Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
To date, we have not incurred any material losses related to cybersecurity incidents. However, the risk management and governance processes described above may not be sufficient to prevent cybersecurity incidents, and we could incur substantial costs and suffer other negative consequences from cybersecurity incidents. See “Part 1, Item 1A. – Risk Factors” for more information on the cybersecurity risks facing the Company.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
The Company has established an enterprise risk management framework that outlines the processes and procedures the Company uses to identify, assess, mitigate and monitor the risks faced by the Company, including cybersecurity risk.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
The Board is responsible for the oversight of cybersecurity risk management, as well as the selection of a Chief Information Security Officer (“CISO”), the management official responsible for administering and executing the information security program. The Board’s Technology Oversight Committee (the “TOC”) assists the Board in its oversight of the information security program. The TOC reviews information security metrics, oversees significant instances of non-compliance with the information security policy and monitors remediation of those instances, and reviews the appointment of the CISO for recommendation to the Board.
At the management level, the Enterprise Risk Management Committee (the “ERMC”) is primarily responsible for cybersecurity risk management. As it pertains to the information security program, the ERMC assesses and monitors information security risks and approves the information security policy on at least an annual basis. Certain instances of non-compliance with the information security policy are escalated to the ERMC, which may further escalate to the TOC as appropriate. Once escalated to a committee, the committee is responsible for overseeing related remediation.
Our CISO is responsible for the overall administration and execution of the information security program and reports to our Chief Risk Officer (“CRO”). Our CISO has over fifteen years of experience working in information security and risk for a variety of companies and organizations, including multiple financial institutions. The CISO monitors the security of, among other things, systems, applications, tools, databases, computers, websites, cloud infrastructure, vendor tools, and user access systems. The CISO performs an annual information security risk assessment, which, among other things, documents inherent risk levels and controls in place to manage those risks. The information security risk assessment is presented to the Board annually.
We strive to minimize the occurrence of cybersecurity incidents and the risks resulting from such incidents. However, when a cybersecurity incident does occur, the Company has in place an incident response program to guide our assessment of and response to the incident. The CISO coordinates the Company’s response to a cybersecurity incident, including investigating, recording and evaluating any potential, suspected or confirmed incidents involving non-public customer information or Company confidential information.
On a regular basis, the CISO discusses with the CRO information security risk issues, risk mitigation progress and developments and information security enhancement initiatives. The CISO reports to the TOC quarterly on information security developments and emerging risks, both in the industry and specific to the Company. The CISO and CRO report on the information security program, including the status of information security-related key risk indicators, to the TOC and the ERMC. The Information Security Policy is also approved by the TOC on an annual basis.
The Company employs third parties in certain aspects of its information security and cybersecurity risk management. For example, we utilize third parties to conduct certain security operations and maintain certain information security infrastructure. We have adopted a Third Party Risk Management Policy, which addresses the identification, measurement, monitoring, and management of our third-party service provider relationships, including those related to information security. The Director of Third-Party Risk Management, along with the CISO, assesses and monitors information risks posed by third parties and any non-compliance with the controls created to address such risks. With respect to cybersecurity incidents affecting our third-party service providers, the Director of Third-Party Risk Management works with our service providers to understand and document any incidents, along with managing the impact to us and reporting such incidents to the CRO, ERMC, TOC, and, if applicable, the Board.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
At the management level, the Enterprise Risk Management Committee (the “ERMC”) is primarily responsible for cybersecurity risk management. As it pertains to the information security program, the ERMC assesses and monitors information security risks and approves the information security policy on at least an annual basis.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
At the management level, the Enterprise Risk Management Committee (the “ERMC”) is primarily responsible for cybersecurity risk management. As it pertains to the information security program, the ERMC assesses and monitors information security risks and approves the information security policy on at least an annual basis. Certain instances of non-compliance with the information security policy are escalated to the ERMC, which may further escalate to the TOC as appropriate. Once escalated to a committee, the committee is responsible for overseeing related remediation.
Our CISO is responsible for the overall administration and execution of the information security program and reports to our Chief Risk Officer (“CRO”). Our CISO has over fifteen years of experience working in information security and risk for a variety of companies and organizations, including multiple financial institutions. The CISO monitors the security of, among other things, systems, applications, tools, databases, computers, websites, cloud infrastructure, vendor tools, and user access systems. The CISO performs an annual information security risk assessment, which, among other things, documents inherent risk levels and controls in place to manage those risks. The information security risk assessment is presented to the Board annually.
Cybersecurity Risk Role of Management [Text Block]
At the management level, the Enterprise Risk Management Committee (the “ERMC”) is primarily responsible for cybersecurity risk management. As it pertains to the information security program, the ERMC assesses and monitors information security risks and approves the information security policy on at least an annual basis. Certain instances of non-compliance with the information security policy are escalated to the ERMC, which may further escalate to the TOC as appropriate. Once escalated to a committee, the committee is responsible for overseeing related remediation.
Our CISO is responsible for the overall administration and execution of the information security program and reports to our Chief Risk Officer (“CRO”). Our CISO has over fifteen years of experience working in information security and risk for a variety of companies and organizations, including multiple financial institutions. The CISO monitors the security of, among other things, systems, applications, tools, databases, computers, websites, cloud infrastructure, vendor tools, and user access systems. The CISO performs an annual information security risk assessment, which, among other things, documents inherent risk levels and controls in place to manage those risks. The information security risk assessment is presented to the Board annually.
We strive to minimize the occurrence of cybersecurity incidents and the risks resulting from such incidents. However, when a cybersecurity incident does occur, the Company has in place an incident response program to guide our assessment of and response to the incident. The CISO coordinates the Company’s response to a cybersecurity incident, including investigating, recording and evaluating any potential, suspected or confirmed incidents involving non-public customer information or Company confidential information.
On a regular basis, the CISO discusses with the CRO information security risk issues, risk mitigation progress and developments and information security enhancement initiatives. The CISO reports to the TOC quarterly on information security developments and emerging risks, both in the industry and specific to the Company. The CISO and CRO report on the information security program, including the status of information security-related key risk indicators, to the TOC and the ERMC. The Information Security Policy is also approved by the TOC on an annual basis.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
At the management level, the Enterprise Risk Management Committee (the “ERMC”) is primarily responsible for cybersecurity risk management. As it pertains to the information security program, the ERMC assesses and monitors information security risks and approves the information security policy on at least an annual basis. Certain instances of non-compliance with the information security policy are escalated to the ERMC, which may further escalate to the TOC as appropriate. Once escalated to a committee, the committee is responsible for overseeing related remediation.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
Our CISO is responsible for the overall administration and execution of the information security program and reports to our Chief Risk Officer (“CRO”). Our CISO has over fifteen years of experience working in information security and risk for a variety of companies and organizations, including multiple financial institutions.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
At the management level, the Enterprise Risk Management Committee (the “ERMC”) is primarily responsible for cybersecurity risk management. As it pertains to the information security program, the ERMC assesses and monitors information security risks and approves the information security policy on at least an annual basis. Certain instances of non-compliance with the information security policy are escalated to the ERMC, which may further escalate to the TOC as appropriate. Once escalated to a committee, the committee is responsible for overseeing related remediation.
Our CISO is responsible for the overall administration and execution of the information security program and reports to our Chief Risk Officer (“CRO”). Our CISO has over fifteen years of experience working in information security and risk for a variety of companies and organizations, including multiple financial institutions. The CISO monitors the security of, among other things, systems, applications, tools, databases, computers, websites, cloud infrastructure, vendor tools, and user access systems. The CISO performs an annual information security risk assessment, which, among other things, documents inherent risk levels and controls in place to manage those risks. The information security risk assessment is presented to the Board annually.
We strive to minimize the occurrence of cybersecurity incidents and the risks resulting from such incidents. However, when a cybersecurity incident does occur, the Company has in place an incident response program to guide our assessment of and response to the incident. The CISO coordinates the Company’s response to a cybersecurity incident, including investigating, recording and evaluating any potential, suspected or confirmed incidents involving non-public customer information or Company confidential information.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true