XML 45 R27.htm IDEA: XBRL DOCUMENT v3.25.1
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Abstract]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
The Company considers cybersecurity a subset of information security, and as such, cybersecurity risks and controls are assessed in our information security risk assessment and managed in our ISP. The ISP is developed and maintained utilizing the FFIEC Information Technology Examination Handbook and represents the standards, policies, procedures, and guidelines defining the Company’s security requirements and related activities, which includes risk management and risk assessment practices. Management has designated the ISO, along with the IT Steering Committee, with implementing and monitoring the ISP. The Company’s IT department is led by CTO, Senior Vice President of IT who has over 30 years of experience in the IT field, and other key personnel who have years of experience and various certifications related to assessing and managing cybersecurity risk. Additionally, the Company has established a comprehensive enterprise risk management program to monitor risks related to its operations, including cybersecurity risk, and the Company’s ISO has primary responsibility for the information security risk management program. Management also engages the services of third parties to assist IT with their tasks. The Company believes that risk management is a component of overall governance, and that IT risk management is a component of overall risk management.

The Company recognizes that our overall security culture contributes to the effectiveness of our ISP. The Company maintains an information security risk management program that identifies, prioritizes, and provides a formal structure for the internal and external risks that impact the organization. The Board of Directors sets the tone and direction for the Company’s use of IT and has identified the Audit Committee as having primary responsibility for oversight of the Company’s risk exposures and risk assessments and policies, including risks related to cybersecurity. The Board of Directors and Audit Committee approve and periodically review and re-approve the ISP and other IT related policies. While the Board of Directors may delegate the design, implementation, and monitoring of certain IT activities to the CTO, Senior Vice President of IT or designee, the full Board of Directors remains responsible for overseeing IT strategies and policies, including cybersecurity. To help carry out their responsibilities, Directors, management, and all employees are periodically trained to understand IT activities and risks, including cybersecurity risks. Management, via the Senior Vice President of IT and ISO, or combination, provides a status report to the Board of Directors at least annually, with more frequent communications, as necessary. The report describes the overall status of the ISP and material matters related to the program, including security breaches, cybersecurity assessments, cybersecurity awareness training for employees and the Board of Directors and results of incident response testing.

The Company utilizes third-party threat analysis tools such as penetration testing and vulnerability scanning to assist in understanding and supporting the measurement of information security related risks. Additionally, the Company uses third-party tools to help management identify current cybersecurity risks and control maturity levels, and to evaluate overall cybersecurity preparedness. The Company has also implemented an action plan designed to identify potential actions that would improve our overall cybersecurity posture, and periodically reevaluates both cybersecurity risks and controls to assure they are commensurate with our size and complexity and are keeping pace with the overall cybersecurity threat environment.

Management also obtains, analyzes, and responds to information from various sources on cybersecurity threats and vulnerabilities that may affect the Company, while incorporating available information on cybersecurity events into our ISP. Additionally, management develops, maintains, and updates a repository of cybersecurity threat and vulnerability information that may be used in conducting risk assessments, and ultimately provide updates to the Board of Directors on cybersecurity risk trends. The Company has not experienced any cybersecurity incidents in the past that have individually or in the aggregate had a materially adverse effect on our business, financial condition, or results of operations.

Additionally, the Company conducts due diligence in the selection and on-going monitoring of third-party service providers. Management is responsible for ensuring that such third parties use suitable information security controls when providing services to us. As part of the oversight of third-party service providers, management will determine whether cybersecurity risks are identified, measured, mitigated, monitored, and reported by such third parties.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] The Company has also implemented an action plan designed to identify potential actions that would improve our overall cybersecurity posture, and periodically reevaluates both cybersecurity risks and controls to assure they are commensurate with our size and complexity and are keeping pace with the overall cybersecurity threat environment.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] The Company has not experienced any cybersecurity incidents in the past that have individually or in the aggregate had a materially adverse effect on our business, financial condition, or results of operations.
Cybersecurity Risk Board of Directors Oversight [Text Block]
The Company considers cybersecurity a subset of information security, and as such, cybersecurity risks and controls are assessed in our information security risk assessment and managed in our ISP. The ISP is developed and maintained utilizing the FFIEC Information Technology Examination Handbook and represents the standards, policies, procedures, and guidelines defining the Company’s security requirements and related activities, which includes risk management and risk assessment practices. Management has designated the ISO, along with the IT Steering Committee, with implementing and monitoring the ISP. The Company’s IT department is led by CTO, Senior Vice President of IT who has over 30 years of experience in the IT field, and other key personnel who have years of experience and various certifications related to assessing and managing cybersecurity risk. Additionally, the Company has established a comprehensive enterprise risk management program to monitor risks related to its operations, including cybersecurity risk, and the Company’s ISO has primary responsibility for the information security risk management program. Management also engages the services of third parties to assist IT with their tasks. The Company believes that risk management is a component of overall governance, and that IT risk management is a component of overall risk management.

The Company recognizes that our overall security culture contributes to the effectiveness of our ISP. The Company maintains an information security risk management program that identifies, prioritizes, and provides a formal structure for the internal and external risks that impact the organization. The Board of Directors sets the tone and direction for the Company’s use of IT and has identified the Audit Committee as having primary responsibility for oversight of the Company’s risk exposures and risk assessments and policies, including risks related to cybersecurity. The Board of Directors and Audit Committee approve and periodically review and re-approve the ISP and other IT related policies. While the Board of Directors may delegate the design, implementation, and monitoring of certain IT activities to the CTO, Senior Vice President of IT or designee, the full Board of Directors remains responsible for overseeing IT strategies and policies, including cybersecurity. To help carry out their responsibilities, Directors, management, and all employees are periodically trained to understand IT activities and risks, including cybersecurity risks. Management, via the Senior Vice President of IT and ISO, or combination, provides a status report to the Board of Directors at least annually, with more frequent communications, as necessary. The report describes the overall status of the ISP and material matters related to the program, including security breaches, cybersecurity assessments, cybersecurity awareness training for employees and the Board of Directors and results of incident response testing.

The Company utilizes third-party threat analysis tools such as penetration testing and vulnerability scanning to assist in understanding and supporting the measurement of information security related risks. Additionally, the Company uses third-party tools to help management identify current cybersecurity risks and control maturity levels, and to evaluate overall cybersecurity preparedness. The Company has also implemented an action plan designed to identify potential actions that would improve our overall cybersecurity posture, and periodically reevaluates both cybersecurity risks and controls to assure they are commensurate with our size and complexity and are keeping pace with the overall cybersecurity threat environment.

Management also obtains, analyzes, and responds to information from various sources on cybersecurity threats and vulnerabilities that may affect the Company, while incorporating available information on cybersecurity events into our ISP. Additionally, management develops, maintains, and updates a repository of cybersecurity threat and vulnerability information that may be used in conducting risk assessments, and ultimately provide updates to the Board of Directors on cybersecurity risk trends. The Company has not experienced any cybersecurity incidents in the past that have individually or in the aggregate had a materially adverse effect on our business, financial condition, or results of operations.

Additionally, the Company conducts due diligence in the selection and on-going monitoring of third-party service providers. Management is responsible for ensuring that such third parties use suitable information security controls when providing services to us. As part of the oversight of third-party service providers, management will determine whether cybersecurity risks are identified, measured, mitigated, monitored, and reported by such third parties.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Board of Directors and Audit Committee approve and periodically review and re-approve the ISP and other IT related policies. While the Board of Directors may delegate the design, implementation, and monitoring of certain IT activities to the CTO, Senior Vice President of IT or designee, the full Board of Directors remains responsible for overseeing IT strategies and policies, including cybersecurity.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Board of Directors and Audit Committee approve and periodically review and re-approve the ISP and other IT related policies. While the Board of Directors may delegate the design, implementation, and monitoring of certain IT activities to the CTO, Senior Vice President of IT or designee, the full Board of Directors remains responsible for overseeing IT strategies and policies, including cybersecurity. To help carry out their responsibilities, Directors, management, and all employees are periodically trained to understand IT activities and risks, including cybersecurity risks. Management, via the Senior Vice President of IT and ISO, or combination, provides a status report to the Board of Directors at least annually, with more frequent communications, as necessary. The report describes the overall status of the ISP and material matters related to the program, including security breaches, cybersecurity assessments, cybersecurity awareness training for employees and the Board of Directors and results of incident response testing.
Cybersecurity Risk Role of Management [Text Block] The Board of Directors and Audit Committee approve and periodically review and re-approve the ISP and other IT related policies. While the Board of Directors may delegate the design, implementation, and monitoring of certain IT activities to the CTO, Senior Vice President of IT or designee, the full Board of Directors remains responsible for overseeing IT strategies and policies, including cybersecurity. To help carry out their responsibilities, Directors, management, and all employees are periodically trained to understand IT activities and risks, including cybersecurity risks. Management, via the Senior Vice President of IT and ISO, or combination, provides a status report to the Board of Directors at least annually, with more frequent communications, as necessary. The report describes the overall status of the ISP and material matters related to the program, including security breaches, cybersecurity assessments, cybersecurity awareness training for employees and the Board of Directors and results of incident response testing.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Management has designated the ISO, along with the IT Steering Committee, with implementing and monitoring the ISP. The Company’s IT department is led by CTO, Senior Vice President of IT who has over 30 years of experience in the IT field, and other key personnel who have years of experience and various certifications related to assessing and managing cybersecurity risk. Additionally, the Company has established a comprehensive enterprise risk management program to monitor risks related to its operations, including cybersecurity risk, and the Company’s ISO has primary responsibility for the information security risk management program.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The Company’s IT department is led by CTO, Senior Vice President of IT who has over 30 years of experience in the IT field, and other key personnel who have years of experience and various certifications related to assessing and managing cybersecurity risk.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Management also obtains, analyzes, and responds to information from various sources on cybersecurity threats and vulnerabilities that may affect the Company, while incorporating available information on cybersecurity events into our ISP. Additionally, management develops, maintains, and updates a repository of cybersecurity threat and vulnerability information that may be used in conducting risk assessments, and ultimately provide updates to the Board of Directors on cybersecurity risk trends.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true