XML 115 R101.htm IDEA: XBRL DOCUMENT v3.25.1
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] As a publicly-traded financial institution, we are subject to various cybersecurity risks that could adversely affect our business, financial condition, results of operations and reputation, including, but not limited to, cyber-attacks against us or our service providers focused on gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data or causing operational disruption. As described below, we have risk management and governance practices and processes designed to address these risks.

The Company has established an enterprise risk management framework that outlines the processes and procedures the Company uses to identify, assess, mitigate, and monitor the risks faced by the Company, including cybersecurity risk. Within the overarching enterprise risk management framework, we have an information security program (“ISP”) designed to preserve the confidentiality, integrity, and availability of information or data on our systems and those of our service providers, as documented in our information security policy.

The Company maintains an ISP to support the management of cybersecurity risk as an integral component of the Company’s ERM framework. The ISP encompasses the Company’s cybersecurity policies and practices and procedures that we use to identify, assess, mitigate, and monitor the risks faced by the Company. In addition, as part of the ISP, the Company has a Cyberecurity Incident Response Policy (“CIRP”) and Incident Response Team (“IRT”).
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] The Company has established an enterprise risk management framework that outlines the processes and procedures the Company uses to identify, assess, mitigate, and monitor the risks faced by the Company, including cybersecurity risk.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] Based on information known to us, to date, we have not incurred any material losses related to cybersecurity incidents. However, the risk management and governance processes described above may not be sufficient to prevent cybersecurity incidents, and we could incur substantial costs and suffer other negative consequences from cybersecurity incidents. We can give no assurance that we have detected or protected against all cybersecurity threats or incidents. Please refer to “A failure in or breach of our operational or security systems or infrastructure, or those of our third party vendors and other service providers, including as a result of cyber-attacks, could disrupt our business, result in the disclosure or misuse of confidential or proprietary information, damage our reputation, increase our costs and cause losses” included “Item 1A, Risk Factors” of this Annual Report on Form 10-K for additional information about material risks related to cybersecurity threats.
Cybersecurity Risk Board of Directors Oversight [Text Block] The Board is responsible for the oversight of cybersecurity risk management. In 2022, we elevated the Enterprise Risk Committee to a “committee of the whole” of the Bank’s board of directors. At the second board meeting of each calendar quarter, a significant portion of the meeting is dedicated to enterprise risk management. At that board meeting, management presents the enterprise risk management matrix, including the portions related to cybersecurity, to the board. In addition, the board receives regular reports from management on our cybersecurity threat risk management and strategic processes on topics including information on any cybersecurity incidents (including any remedial actions), including, for example, results of our EDR and XDR programs.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] In 2022, we elevated the Enterprise Risk Committee to a “committee of the whole” of the Bank’s board of directors.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] At that board meeting, management presents the enterprise risk management matrix, including the portions related to cybersecurity, to the board. In addition, the board receives regular reports from management on our cybersecurity threat risk management and strategic processes on topics including information on any cybersecurity incidents (including any remedial actions), including, for example, results of our EDR and XDR programs.
Cybersecurity Risk Role of Management [Text Block] Management determines and prioritizes appropriate risk responses for each identified enterprise risk. In doing so, executive and senior management work directly with our information technology team and our ISO. Management is accountable for our day-to-day risk management activities.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] At the management level, the Company has designated an information security officer (“ISO”). Our ISO is responsible for the overall administration and execution of the ISP and reports to our EVP-General Counsel. Our ISO has over twenty years of experience working in information security. The ISO monitors the security of, among other things, systems, applications, tools, databases, computers, websites, cloud infrastructure, vendor tools, and user access systems. The ISO also works with and oversees third-party vendors that provide us with information security services and products. The ISO performs an annual information security risk assessment, which, among other things, documents inherent risk levels and controls in place to manage those risks. The information security risk assessment is presented to the Board annually. The ISO has various professional certifications in relevant fields. The ISO is responsible for administering and executing the ISP and formulating a risk-based approach for evaluating and managing technology and cybersecurity threats.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our ISO has over twenty years of experience working in information security.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] On a regular basis, the ISO reports to executive management and the Board information security risk issues, risk mitigation progress and developments, and information security enhancement initiatives. The ISO also reports the status of information security-related key risk indicators to executive management.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true