the organization. Our policy requires material incidents to be reported within four business days after an incident is determined to be material with the materiality determination to be completed without unreasonable delay. Management's Disclosure Committee has developed a plan to facilitate making timely determinations as to whether and when incidents should be disclosed. If a material incident occurs, the Corporation will describe in detail the material aspects and nature, scope and timing of the incident, along with the impact to its financial condition and results of operations.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef