Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy 

As a financial institution, we believe that the risk of cybersecurity incidents is a significant, increasing, and always evolving risk for our business. Federal law and regulations require us to maintain a comprehensive written information security program, and federal banking regulators regularly issue guidance regarding cybersecurity threats intended to enhance our cybersecurity risk management. Accordingly, we have developed and implemented processes for assessing, identifying and managing material risks from cybersecurity threats designed to comply with federal law and regulations and protect against cybersecurity threats to our business. Our program is supported by management and the Board. The Company maintains an active cyber insurance policy to enhance protections against material data intrusions or loss of privacy. For an overview of the federal banking laws and regulations that govern our management and oversight of cybersecurity risks, refer to Item 1. Business – Supervision and Regulation – “Financial Privacy and Cybersecurity Requirements,” incorporated by reference into this Item 1C.

The Company’s IS Program is comprised of five pillars: the Information Security Policy, the Enterprise Information Security Risk Assessment, the Incident Response Plan, a formalized Security Awareness Campaign, and an enterprise monitoring and reporting program.

The Information Security Policy contains numerous distinct administrative and technical controls that govern data security for the organization and is based on the NIST Cybersecurity Framework. The policy is reviewed and approved by the Board annually.

The Enterprise Information Security Risk Assessment quantifies risk criteria utilizing the same impact measures, including financial, strategic, operational, and reputational, set forth by the Enterprise Risk Committee. The risk assessment is reviewed and approved by the Board annually. The Enterprise Risk Committee includes members of management from various departments and members of the Board and oversees the overall risk management of the Company. The Enterprise Risk Committee meets as often as appropriate to perform its responsibilities, but no less than once per calendar quarter and reports findings and provides recommendations to the Board on a routine basis.

The Incident Response Plan (IRP) includes procedures for responding to actual or potential cybersecurity incidents, including providing timely notice to customers and our bank regulatory agencies when appropriate. The IRP is based on the NIST Cybersecurity Framework. The plan is tested annually through tabletop exercises.

The Security Awareness Campaign is designed with the goal that employees are educated on policy, threats, and best practices from onboarding and throughout their tenure at the Company. This effort includes an onboarding training program, annual attestation and training, and weekly communication designed to help instill in employees a security mindset through repetition.

The Company maintains an enterprise monitoring and reporting program, which identifies key risk indicators for tracking and identifying trends. The key risk indicators are presented to the Company’s IT Committee monthly and the Board on a quarterly basis.

The IS Program is monitored each year through various internal and external audits, as well as OCC regulatory exams. Vulnerability and penetration testing are also conducted at least annually by an independent third party to supplement the vulnerability and patching program routinely performed by internal staff. Third-party vendors supplement the Company’s internal patching program as necessary. The Company also utilizes a third-party “SOC as a Service” to monitor extended detection and response logs and network traffic.

Third-party service provider risk is evaluated prior to and throughout the relationship. Third-party service providers must meet a minimum set of baseline security standards prior to being onboarded. During onboarding, the third party and the services they provide are added to the Information Security Risk Assessment, including consideration of inherent risk factors and mitigating controls. Alternative vendors and the effort to transition between vendors are identified during onboarding as well as in the event that the selected provider may fail in providing contracted services at any time. After a third party is onboarded, they are subject to the annual third-party risk management program, specific to their assigned risk criticality. This effort includes the review of service organization controls reports, business continuity and disaster recovery efforts, insurance certificates, and other compliance related concerns when applicable.

We have not experienced any cybersecurity incidents that have materially affected our Company, including our business, strategy, results of operations or financial condition. For a discussion of how risks from cybersecurity threats may be reasonably likely to materially affect us, refer to Item 1A. Risk Factors – Risks Related to our Business – “We rely on information technology and telecommunications systems, many of which are provided by third-party vendors” and – “Cyberattacks or other security breaches could adversely affect our operations, net income or reputation,” incorporated by reference into this Item 1C.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] As a financial institution, we believe that the risk of cybersecurity incidents is a significant, increasing, and always evolving risk for our business. Federal law and regulations require us to maintain a comprehensive written information security program, and federal banking regulators regularly issue guidance regarding cybersecurity threats intended to enhance our cybersecurity risk management. Accordingly, we have developed and implemented processes for assessing, identifying and managing material risks from cybersecurity threats designed to comply with federal law and regulations and protect against cybersecurity threats to our business. Our program is supported by management and the Board. The Company maintains an active cyber insurance policy to enhance protections against material data intrusions or loss of privacy.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] We have not experienced any cybersecurity incidents that have materially affected our Company, including our business, strategy, results of operations or financial condition.
Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance

The Board is responsible for oversight of risks from cybersecurity threats. Oversight of cybersecurity risk management is performed primarily by the Board and the IT Committee. The IT Committee’s primary purpose is to assist the Board in its oversight of technology and innovation strategies, plans and operations related to cybersecurity, data privacy, and third-party technology risk management. Of the IT Committee members who are not Board members, only our CIO and CISO are responsible for assessing and managing cybersecurity risks, and the other committee members are responsible for oversight. The CISO provides monthly information security reports to the Board and IT Committee on cybersecurity programs, policies and controls, key risk indicators and trends including responses to any cybersecurity events, and efforts to improve security. Annually, the CISO provides security training to the Board. The CISO also provides the Board with an annual Information Security Program Summary Report in compliance with federal banking guidelines.

The IS Program is managed by the CISO who reports to the Chief Operations Officer and is reviewed by regulators as well as internal auditors. An information security analyst reports to the CISO and performs security and assurance functions daily. The CIO and information technology staff support the CISO in cybersecurity operations as necessary to mitigate risks to the Company's technology infrastructure. The CISO holds two cybersecurity industry leading certifications (Certified Information Systems Security Professional and Certified Cloud Security Professional) and has more than 20 years of technology experience. The CIO has been in the information technology field for over 30 years and at various points held the following certifications: Cisco Certified Internetwork Expert, Cisco Certified Network Professional, Cisco Certified Voice Professional, Cisco Certified Design Professional, and Microsoft Certified Systems Engineer. The information security analyst has over five years of experience and holds ISC2’s “Certified in Cybersecurity” and CompTIA’s Security+ certification. Information technology staff are generally subject to professional education, experience, and certification requirements, and receive education and mentoring from the CISO and CIO.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Board is responsible for oversight of risks from cybersecurity threats. Oversight of cybersecurity risk management is performed primarily by the Board and the IT Committee. The IT Committee’s primary purpose is to assist the Board in its oversight of technology and innovation strategies, plans and operations related to cybersecurity, data privacy, and third-party technology risk management. Of the IT Committee members who are not Board members, only our CIO and CISO are responsible for assessing and managing cybersecurity risks, and the other committee members are responsible for oversight. The CISO provides monthly information security reports to the Board and IT Committee on cybersecurity programs, policies and controls, key risk indicators and trends including responses to any cybersecurity events, and efforts to improve security. Annually, the CISO provides security training to the Board. The CISO also provides the Board with an annual Information Security Program Summary Report in compliance with federal banking guidelines.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Board is responsible for oversight of risks from cybersecurity threats. Oversight of cybersecurity risk management is performed primarily by the Board and the IT Committee. The IT Committee’s primary purpose is to assist the Board in its oversight of technology and innovation strategies, plans and operations related to cybersecurity, data privacy, and third-party technology risk management. Of the IT Committee members who are not Board members, only our CIO and CISO are responsible for assessing and managing cybersecurity risks, and the other committee members are responsible for oversight. The CISO provides monthly information security reports to the Board and IT Committee on cybersecurity programs, policies and controls, key risk indicators and trends including responses to any cybersecurity events, and efforts to improve security. Annually, the CISO provides security training to the Board. The CISO also provides the Board with an annual Information Security Program Summary Report in compliance with federal banking guidelines.
Cybersecurity Risk Role of Management [Text Block] The IS Program is managed by the CISO who reports to the Chief Operations Officer and is reviewed by regulators as well as internal auditors. An information security analyst reports to the CISO and performs security and assurance functions daily. The CIO and information technology staff support the CISO in cybersecurity operations as necessary to mitigate risks to the Company's technology infrastructure. The CISO holds two cybersecurity industry leading certifications (Certified Information Systems Security Professional and Certified Cloud Security Professional) and has more than 20 years of technology experience. The CIO has been in the information technology field for over 30 years and at various points held the following certifications: Cisco Certified Internetwork Expert, Cisco Certified Network Professional, Cisco Certified Voice Professional, Cisco Certified Design Professional, and Microsoft Certified Systems Engineer. The information security analyst has over five years of experience and holds ISC2’s “Certified in Cybersecurity” and CompTIA’s Security+ certification. Information technology staff are generally subject to professional education, experience, and certification requirements, and receive education and mentoring from the CISO and CIO.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The IS Program is managed by the CISO who reports to the Chief Operations Officer and is reviewed by regulators as well as internal auditors. An information security analyst reports to the CISO and performs security and assurance functions daily. The CIO and information technology staff support the CISO in cybersecurity operations as necessary to mitigate risks to the Company's technology infrastructure. The CISO holds two cybersecurity industry leading certifications (Certified Information Systems Security Professional and Certified Cloud Security Professional) and has more than 20 years of technology experience. The CIO has been in the information technology field for over 30 years and at various points held the following certifications: Cisco Certified Internetwork Expert, Cisco Certified Network Professional, Cisco Certified Voice Professional, Cisco Certified Design Professional, and Microsoft Certified Systems Engineer. The information security analyst has over five years of experience and holds ISC2’s “Certified in Cybersecurity” and CompTIA’s Security+ certification. Information technology staff are generally subject to professional education, experience, and certification requirements, and receive education and mentoring from the CISO and CIO.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The IS Program is managed by the CISO who reports to the Chief Operations Officer and is reviewed by regulators as well as internal auditors. An information security analyst reports to the CISO and performs security and assurance functions daily. The CIO and information technology staff support the CISO in cybersecurity operations as necessary to mitigate risks to the Company's technology infrastructure. The CISO holds two cybersecurity industry leading certifications (Certified Information Systems Security Professional and Certified Cloud Security Professional) and has more than 20 years of technology experience. The CIO has been in the information technology field for over 30 years and at various points held the following certifications: Cisco Certified Internetwork Expert, Cisco Certified Network Professional, Cisco Certified Voice Professional, Cisco Certified Design Professional, and Microsoft Certified Systems Engineer. The information security analyst has over five years of experience and holds ISC2’s “Certified in Cybersecurity” and CompTIA’s Security+ certification. Information technology staff are generally subject to professional education, experience, and certification requirements, and receive education and mentoring from the CISO and CIO.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Board is responsible for oversight of risks from cybersecurity threats. Oversight of cybersecurity risk management is performed primarily by the Board and the IT Committee. The IT Committee’s primary purpose is to assist the Board in its oversight of technology and innovation strategies, plans and operations related to cybersecurity, data privacy, and third-party technology risk management. Of the IT Committee members who are not Board members, only our CIO and CISO are responsible for assessing and managing cybersecurity risks, and the other committee members are responsible for oversight. The CISO provides monthly information security reports to the Board and IT Committee on cybersecurity programs, policies and controls, key risk indicators and trends including responses to any cybersecurity events, and efforts to improve security. Annually, the CISO provides security training to the Board. The CISO also provides the Board with an annual Information Security Program Summary Report in compliance with federal banking guidelines.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true