|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Our risk management program is designed to identify, assess, and mitigate risks across various aspects of our company, including but not limited to the following risks: operational, regulatory compliance, reputational, strategic, information technology, data security and privacy, and market risks such as interest rate, credit, liquidity and price risks. Cybersecurity is a critical component of this program, given the increasing reliance on technology and potential of cyber threats. Our Board of Directors is responsible for risk oversight over all significant risks facing the Corporation and fulfills this responsibility mainly through its committees. While our Board of Directors takes an oversight role in cybersecurity risk tolerance, we rely to a large degree on management and outside consultants in overseeing cybersecurity risk management. Our Director of Technology Solutions, who reports directly to our Chief Information Officer, is primarily responsible for this cybersecurity component and is a member of management's Operational Risk and IT Steering Committees, and regularly attends and presents to the Risk Committee of our Board of Directors ("Risk Committee").
Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse our systems or information. Theof our information security program is designed around regulatory guidance, and other industry standards. In addition, we certain industry and government , audits, and threat intelligence feeds to facilitate and promote program effectiveness.
We leverage people, processes, and technology as part of our efforts to manage and maintain cybersecurity controls. We also employ a variety of preventative and detective tools designed to provide alerts and monitor and block suspicious activity, as well as to report on suspected advanced persistent threats. We have established processes and systems designed to mitigate cyber risk, including regular and on-going education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests. We engage in regular assessments of our infrastructure, software systems, and network architecture, using internal and-party specialists. We also maintain a -party risk management program designed to identify, assess, and manage risks, including cybersecurity risks, associated with external service providers. We also actively monitor our email gateways for malicious phishing email campaigns and monitor remote connections as a significant portion of our workforce has the ability to work remotely. We leverage internal and external auditors and independent external partners to periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and make recommendations to strengthen our risk management program.
We maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including notification of and escalation to the appropriate team members as well as executive management and the Board of Directors. The Incident Response Plan is coordinated through the Director of Technology Solutions and key members of management. The Incident Response Plan facilitates coordination across multiple departments and is evaluated at least annually.
Notwithstanding our defensive measures and processes, the threat posed by cyberattacks is severe. Our internal systems, processes, and controls are designed to mitigate loss from cyberattacks. To date, the Corporation has not, to its knowledge, experienced an incident materially affecting or reasonably likely to materially affect the Corporation.
The Director of Technology Solutions provides information security updates to the IT Steering Committee and the Risk Committee. Cybersecurity metrics are reported to the IT Steering Committee monthly and to the Risk Committee on a quarterly basis. Security training is provided to all staff through targeted training overseen by the Director of Technology Solutions. All Board members receive cybersecurity training annually.
The Board of Directors recognizes the importance of the Interagency Guidelines Establishing Standards for Safeguarding Customer Information and has incorporated those elements in its ongoing oversight of the Information Security Program. At least annually, the Director of Technology Solutions and the Chief Risk Officer report to the Risk Committee the overall status of the Information Security Program. Any material findings related to the risk assessment, risk management and control decisions, service provider arrangements, results of testing, security breaches or violations are discussed as are management’s responses and any recommendations for program changes.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our risk management program is designed to identify, assess, and mitigate risks across various aspects of our company, including but not limited to the following risks: operational, regulatory compliance, reputational, strategic, information technology, data security and privacy, and market risks such as interest rate, credit, liquidity and price risks. Cybersecurity is a critical component of this program, given the increasing reliance on technology and potential of cyber threats. Our Board of Directors is responsible for risk oversight over all significant risks facing the Corporation and fulfills this responsibility mainly through its committees. While our Board of Directors takes an oversight role in cybersecurity risk tolerance, we rely to a large degree on management and outside consultants in overseeing cybersecurity risk management. Our Director of Technology Solutions, who reports directly to our Chief Information Officer, is primarily responsible for this cybersecurity component and is a member of management's Operational Risk and IT Steering Committees, and regularly attends and presents to the Risk Committee of our Board of Directors ("Risk Committee").
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|Notwithstanding our defensive measures and processes, the threat posed by cyberattacks is severe. Our internal systems, processes, and controls are designed to mitigate loss from cyberattacks. To date, the Corporation has not, to its knowledge, experienced an incident materially affecting or reasonably likely to materially affect the Corporation.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|We maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including notification of and escalation to the appropriate team members as well as executive management and the Board of Directors. The Incident Response Plan is coordinated through the Director of Technology Solutions and key members of management. The Incident Response Plan facilitates coordination across multiple departments and is evaluated at least annually.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Director of Technology Solutions provides information security updates to the IT Steering Committee and the Risk Committee. Cybersecurity metrics are reported to the IT Steering Committee monthly and to the Risk Committee on a quarterly basis. Security training is provided to all staff through targeted training overseen by the Director of Technology Solutions. All Board members receive cybersecurity training annually.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef