|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
We have developed a comprehensive Information Security Program (“ISP”) that was designed as the guiding policy to establish standards designed to protect the confidentiality of nonpublic, sensitive personal and business information, protect against potential threats to the security or integrity of such information, and protect against unauthorized access to or use of such information. The ISP applies to all Company employees, contractors, consultants, and third-party vendors as well as all technology owned and operated by the Bank. The scope of the ISP covers customer data as well as the Company’s strategic and proprietary information. The Board of Directors approves the ISP annually. Additionally, the Information Technology Steering Committee (“ITSC”) must approve significant modifications to the ISP prior to review and approval by the Board of Directors. The Chief Information Officer (“CIO”) is responsible for the implementation and maintenance of the ISP.
Key elements of our ISP include:
Our Information Security Governance Plan (“InfoSec”) is a component of the ISP and provides for strategic oversight of critical aspects of the Bank’s information security. The objective of InfoSec is to provide a framework for decision-making and accountability for information security issues to ensure that the ISP is actively monitored, and information security permeates through all areas and initiatives across the organization. InfoSec is actively managed by an InfoSec Governance Council ("ISGC") that consists of the Chief Risk Officer ("CRO"), virtual Chief Information Security Officer ("CISO"), Chief Strategy and Innovation Officer ("CSIO"), a cybersecurity focused systems engineer, and the CIO. The CRO, CISO, and CIO are part of the ITSC, along with other executives of the Bank.
Security assessments are an ongoing activity within the Bank, and the Security Assessment Policy identifies security assessment requirements and those individuals accountable for ensuring the assessments comply with the requirements. All assessment activities must be approved by the CRO. The coverage of assessments includes, but is not limited to, physical security assessment, information technology general controls audit, vulnerability assessment, penetration testing, and social engineering testing. Results are shared with the ITSC, executive management and the Board of Directors.
There is an established Incident Response Program (“IRP”) that provides a framework for us to respond quickly, decisively, and appropriately to limit the impact of an adverse event, such as a cybersecurity incident, on customers and information resources. Procedures have been developed that outline the necessary steps should an incident occur, such as incident identification, classification, and escalation. We use a Cybersecurity Assessment Tool to assess our cybersecurity preparedness on a periodic basis. A Cybersecurity Incident Response Team, which is part of our general Incident Response Team, will take the appropriate actions as outlined in the IRP in the event a cybersecurity situation occurs.
We do not believe that risks from cybersecurity threats, including the previously disclosed cyber-attack that occurred in April 2023, have materially impacted or are reasonably likely to materially impact our overall business strategy, results of operations, or financial condition. We maintain cybersecurity insurance to cover the costs resulting from cyber-attacks; however, the policy may not cover all losses from cybersecurity incidents. Refer to the discussion on the April 2023 incident in Note 15 - Commitments and Contingent Liabilities of our Consolidated Financial Statements and the discussion of cybersecurity risk in Part I, Item 1A, “Risk Factors”.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We have developed a comprehensive Information Security Program (“ISP”) that was designed as the guiding policy to establish standards designed to protect the confidentiality of nonpublic, sensitive personal and business information, protect against potential threats to the security or integrity of such information, and protect against unauthorized access to or use of such information. The ISP applies to all Company employees, contractors, consultants, and third-party vendors as well as all technology owned and operated by the Bank. The scope of the ISP covers customer data as well as the Company’s strategic and proprietary information. The Board of Directors approves the ISP annually. Additionally, the Information Technology Steering Committee (“ITSC”) must approve significant modifications to the ISP prior to review and approval by the Board of Directors. The Chief Information Officer (“CIO”) is responsible for the implementation and maintenance of the ISP.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|We do not believe that risks from cybersecurity threats, including the previously disclosed cyber-attack that occurred in April 2023, have materially impacted or are reasonably likely to materially impact our overall business strategy, results of operations, or financial condition. We maintain cybersecurity insurance to cover the costs resulting from cyber-attacks; however, the policy may not cover all losses from cybersecurity incidents. Refer to the discussion on the April 2023 incident in Note 15 - Commitments and Contingent Liabilities of our Consolidated Financial Statements and the discussion of cybersecurity risk in Part I, Item 1A, “Risk Factors”.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
Board of Directors
The Board of Directors, in coordination with the Audit Committee, oversees the Company’s management of cybersecurity risk. The Board receives monthly reports from the CIO, focusing on cybersecurity and information technology updates. The reports include key insights regarding our security risk score, areas of focus, and metrics from our third-party provider regarding security investigations and incidents as well as the results of training and phishing simulations. The Audit Committee receives periodic updates on information security risk and maturity of our ISP. The Audit Committee also receives reports with the results of security assessments conducted by third-parties.
Management
Under the leadership of the CIO, the ITSC serves to improve the effectiveness of information technology at the Bank and ensure alignment with the Bank’s strategic business plan and statement of risk appetite. Composition of the ITSC consists of senior management from the business areas. The virtual CISO is a non-voting member of the ITSC. Meetings occur at least bi-annually. The ITSC is tasked with reviewing the Bank’s technology, information security, business continuity, digital initiatives, vendor management, and data management strategic direction and providing feedback to management.
The ISGC acts on the behalf of and to assist the Board of Directors and executive management in fulfilling its oversight responsibilities regarding the Bank’s information security programs and risks. The ISGC is comprised of members from Risk, Information Technology, and other strategic areas within the Bank and meets at least quarterly. The responsibilities of the ISGC include providing strategic oversight and implementation guidance for the ISP, aligning cybersecurity and business objectives, monitoring and reporting on cybersecurity and information security incidents, and promoting a strong culture around information security.
As stated above, the CIO is a member of the ISGC, chairs the ITSC, and reports to the CSIO. The CIO has over 40 years of business experience in information technology and cybersecurity and is a Certified Bank Cybersecurity Manager. The virtual CISO is outsourced to a third-party vendor that specializes in partnering with organizations to enhance cybersecurity management and reports to the CRO.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board of Directors, in coordination with the Audit Committee, oversees the Company’s management of cybersecurity risk. The Board receives monthly reports from the CIO, focusing on cybersecurity and information technology updates. The reports include key insights regarding our security risk score, areas of focus, and metrics from our third-party provider regarding security investigations and incidents as well as the results of training and phishing simulations. The Audit Committee receives periodic updates on information security risk and maturity of our ISP. The Audit Committee also receives reports with the results of security assessments conducted by third-parties.
|Cybersecurity Risk Role of Management [Text Block]
|Under the leadership of the CIO, the ITSC serves to improve the effectiveness of information technology at the Bank and ensure alignment with the Bank’s strategic business plan and statement of risk appetite. Composition of the ITSC consists of senior management from the business areas. The virtual CISO is a non-voting member of the ITSC. Meetings occur at least bi-annually. The ITSC is tasked with reviewing the Bank’s technology, information security, business continuity, digital initiatives, vendor management, and data management strategic direction and providing feedback to management.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|As stated above, the CIO is a member of the ISGC, chairs the ITSC, and reports to the CSIO. The CIO has over 40 years of business experience in information technology and cybersecurity and is a Certified Bank Cybersecurity Manager. The virtual CISO is outsourced to a third-party vendor that specializes in partnering with organizations to enhance cybersecurity management and reports to the CRO.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The ISGC acts on the behalf of and to assist the Board of Directors and executive management in fulfilling its oversight responsibilities regarding the Bank’s information security programs and risks. The ISGC is comprised of members from Risk, Information Technology, and other strategic areas within the Bank and meets at least quarterly. The responsibilities of the ISGC include providing strategic oversight and implementation guidance for the ISP, aligning cybersecurity and business objectives, monitoring and reporting on cybersecurity and information security incidents, and promoting a strong culture around information security.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true