Cybersecurity Risk Management and Strategy Disclosure	12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]	Risk Management and Strategy We recognize the importance of assessing, identifying, and managing risks associated with cybersecurity threats. Our process to identify and assess material risks from cybersecurity threats operates alongside our broader overall risk assessment process that contemplates all company risks. As part of this process, appropriate personnel collaborate with subject matter specialists, as necessary, to gather information to identify and assess material cybersecurity threat risks, their severity, and potential mitigations. We have implemented a variety of processes, technologies, and controls to aid in our efforts to identify, assess, and manage cybersecurity risks. Our approach includes: •an enterprise risk management program that includes an annual cybersecurity risk assessment and management and is periodically refreshed; •security reviews designed to identify risks from many new features, software, and vendors, including a security operations center to monitor our systems; •a team of trained and experienced security professionals to investigate and remediate cybersecurity incidents; •regular cybersecurity training for all employees and network users to raise and maintain awareness of cybersecurity risks and best practices; •a vulnerability management program designed to identify vulnerabilities in our systems and software; •regular cybersecurity testing, including third-party penetration testing on a periodic basis to allow security researchers to help identify vulnerabilities in our systems before they mature into real-world cybersecurity threats; •a third-party service provider risk management program designed to identify and mitigate risks associated with third-party vendors and business partners, which includes pre-engagement diligence, risk assessments, contractual security and notification provisions, and ongoing monitoring, as appropriate; •a threat intelligence program designed to model and research potential cybersecurity threat actors to identify vulnerabilities and anticipate attack vectors before they are exploited; •cybersecurity controls designed to segment access to systems and to limit access to sensitive data, which controls are tested and updated regularly; •patch management controls aimed at reducing system vulnerabilities; and •a generative artificial intelligence policy that describes how users may utilize generative artificial intelligence tools in alignment with our values, ethical standards, and legal requirements, while also safeguarding sensitive information. These processes vary in maturity across the business and we work continually to improve them. We also maintain a privacy and security incident response program to prepare for, detect, respond to, and recover from cybersecurity incidents. That program includes processes to triage, assess severity for, escalate, contain, investigate, and remediate any cybersecurity incident, as well as to comply with any applicable legal obligations (including to preserve evidence) and to mitigate brand and reputational damage. We also conduct regular tabletop exercises to test and fortify the controls of our cybersecurity incident response program. Our security operations center and incident response team assesses the severity and priority of incidents on a rolling basis, with escalations of cybersecurity incidents provided to our management team and board as appropriate. If a cybersecurity incident is determined to be material, our incident response plan defines the process for any required regulatory disclosures. Our risk management approach is supplemented by external and internal enterprise risk management audits, which are designed to test the effectiveness of our security controls. Prior cybersecurity incidents have not materially affected our business strategy, results of operations, or financial condition. We do not believe that there are currently any known risks from cybersecurity threats that are reasonably likely to materially affect our business strategy, results of operations, or financial condition, although the occurrence of both intentional and unintentional incidents could cause a variety of adverse business impacts in the future.
Cybersecurity Risk Management Processes Integrated [Flag]	true
Cybersecurity Risk Management Processes Integrated [Text Block]	We have implemented a variety of processes, technologies, and controls to aid in our efforts to identify, assess, and manage cybersecurity risks. Our approach includes: •an enterprise risk management program that includes an annual cybersecurity risk assessment and management and is periodically refreshed; •security reviews designed to identify risks from many new features, software, and vendors, including a security operations center to monitor our systems; •a team of trained and experienced security professionals to investigate and remediate cybersecurity incidents; •regular cybersecurity training for all employees and network users to raise and maintain awareness of cybersecurity risks and best practices; •a vulnerability management program designed to identify vulnerabilities in our systems and software; •regular cybersecurity testing, including third-party penetration testing on a periodic basis to allow security researchers to help identify vulnerabilities in our systems before they mature into real-world cybersecurity threats; •a third-party service provider risk management program designed to identify and mitigate risks associated with third-party vendors and business partners, which includes pre-engagement diligence, risk assessments, contractual security and notification provisions, and ongoing monitoring, as appropriate; •a threat intelligence program designed to model and research potential cybersecurity threat actors to identify vulnerabilities and anticipate attack vectors before they are exploited; •cybersecurity controls designed to segment access to systems and to limit access to sensitive data, which controls are tested and updated regularly; •patch management controls aimed at reducing system vulnerabilities; and •a generative artificial intelligence policy that describes how users may utilize generative artificial intelligence tools in alignment with our values, ethical standards, and legal requirements, while also safeguarding sensitive information.
Cybersecurity Risk Management Third Party Engaged [Flag]	true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]	true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]	false
Cybersecurity Risk Board of Directors Oversight [Text Block]	Our board of directors is actively involved in overseeing our cybersecurity risk management. At least once a year, the full board of directors meets with our Chief Information Security Officer (“CISO”) to discuss and approve our programs and policies related to cybersecurity and risk initiatives and considers them closely both from a risk management perspective and as part of our business strategy. The board has created a dedicated cybersecurity subcommittee of the board's enterprise risk committee to oversee our cybersecurity programs and practices, including the identification and mitigation of security and privacy risks. The cybersecurity subcommittee consists of three members of the enterprise risk committee. The cybersecurity subcommittee typically meets on a monthly basis with the CISO and other members of our management team to discuss the performance and effectiveness of our cyber program and to receive updates on cybersecurity risks, any cybersecurity incidents, and major cybersecurity initiatives. The materials provided to the cybersecurity subcommittee and discussed in the meetings may include updates about cybersecurity risks, controls, and assessments, including those from third parties. At each regular quarterly meeting of the board enterprise risk committee, the cybersecurity subcommittee reviews a summary of the information discussed in the most recent cybersecurity subcommittee meetings.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]	Our board of directors is actively involved in overseeing our cybersecurity risk management.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]	At least once a year, the full board of directors meets with our Chief Information Security Officer (“CISO”) to discuss and approve our programs and policies related to cybersecurity and risk initiatives and considers them closely both from a risk management perspective and as part of our business strategy. The board has created a dedicated cybersecurity subcommittee of the board's enterprise risk committee to oversee our cybersecurity programs and practices, including the identification and mitigation of security and privacy risks.
Cybersecurity Risk Role of Management [Text Block]	The CISO manages our cybersecurity program, which aligns to industry standards and is reviewed by the cybersecurity subcommittee and approved by the board enterprise risk committee annually, and which includes the identification, evaluation, and prioritization of security risks, as well as our response to security incidents. The CISO has more than 20 years of experience in cybersecurity and information technology and holds a Master’s degree in Business Administration with a focus on Information Technology. The CISO also holds a Certified Information Security Manager ("CISM") certification, which is an advanced certification indicating that an individual possesses the knowledge and experience required to develop and manage an enterprise information security program. The CISO reports to our Executive Vice President – Chief Risk Officer, who in turn reports to the Chief Executive Officer. Members of senior management have regular meetings with the CISO and other members of our information technology team to discuss and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents. The participants in these meetings also discuss their management of, and participation in, the cybersecurity risk management and strategy processes described in this report, including the operation of our incident response plan.
Cybersecurity Risk Management Positions or Committees Responsible [Flag]	true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]	The CISO manages our cybersecurity program, which aligns to industry standards and is reviewed by the cybersecurity subcommittee and approved by the board enterprise risk committee annually, and which includes the identification, evaluation, and prioritization of security risks, as well as our response to security incidents.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]	The CISO has more than 20 years of experience in cybersecurity and information technology and holds a Master’s degree in Business Administration with a focus on Information Technology. The CISO also holds a Certified Information Security Manager ("CISM") certification, which is an advanced certification indicating that an individual possesses the knowledge and experience required to develop and manage an enterprise information security program.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]	The CISO reports to our Executive Vice President – Chief Risk Officer, who in turn reports to the Chief Executive Officer.Members of senior management have regular meetings with the CISO and other members of our information technology team to discuss and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents. The participants in these meetings also discuss their management of, and participation in, the cybersecurity risk management and strategy processes described in this report, including the operation of our incident response plan.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]	true

Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended

Dec. 31, 2025

Cybersecurity Risk Management, Strategy, and Governance [Line Items]

Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing risks associated with cybersecurity threats. Our process to identify and assess material risks from cybersecurity threats operates alongside our broader overall risk assessment process that contemplates all company risks. As part of this process, appropriate personnel collaborate with subject matter specialists, as necessary, to gather information to identify and assess material cybersecurity threat risks, their severity, and potential mitigations.

We have implemented a variety of processes, technologies, and controls to aid in our efforts to identify, assess, and manage cybersecurity risks. Our approach includes:

•an enterprise risk management program that includes an annual cybersecurity risk assessment and management and is periodically refreshed;

•security reviews designed to identify risks from many new features, software, and vendors, including a security operations center to monitor our systems;

•a team of trained and experienced security professionals to investigate and remediate cybersecurity incidents;

•regular cybersecurity training for all employees and network users to raise and maintain awareness of cybersecurity risks and best practices;

•a vulnerability management program designed to identify vulnerabilities in our systems and software;

•regular cybersecurity testing, including third-party penetration testing on a periodic basis to allow security researchers to help identify vulnerabilities in our systems before they mature into real-world cybersecurity threats;

•a third-party service provider risk management program designed to identify and mitigate risks associated with third-party vendors and business partners, which includes pre-engagement diligence, risk assessments, contractual security and notification provisions, and ongoing monitoring, as appropriate;

•a threat intelligence program designed to model and research potential cybersecurity threat actors to identify vulnerabilities and anticipate attack vectors before they are exploited;

•cybersecurity controls designed to segment access to systems and to limit access to sensitive data, which controls are tested and updated regularly;

•patch management controls aimed at reducing system vulnerabilities; and

•a generative artificial intelligence policy that describes how users may utilize generative artificial intelligence tools in alignment with our values, ethical standards, and legal requirements, while also safeguarding sensitive information.

These processes vary in maturity across the business and we work continually to improve them.

We also maintain a privacy and security incident response program to prepare for, detect, respond to, and recover from cybersecurity incidents. That program includes processes to triage, assess severity for, escalate, contain, investigate, and remediate any cybersecurity incident, as well as to comply with any applicable legal obligations (including to preserve evidence) and to mitigate brand and reputational damage. We also conduct regular tabletop exercises to test and fortify the controls of our cybersecurity incident response program. Our security operations center and incident response team assesses the severity and priority of incidents on a rolling basis, with escalations of cybersecurity incidents provided to our management team and board as appropriate. If a cybersecurity incident is determined to be material, our incident response plan defines the process for any required regulatory disclosures.

Our risk management approach is supplemented by external and internal enterprise risk management audits, which are designed to test the effectiveness of our security controls. Prior cybersecurity incidents have not materially affected our business strategy, results of operations, or financial condition. We do not believe that there are currently any known risks from cybersecurity threats that are reasonably likely to materially affect our business strategy, results of operations, or financial condition, although the occurrence of both intentional and unintentional incidents could cause a variety of adverse business impacts in the future.

Cybersecurity Risk Management Processes Integrated [Flag]

true

Cybersecurity Risk Management Processes Integrated [Text Block]