Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

The Company maintains documented processes, procedures, and controls for assessing, identifying, and managing material risks from cybersecurity threats.  Cybersecurity threats are identified utilizing risk assessments, detection tools, information gathering, and internal, external, and third-party contracted security assessments.

The Company has processes to oversee and identify material risks from reported cybersecurity threats from any third-party service providers or vendors.  The Company’s vendor management program requires initial due diligence, ongoing monitoring, and annual recertification of third-party cybersecurity controls.

Cybersecurity is an integral part of the risk management program, which is supported through the use of consultants, auditors and other third parties who assist with reviewing and validating the effectiveness of cybersecurity controls.  Our internal audit function actively participates and engages with those managing the cybersecurity program to validate the effectiveness of implemented safeguards.  Our external audit results are reviewed and reported in our annual filing and to the Board Audit Committee.  Additionally, the Company and the Bank are regulated entities and undergo regulatory reviews to ensure the Company and the Bank are in compliance with all appropriate standards.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

The Company maintains documented processes, procedures, and controls for assessing, identifying, and managing material risks from cybersecurity threats.  Cybersecurity threats are identified utilizing risk assessments, detection tools, information gathering, and internal, external, and third-party contracted security assessments.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

The CISO and CRO play a pivotal role in informing the Board of all cybersecurity risks.  These positions provide comprehensive updates to the Risk Management Committee of the Board, at least quarterly.  The briefings combine a range of updates, including the cybersecurity program, emerging risks, and risk reporting.  The CISO and CRO also provide a monthly overview of the cybersecurity landscape to the Board of Directors.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Risk Management Committee of the Board
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

The CISO and CRO play a pivotal role in informing the Board of all cybersecurity risks.  These positions provide comprehensive updates to the Risk Management Committee of the Board, at least quarterly.  The briefings combine a range of updates, including the cybersecurity program, emerging risks, and risk reporting.  The CISO and CRO also provide a monthly overview of the cybersecurity landscape to the Board of Directors.

Cybersecurity Risk Role of Management [Text Block]

The cybersecurity programs are supervised by the Bank’s Chief Information Security Officer (“CISO”), who reports to the Chief Risk Officer (“CRO”) with a dotted line to the Chief Information Officer.  The Chief Risk Officer has reporting responsibility to the Board’s Risk and Compliance Committee while the Chief Information Officer has reporting responsibility to the Board’s Information Technology Committee.  The Risk and Compliance Committee consists of eight directors, seven of whom are independent, while the Information Technology Committee consists of three directors, two of whom are independent and members of the Risk and Compliance Committee.  The Company Board includes members who have expertise in cybersecurity, fraud, and risk management.  Cybersecurity risks are primarily assessed, monitored, and remediated by the CISO, who has a Ph.D. in Information Technology with a concentration in Information Assurance and experience in the information technology and cybersecurity fields and maintains advanced cybersecurity-centric certifications.  The CISO’s knowledge and experience in the cybersecurity field are key to executing our cybersecurity program.  Our CISO oversees proactive initiatives, remediation plans of known risks, compliance with regulations and standards and disaster recovery, business continuity, and incident response efforts.  Additionally, the Bank’s CRO, who leads the management risk function, has extensive experience in risk management.

The cybersecurity programs include a cross-functional team of trained internal and external information security professionals, all of whom are required to maintain industry-accredited certifications.  We have an Incident Response Team chaired by our Chief Operating Officer that is comprised of executive management and designated managers, including the CISO.  The purpose of our incident response plan is to manage incidents, including information security incidents, efficiently and effectively to minimize loss and destruction, mitigate weaknesses, restore services, notify customers as required by law, and comply with regulatory requirements and any third-party obligations.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Chief Information Security Officer (“CISO”) Chief Risk Officer (“CRO”)
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The Company Board includes members who have expertise in cybersecurity, fraud, and risk management.  Cybersecurity risks are primarily assessed, monitored, and remediated by the CISO, who has a Ph.D. in Information Technology with a concentration in Information Assurance and experience in the information technology and cybersecurity fields and maintains advanced cybersecurity-centric certifications.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

The cybersecurity programs include a cross-functional team of trained internal and external information security professionals, all of whom are required to maintain industry-accredited certifications.  We have an Incident Response Team chaired by our Chief Operating Officer that is comprised of executive management and designated managers, including the CISO.  The purpose of our incident response plan is to manage incidents, including information security incidents, efficiently and effectively to minimize loss and destruction, mitigate weaknesses, restore services, notify customers as required by law, and comply with regulatory requirements and any third-party obligations.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true