XML 46 R31.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Abstract]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Risk Management and Strategy

In line with our commitment to strong corporate governance and the security of our operations, we continuously assess and mitigate cybersecurity risks that could impact our business, stakeholders, and the integrity of our systems.

Using comprehensive risk assessment methodologies, we diligently identify and evaluate potential cybersecurity threats and vulnerabilities across our systems, networks, and data assets. This process includes regular reviews of emerging threats, penetration testing, vulnerability scanning, and thorough analysis of industry-specific risks. We actively participate in industry forums and information-sharing initiatives and collaborate with relevant stakeholders to exchange threat intelligence and best practices.

We emphasize continuous training for our staff to enhance their ability to identify and respond to cybersecurity threats. To support this effort, we invest in cybersecurity technology and talent. Additionally, we conduct rigorous vendor assessments and require specific security standards for third-party providers. Our comprehensive policies and procedures are designed to safeguard the integrity and security of information collected by us and our service providers. We have also implemented security measures to prevent unauthorized access to personal data and mitigate potential incidents. Furthermore, we learn from any past incidents and near misses to strengthen our resilience.

NBT collaborates with external experts to conduct audits, assessments, and validations of our cybersecurity controls, aligning them with established frameworks such as the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. We adapt our cybersecurity policies, standards, processes, and practices based on insights from these reviews.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
In line with our commitment to strong corporate governance and the security of our operations, we continuously assess and mitigate cybersecurity risks that could impact our business, stakeholders, and the integrity of our systems.

Using comprehensive risk assessment methodologies, we diligently identify and evaluate potential cybersecurity threats and vulnerabilities across our systems, networks, and data assets. This process includes regular reviews of emerging threats, penetration testing, vulnerability scanning, and thorough analysis of industry-specific risks. We actively participate in industry forums and information-sharing initiatives and collaborate with relevant stakeholders to exchange threat intelligence and best practices.

We emphasize continuous training for our staff to enhance their ability to identify and respond to cybersecurity threats. To support this effort, we invest in cybersecurity technology and talent. Additionally, we conduct rigorous vendor assessments and require specific security standards for third-party providers. Our comprehensive policies and procedures are designed to safeguard the integrity and security of information collected by us and our service providers. We have also implemented security measures to prevent unauthorized access to personal data and mitigate potential incidents. Furthermore, we learn from any past incidents and near misses to strengthen our resilience.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
We have purchased cybersecurity insurance, but there are no assurances that the coverage would be adequate in relation to any incurred losses. As of December 31, 2024, we have not experienced any material risks from cybersecurity threats, including as a result of any previous cybersecurity incidents or threats, that have materially affected the business strategy, results of operations or financial condition of the Company. However, we cannot guarantee that we will remain unaffected in the future.
Cybersecurity Risk Board of Directors Oversight [Text Block]
The Board considers cybersecurity as part of its broader consideration of business strategy and enterprise risk management. It is the responsibility of the Risk Management Committee (“RMC”), a committee of the Board, to oversee efforts to develop and formally approve the written Information Security Program (“ISP”), implement, maintain and monitor the program, and review management reports and policies related to cyber incidents. The RMC is led by our Chief Risk Officer and composed of Board members as well as the Chief Executive Officer. Cybersecurity risks are reported to the RMC at least quarterly and those reports include key performance indicators, test results, recent threats and how the Company is managing those threats, along with the effectiveness of the ISP. The RMC receives briefings from executive management on activities, including those related to cybersecurity risk oversight. The Board reviews the overall ISP at least annually.

NBT has appointed the Senior Director of Information Security (“DISO”) to oversee the implementation, coordination, and maintenance of the ISP. The DISO’s responsibilities include:

• Leading the initial implementation of the ISP, including assessing internal and external risks to institutional data and documenting findings through risk assessment reports and remediation plans.
• Coordinating the development, distribution, and maintenance of information security policies and procedures.
• Designing and implementing administrative, technical, and physical safeguards to protect institutional data across the company.

The DISO reports to the Chief Risk Officer and has expertise in cybercrime prevention, social engineering, identity theft, and fraud prevention, gained through prior roles within the organization.

The DISO also supervises the Incident Response Team (“IRT”), which consists of senior executives, including the Chief Audit Officer, Chief Risk Officer, General Counsel, and representatives from Operations, Accounting, and Communications. Upon detecting an incident, the IRT promptly convenes to assess its severity, categorizing it as low, medium, or high. The response protocol follows the Cybersecurity and Infrastructure Security Agency (“CISA”) Cybersecurity Incident and Vulnerability Response Playbook (November 2021) and incorporates best practices outlined in the NIST Special Publication (SP) 800-61 Rev. 2: Computer Security Incident Handling Guide. The IRT has procedures and protocols for escalating significant cybersecurity matters to the Executive Committee, the RMC and/or the full Board, as deemed necessary.

During the incident review process, senior management, in collaboration with relevant personnel from information technology and data security and, when necessary, external cybersecurity firms specializing in forensic investigations, assesses the materiality of the incident alongside its severity rating. This evaluation aims to accurately identify risks and potential operational and business impacts. Materiality determination involves an objective analysis of both quantitative and qualitative factors, including an evaluation of the impact and reasonably likely impacts.

We have purchased cybersecurity insurance, but there are no assurances that the coverage would be adequate in relation to any incurred losses. As of December 31, 2024, we have not experienced any material risks from cybersecurity threats, including as a result of any previous cybersecurity incidents or threats, that have materially affected the business strategy, results of operations or financial condition of the Company. However, we cannot guarantee that we will remain unaffected in the future.

For further discussion of such risks, see the section entitled “Risks Related to Information Technology, Cybersecurity and Data Privacy” in Item 1A. Risk Factors of this Form 10-K.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Board considers cybersecurity as part of its broader consideration of business strategy and enterprise risk management. It is the responsibility of the Risk Management Committee (“RMC”), a committee of the Board, to oversee efforts to develop and formally approve the written Information Security Program (“ISP”), implement, maintain and monitor the program, and review management reports and policies related to cyber incidents.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The RMC is led by our Chief Risk Officer and composed of Board members as well as the Chief Executive Officer. Cybersecurity risks are reported to the RMC at least quarterly and those reports include key performance indicators, test results, recent threats and how the Company is managing those threats, along with the effectiveness of the ISP. The RMC receives briefings from executive management on activities, including those related to cybersecurity risk oversight. The Board reviews the overall ISP at least annually.
Cybersecurity Risk Role of Management [Text Block]
NBT has appointed the Senior Director of Information Security (“DISO”) to oversee the implementation, coordination, and maintenance of the ISP. The DISO’s responsibilities include:

• Leading the initial implementation of the ISP, including assessing internal and external risks to institutional data and documenting findings through risk assessment reports and remediation plans.
• Coordinating the development, distribution, and maintenance of information security policies and procedures.
• Designing and implementing administrative, technical, and physical safeguards to protect institutional data across the company.

The DISO reports to the Chief Risk Officer and has expertise in cybercrime prevention, social engineering, identity theft, and fraud prevention, gained through prior roles within the organization.

The DISO also supervises the Incident Response Team (“IRT”), which consists of senior executives, including the Chief Audit Officer, Chief Risk Officer, General Counsel, and representatives from Operations, Accounting, and Communications. Upon detecting an incident, the IRT promptly convenes to assess its severity, categorizing it as low, medium, or high. The response protocol follows the Cybersecurity and Infrastructure Security Agency (“CISA”) Cybersecurity Incident and Vulnerability Response Playbook (November 2021) and incorporates best practices outlined in the NIST Special Publication (SP) 800-61 Rev. 2: Computer Security Incident Handling Guide. The IRT has procedures and protocols for escalating significant cybersecurity matters to the Executive Committee, the RMC and/or the full Board, as deemed necessary.

During the incident review process, senior management, in collaboration with relevant personnel from information technology and data security and, when necessary, external cybersecurity firms specializing in forensic investigations, assesses the materiality of the incident alongside its severity rating. This evaluation aims to accurately identify risks and potential operational and business impacts. Materiality determination involves an objective analysis of both quantitative and qualitative factors, including an evaluation of the impact and reasonably likely impacts.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
NBT has appointed the Senior Director of Information Security (“DISO”) to oversee the implementation, coordination, and maintenance of the ISP. The DISO’s responsibilities include:

• Leading the initial implementation of the ISP, including assessing internal and external risks to institutional data and documenting findings through risk assessment reports and remediation plans.
• Coordinating the development, distribution, and maintenance of information security policies and procedures.
• Designing and implementing administrative, technical, and physical safeguards to protect institutional data across the company.

The DISO reports to the Chief Risk Officer and has expertise in cybercrime prevention, social engineering, identity theft, and fraud prevention, gained through prior roles within the organization.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
The DISO reports to the Chief Risk Officer and has expertise in cybercrime prevention, social engineering, identity theft, and fraud prevention, gained through prior roles within the organization.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
The DISO also supervises the Incident Response Team (“IRT”), which consists of senior executives, including the Chief Audit Officer, Chief Risk Officer, General Counsel, and representatives from Operations, Accounting, and Communications. Upon detecting an incident, the IRT promptly convenes to assess its severity, categorizing it as low, medium, or high. The response protocol follows the Cybersecurity and Infrastructure Security Agency (“CISA”) Cybersecurity Incident and Vulnerability Response Playbook (November 2021) and incorporates best practices outlined in the NIST Special Publication (SP) 800-61 Rev. 2: Computer Security Incident Handling Guide. The IRT has procedures and protocols for escalating significant cybersecurity matters to the Executive Committee, the RMC and/or the full Board, as deemed necessary.

During the incident review process, senior management, in collaboration with relevant personnel from information technology and data security and, when necessary, external cybersecurity firms specializing in forensic investigations, assesses the materiality of the incident alongside its severity rating. This evaluation aims to accurately identify risks and potential operational and business impacts. Materiality determination involves an objective analysis of both quantitative and qualitative factors, including an evaluation of the impact and reasonably likely impacts.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true