Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended

Dec. 31, 2024

Cybersecurity Risk Management, Strategy, and Governance [Line Items]

Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

We rely extensively on various information systems and other electronic resources to operate our business. In addition, nearly all of our customers, service providers and other business partners on whom we depend, including the providers of our online banking, mobile banking and accounting systems, use these systems and their own electronic information systems. Any of these systems can be compromised, including through the employees, customers and other individuals who are authorized to use them, and threat actors use a sophisticated and constantly evolving set of software, tools, and strategies to do so. The nature of our business, as a financial services provider, and our relative size, make us and our business partners high-value targets for these bad actors to pursue. See section “Risks Related to Our Business.”

Accordingly, we have long devoted significant resources to assessing, identifying, and managing risks associated with cybersecurity threats, including:

an internal information security team that is responsible for conducting regular assessments of our information systems, existing controls, vulnerabilities and potential improvements;

continuous monitoring tools that can detect and help respond to cybersecurity threats in real time;

performing due diligence with respect to our third-party service providers, including their cybersecurity practices, and requiring contractual commitments from our service providers to take certain cybersecurity measures;

third-party information security and cybersecurity consultants, who conduct periodic penetration testing, vulnerability assessments and other procedures to identify potential weaknesses in our systems and processes; and

ongoing cybersecurity training and phishing testing for our employees.

Cybersecurity Risk Management Processes Integrated [Flag]

true

Cybersecurity Risk Management Processes Integrated [Text Block]

This information security program is a key part of our overall risk management system. The program includes administrative, technical, and physical safeguards to help ensure the security and confidentiality of customer records and information. These security and privacy policies and procedures are in effect across all our businesses and geographic locations.

Cybersecurity Risk Management Third Party Engaged [Flag]

true

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]

true

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]

false

Cybersecurity Risk Board of Directors Oversight [Text Block]

Our management team is responsible for the day-to-day management of risks we face, including our Chief Information Security Officer. Our Chief Information Security Officer has over 40 years of experience, including prior work in government, law enforcement, military, and private industry in cybersecurity and digital forensics. He has a PhD in information security specializing in digital forensics and multiple professional certifications in the field.

In addition, our board of directors, as a whole and through the Bank's Enterprise Risk Management Committee, is responsible for the oversight of risk management. In that role, our board of directors and the Enterprise Risk Management Committee, with support from the Corporation’s cybersecurity advisors, are responsible for ensuring that the risk management processes designed and implemented by management are adequate and functioning as designed. To carry out those duties, our board of directors receives reports, at least quarterly, from our management team regarding cybersecurity risks, and the Corporation’s efforts to prevent, detect, mitigate, and remediate any cybersecurity incidents.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

Enterprise Risk Management Committee

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

In addition, our board of directors, as a whole and through the Bank's Enterprise Risk Management Committee, is responsible for the oversight of risk management. In that role, our board of directors and the Enterprise Risk Management Committee, with support from the Corporation’s cybersecurity advisors, are responsible for ensuring that the risk management processes designed and implemented by management are adequate and functioning as designed. To carry out those duties, our board of directors receives reports, at least quarterly, from our management team regarding cybersecurity risks, and the Corporation’s efforts to prevent, detect, mitigate, and remediate any cybersecurity incidents.

Cybersecurity Risk Role of Management [Text Block]

Our management team is responsible for the day-to-day management of risks we face, including our Chief Information Security Officer. Our Chief Information Security Officer has over 40 years of experience, including prior work in government, law enforcement, military, and private industry in cybersecurity and digital forensics. He has a PhD in information security specializing in digital forensics and multiple professional certifications in the field.

Cybersecurity Risk Management Positions or Committees Responsible [Flag]

true

Cybersecurity Risk Management Positions or Committees Responsible [Text Block]

Chief Information Security Officer

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

Our Chief Information Security Officer has over 40 years of experience, including prior work in government, law enforcement, military, and private industry in cybersecurity and digital forensics. He has a PhD in information security specializing in digital forensics and multiple professional certifications in the field.

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

our board of directors and the Enterprise Risk Management Committee, with support from the Corporation’s cybersecurity advisors, are responsible for ensuring that the risk management processes designed and implemented by management are adequate and functioning as designed. To carry out those duties, our board of directors receives reports, at least quarterly, from our management team regarding cybersecurity risks, and the Corporation’s efforts to prevent, detect, mitigate, and remediate any cybersecurity incidents

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]

true