Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Cybersecurity Risk Management and Strategy

The current threat environment, from phishing emails to cyber-attacks, has created an urgent need for increased awareness of cyber and information security. Peoples and the Bank take a risk-based approach to managing these threats. The Bank’s leadership team and its Board of Directors engage in the management of this risk by participating in the information security and cybersecurity strategy and review process.

Cyber and information security programs are designed around industry best practices. Compliance with these best practices along with federal and state regulatory requirements is examined annually by the Department of Banking and the FDIC, and we regularly engage third-party external auditors and consultants to assess our compliance.

Our cyber defense strategy includes continuous monitoring, integrated risk assessment, identification of vulnerabilities and human risk factors, and employee awareness. Cybersecurity exercises with other financial services companies and government agencies help prepare the Bank for cybersecurity threats and incidents. Incident response scenarios and business continuity exercises test the organization’s preparedness for disaster events. The organization also utilizes several national and global third-party advisors to ensure the appropriateness of the Bank’s security posture, effective operation of the cybersecurity discipline and proper assessment of risk.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

The current threat environment, from phishing emails to cyber-attacks, has created an urgent need for increased awareness of cyber and information security. Peoples and the Bank take a risk-based approach to managing these threats. The Bank’s leadership team and its Board of Directors engage in the management of this risk by participating in the information security and cybersecurity strategy and review process.

Cyber and information security programs are designed around industry best practices. Compliance with these best practices along with federal and state regulatory requirements is examined annually by the Department of Banking and the FDIC, and we regularly engage third-party external auditors and consultants to assess our compliance.

Our cyber defense strategy includes continuous monitoring, integrated risk assessment, identification of vulnerabilities and human risk factors, and employee awareness. Cybersecurity exercises with other financial services companies and government agencies help prepare the Bank for cybersecurity threats and incidents. Incident response scenarios and business continuity exercises test the organization’s preparedness for disaster events. The organization also utilizes several national and global third-party advisors to ensure the appropriateness of the Bank’s security posture, effective operation of the cybersecurity discipline and proper assessment of risk.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Board of Director Oversight

Our Board of Directors has ultimate oversight of cybersecurity risk. The Board of Directors is assisted by the Board Information Technology Committee (“IT Committee”), which regularly provides reports to the Board of Directors. The IT Committee is comprised of members with experience in managing cybersecurity risks. The IT Committee receives regular updates on cybersecurity risks and incidents and the cybersecurity program through direct interaction with the Chief Information Officer (“CIO”) and the Chief Risk Officer (“CRO”) through quarterly meetings. Cybersecurity reviews are completed at least twice annually and provided to the Board of Directors Audit Committee. Additionally, awareness and training on cybersecurity topics are provided to the whole Board on an annual basis.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Information Technology Committee (“IT Committee”)
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Board of Directors is assisted by the Board Information Technology Committee (“IT Committee”), which regularly provides reports to the Board of Directors. The IT Committee is comprised of members with experience in managing cybersecurity risks. The IT Committee receives regular updates on cybersecurity risks and incidents and the cybersecurity program through direct interaction with the Chief Information Officer (“CIO”) and the Chief Risk Officer (“CRO”) through quarterly meetings. Cybersecurity reviews are completed at least twice annually and provided to the Board of Directors Audit Committee.
Cybersecurity Risk Role of Management [Text Block]

Management’s Role

The CRO and the CIO along with the Information Security Officer are responsible for implementing and maintaining the Company's cybersecurity risk management program. The Information Security Department is led by the Information Security Officer, who reports directly to the CRO. The Chief Risk Officer and the Chief Information Officer report directly to the Board IT Committee and the Board. The Company’s CIO has over 30 years of experience in technology and cybersecurity, which includes 24 years in the financial services industry. The Information Security Officer has over 20 years in the financial services industry with the last 14 years as a Risk Analyst and then Information Security.

The Company’s Information Security department measures and reports on the quality of information and cyber risk management across all functions. Information security risk is reported by both the Information Security and Enterprise Risk departments through monthly management metric reporting working groups and multiple layers of quarterly risk committees to achieve an appropriate flow of information risk reporting to the Board. The risk committees include the Executive Risk Management Committee, the Management Information Technology Steering Committee and the Information Technology Committee of the Board of Directors. In addition, we have an escalation process in place to inform senior management and the Board of Directors of material cybersecurity issues.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The risk committees include the Executive Risk Management Committee, the Management Information Technology Steering Committee and the Information Technology Committee
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

The Company’s Information Security department measures and reports on the quality of information and cyber risk management across all functions. Information security risk is reported by both the Information Security and Enterprise Risk departments through monthly management metric reporting working groups and multiple layers of quarterly risk committees to achieve an appropriate flow of information risk reporting to the Board. The risk committees include the Executive Risk Management Committee, the Management Information Technology Steering Committee and the Information Technology Committee of the Board of Directors. In addition, we have an escalation process in place to inform senior management and the Board of Directors of material cybersecurity issues.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true