Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Peoples has a comprehensive Enterprise Risk Management program (“ERM Program”), which includes policies and processes for assessing, identifying and managing material risks from cybersecurity threats to Peoples and its customers. Peoples’ information security policy and procedures are reviewed and assessed on an annual basis and as needed throughout the year by the Risk Committee of the Board. Peoples assesses itself against the Federal Financial Institutions Examination Council’s (“FFIEC”) Cybersecurity Assessment Tool (“CAT”) on a quarterly basis. Beginning in 2025, Peoples will assess itself using the Cyber Risk Institute Tool (“CRIT”) on at least an annual basis. Additional assessment of Peoples’ cybersecurity capabilities is performed by consultants and regulators annually. Identified risks resulting from these assessments are documented, rated and mitigated by Peoples Bank’s Chief Information Security Officer (“CISO”), with oversight by the Risk Committee.
Peoples also has a third-party risk management program pursuant to which Peoples performs annual reviews of third-party vendors as to their cybersecurity and business continuity capabilities to ensure they meet the stated requirements and the risk appetite of Peoples as documented in Peoples’ information security policy. Vendors not meeting Peoples’ risk requirements are notified of necessary improvements and, if the vendors cannot mitigate the identified risks, Peoples looks to identify alternative vendors. Documentation of performance of the third-party risk assessments is retained and acknowledged by appropriate Risk and Information Security employees of Peoples.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
Peoples has a comprehensive Enterprise Risk Management program (“ERM Program”), which includes policies and processes for assessing, identifying and managing material risks from cybersecurity threats to Peoples and its customers. Peoples’ information security policy and procedures are reviewed and assessed on an annual basis and as needed throughout the year by the Risk Committee of the Board. Peoples assesses itself against the Federal Financial Institutions Examination Council’s (“FFIEC”) Cybersecurity Assessment Tool (“CAT”) on a quarterly basis. Beginning in 2025, Peoples will assess itself using the Cyber Risk Institute Tool (“CRIT”) on at least an annual basis. Additional assessment of Peoples’ cybersecurity capabilities is performed by consultants and regulators annually. Identified risks resulting from these assessments are documented, rated and mitigated by Peoples Bank’s Chief Information Security Officer (“CISO”), with oversight by the Risk Committee.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] Peoples’ Board of Directors provides oversight of risks from cybersecurity threats primarily through the Risk Committee of the Board.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Peoples’ Board of Directors provides oversight of risks from cybersecurity threats primarily through the Risk Committee of the Board. The Risk Committee is comprised of all of the independent directors of the Board, along with Peoples’ Chief Executive Officer (“CEO”), and is responsible for oversight of Peoples’ risk management policies, programs and processes.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Risk Committee is organized and conducts its business pursuant to a written charter adopted by the Board. At least annually, the Risk Committee reviews and reassesses the adequacy of its charter and recommends any proposed changes to the full Board as necessary to reflect changes in regulatory requirements, authoritative guidance and evolving practices. On at least a quarterly basis, Peoples’ Chief Risk Officer provides a report to the Risk Committee regarding the overall risk condition of Peoples and whether it is within Peoples’ stated risk appetite.
Cybersecurity Risk Role of Management [Text Block]
Peoples’ Chief Risk Officer (“CRO”) reports to the Risk Committee and the CEO and has primary responsibility for the design and implementation of the ERM Program. The ERM Program establishes Peoples’ risk appetite, monitors key risk and performance indicators, identifies key risks within the firm, designs and executes specific risk initiatives and monitors risk mitigation efforts and control processes. The CRO updates the Risk Committee quarterly on the overall risk condition of Peoples inclusive of any cybersecurity issues or threats.
Peoples Bank also has an executive governance structure which includes the Capital and Risk Management Committee (“CRMC”). The CRMC, which is comprised of individuals representing each of the functional areas of Peoples and its subsidiaries, meets monthly and is responsible for the review of risk issues faced by Peoples, including material risks from cybersecurity threats. Summaries of the topics and discussions at CRMC meetings are provided to the Risk Committee along with an overview and recommendations regarding key risks and mitigating actions.
The CISO has primary responsibility for assessing and responding to material risks from cybersecurity threats. The current CISO is an experienced Information Security and Information Technology professional with over 25 years of experience specializing in cyber defense, vulnerability management, security operations, recovery management and as a Windows system engineer. On a quarterly basis, the CISO updates the Risk Committee on the state of cybersecurity and potential risks to Peoples to be considered by the Risk Committee.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The CISO has primary responsibility for assessing and responding to material risks from cybersecurity threats.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The current CISO is an experienced Information Security and Information Technology professional with over 25 years of experience specializing in cyber defense, vulnerability management, security operations, recovery management and as a Windows system engineer.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] On a quarterly basis, the CISO updates the Risk Committee on the state of cybersecurity and potential risks to Peoples to be considered by the Risk Committee.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true