Cybersecurity Risk Management, Strategy and Governance
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

The Company recognizes the risks posed by cybersecurity threats, including the risk of harm to our customers, our financial condition and results of operations, and our reputation. Following a layered defense-in-depth strategy, the Company utilizes a variety of controls and both internal and third-party resources to assess and manage identified risks. The following components of our information security program address cybersecurity risk management, and have been integrated into the Company’s overall risk management systems and processes:

Cybersecurity risks are identified and prioritized for resource allocation using two annual risk assessments: an internal risk assessment utilizing the Federal Financial Institutions Examination Council’s (“FFIEC”) Cybersecurity Assessment Tool, and a formal risk assessment prepared in conjunction with an external consultant.
A comprehensive set of security technologies constantly monitors our information systems and data, including endpoint detection and response services, intrusion detection and prevention, various filtering technologies, and event correlation technologies that alert management to potential cybersecurity threats.
Skilled internal personnel manage and update cyber defense functions including engineering, configuration, data protection, identity and access management, security operations, and threat intelligence.
Training programs continuously educate employees about cybersecurity risks and protection practices.
Periodic social engineering testing assists management in identifying training needs.
An incident response plan outlines the Company’s response to a cybersecurity incident. Periodic testing of the plan ensures readiness and identifies refinements.
Reputable third-party assessors are engaged to conduct various assessments on a regular basis.

Supporting the Company’s information security program is a third-party risk management program that manages the life cycle of external service providers and ensures that vendors meet the Company’s cybersecurity requirements. This includes a periodic risk assessment of vendors and the review of vendor assessment documentation including audit reports and other independent control assessments.

The Company’s cybersecurity risk management and strategy are regularly reviewed and updated to support our business strategy and objectives and our overall risk management, and to address evolving potential cybersecurity threats.

Material Effects of Cybersecurity Threats

Cybersecurity risks have the potential to materially affect the Company’s business, financial condition and results of operations. The Company has strengthened its cybersecurity framework in recent years, but the sophistication of emerging cyber threats and the utilization of new attack methods continue to evolve. The Company’s cybersecurity risk management and strategy may not protect against all cyber incidents. For more information on how cybersecurity risk may materially affect the Company’s business strategy, results of operations or financial condition, please refer to Item 1A, Risk Factors of this Form 10-K.

Governance

Board of Directors Oversight

The Company’s Board of Directors is charged with overseeing the establishment and execution of the Company’s enterprise risk management framework, including cybersecurity risk, and monitoring adherence to related policies required by applicable statutes, regulations and principles of safety and soundness. The Company’s Information Security Officer (“ISO”) provides the Board Risk Committee with regular updates on information security risk management and an annual comprehensive information security status report, which assesses the effectiveness of the program and updates the Risk Committee on developing trends and emerging threats.

Management’s Role

The Company’s ISO has many years of experience appropriate to the role and is supported by skilled internal personnel. The ISO is responsible for identifying, assessing and managing cybersecurity risks and designing, implementing and maintaining the Company’s information security program. The ISO reports to the Chief Risk Officer and the Board of Directors. Management’s enterprise risk management committee receives regular updates from the ISO on cybersecurity related risks, including trends and emerging threats.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] The following components of our information security program address cybersecurity risk management, and have been integrated into the Company’s overall risk management systems and processes
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] Cybersecurity risks have the potential to materially affect the Company’s business, financial condition and results of operations. The Company has strengthened its cybersecurity framework in recent years but
Cybersecurity Risk Board of Directors Oversight [Text Block]

Board of Directors Oversight

The Company’s Board of Directors is charged with overseeing the establishment and execution of the Company’s enterprise risk management framework, including cybersecurity risk, and monitoring adherence to related policies required by applicable statutes, regulations and principles of safety and soundness. The Company’s Information Security Officer (“ISO”) provides the Board Risk Committee with regular updates on information security risk management and an annual comprehensive information security status report, which assesses the effectiveness of the program and updates the Risk Committee on developing trends and emerging threats.

Cybersecurity Risk Role of Management [Text Block]

Management’s Role

The Company’s ISO has many years of experience appropriate to the role and is supported by skilled internal personnel. The ISO is responsible for identifying, assessing and managing cybersecurity risks and designing, implementing and maintaining the Company’s information security program. The ISO reports to the Chief Risk Officer and the Board of Directors. Management’s enterprise risk management committee receives regular updates from the ISO on cybersecurity related risks, including trends and emerging threats.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The Company’s Information Security Officer (“ISO”) provides the Board Risk Committee with regular updates on information security risk management and an annual comprehensive information security status report, which assesses the effectiveness of the program and updates the Risk Committee on developing trends and emerging threats.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The Company’s ISO has many years of experience appropriate to the role and is supported by skilled internal personnel.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Company’s Board of Directors is charged with overseeing the establishment and execution of the Company’s enterprise risk management framework, including cybersecurity risk, and monitoring adherence to related policies required by applicable statutes, regulations and principles of safety and soundness
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true