Annual report [Section 13 and 15(d), not S-K Item 405]

Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

ITEM 1C. CYBERSECURITY.

Overview

The cybersecurity threat landscape is volatile and dynamic, requiring a robust and resilient framework to reduce and mitigate cybersecurity risk. Our cybersecurity risk includes exposure to failures or interruptions of service or security breaches resulting from malicious technological attacks that impact the confidentiality, integrity, or availability of our or third parties’ operations, systems, or data. We seek to mitigate cybersecurity risk and associated reputational and compliance risk by, among other things:

• leveraging the National Institute of Standards and Technology framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover;
• maintaining privacy policies, management oversight, accountability structures, and technology design processes to protect private and personal data;
• actively monitoring and mitigating cybersecurity threats and risks with a three lines of defense structure to provide oversight, governance, challenge, and testing;
• managing a third-party cybersecurity oversight program;
• maintaining oversight of our information security program by senior management, our board-level Risk Committee, and our Board of Directors; and
• using a comprehensive Cybersecurity Incident Response Plan intended to provide a documented framework to enable us to mitigate the impact of, and recover from, any cyberattacks, and facilitate communication to internal and external stakeholders, as appropriate.

We had no material cybersecurity incidents in 2024. While to date, we have not experienced a significant compromise, attack, or loss of data related to cybersecurity attacks, due to the nature of our business, we are under constant threat of an attack and could experience a significant cybersecurity event in the future. Attacks are increasingly sophisticated and increasing in volume, and attackers respond rapidly to changes in defensive measures. Accordingly, risks related to a cybersecurity event, including litigation and enforcement risks, are elevated due to the dynamic nature and sophistication and frequency of these threats, and the expanding use of Internet banking, mobile banking and other technology-based products in our industry. Potential risks we could face from a cybersecurity event are discussed in “Risk Factors” above.

Risk Management and Strategy

Our cybersecurity risk management strategy is integrated into our enterprise risk management framework and is embedded in each of our three lines of defense. We use a combination of management expertise and Board oversight, as discussed below, as well as outside consultants to assist us in overseeing our cybersecurity risk management program. We deploy safeguards designed to protect customer information and our own corporate information and technology. We have programs and processes in place designed to mitigate known attacks, and we use both internal and external resources to scan for vulnerabilities in our applications, systems, and platforms. We implement backup and recovery systems and require the same of our third-party service providers.

We devote significant resources to cybersecurity and risk management processes and continue to expand investments in information security and cybersecurity by attracting and retaining top talent, fostering continuous education and improvement, and leveraging advanced technology and innovative solutions, including partnerships with third-party vendors, to strengthen our information security and cybersecurity capabilities. We use independent third-party service providers to perform penetration testing of our infrastructure to help us better understand the effectiveness of our controls, improve our defenses, and conduct assessments of our program for compliance with regulatory requirements, industry guidelines, and best practices. We also engage with outside risk experts and industry groups, including other peer institutions, as needed, to help us evaluate potential future threats and trends, particularly with respect to emerging information security and fraud risks. In addition, we use a Third-Party Risk Management program to help mitigate risks with our third- and fourth-party providers; however, our ability to monitor our service providers’ cybersecurity practices is limited. We generally have agreements with our service providers that include requirements related to cybersecurity and data privacy; however, we cannot guarantee that such agreements will prevent a cyber incident from impacting our systems or information. Additionally, we may not be able to obtain adequate or any reimbursement from our service providers in the event we suffer any such incidents. Due to applicable laws and regulations or contractual obligations, we may be held responsible for cyber incidents attributed to our service providers in relation to any data that we share with them.

Governance

Through established governance structures, including our problem and incident management process and Cybersecurity Incident Response Plan, we have processes and procedures to help facilitate appropriate and effective oversight of cybersecurity risk. These processes and procedures help enable our three lines of defense and management to identify, protect, detect, respond, and recover from cybersecurity risks, monitor threats, and provide for further escalation to executive management, our management-level Disclosure Committee, our board-level Risk Committee, or to the full Board, as appropriate.

Role of the Board of Directors

Our Board of Directors plays a critical role in the oversight of risk, including risks from cybersecurity threats, and has established a risk oversight structure that seeks to ensure that cybersecurity risks are identified, monitored, assessed, and mitigated appropriately. In that regard, our Board is actively engaged in the oversight of our cyber risk profile, which includes, but is not limited to, risks from cybersecurity threats, enterprise cyber strategy, and key cyber initiatives. Our Board regularly receives reports on such matters from our Chief Information Officer, Chief Information Security Officer, and other relevant personnel. Our Board also meets with our internal and external auditors, and federal and state regulators to review and discuss reports on risk, examination, and regulatory compliance matters.

Our board-level Risk Committee is responsible for assisting the Board in its oversight of risk, including cybersecurity threats, and for overseeing our enterprise risk management framework. The Risk Committee actively engages with our Chief Risk Officer and other members of management to discuss major risk exposures, establish risk management principles, and determine our risk appetite, and regularly reports on its activities to, and makes recommendations to, the full Board. The Risk Committee receives a quarterly summary analysis of cybersecurity risks, threats, and incidents. In addition, the Risk Committee is engaged, as needed, in accordance with our Cybersecurity Incident Response Plan.

Role of Management

Our cybersecurity risk management program is built on three lines of defense, which collectively are designed to identify, assess, and manage our material risks from cybersecurity threats. Our Chief Risk Officer is responsible for implementing our enterprise risk management framework and reports directly to our Chief Executive Officer.

Our Information Security department, which is our first line of defense, operates under our Chief Information Security Officer, who manages preventative and detective controls to protect against cybersecurity risks and responds to cyber incidents and data breaches. Our Chief Information Security Officer has 28 years of cybersecurity experience, with 13 years serving financial institutions in senior leadership or executive security roles. At least annually, the first line of defense conducts mandatory teammate training on information security and provides ongoing information security education and awareness for teammates, such as online training classes, mock phishing attacks, and information security awareness materials. The first line of defense also conducts regular exercises that simulate cyber-attacks and provide lessons learned that continuously improve our incident response plans. Our cybersecurity risk management program is designed to maintain and challenge our information security defense system, as well as monitor, respond to, evaluate, and escalate cyber threats. We also have a business risk manager within our first line of defense whose role is to focus on evaluating, managing, and escalating technology risks. The escalation process includes regular escalation reports of problem incidents, including cybersecurity threats, which allows for collaborative threat management by the first and second lines of defense.

The second line of defense independently evaluates, monitors, and challenges our risk mitigation efforts to proactively identify cybersecurity risks, including early-stage engagement and risk management with emerging threats. Second line teammates provide effective challenge to the cybersecurity risk management efforts of the first line through ongoing engagement in problem incidents, regular reviews of cybersecurity risk reporting, and inquiries into the sufficiency of risk management activities. Our second line of defense leads our management-level Technology and Third-Party Risk Committee, which governs our technology and third-party risk tolerances, including cybersecurity. This committee includes the Chief Information Security Officer and is co-sponsored by the Chief Information Officer, the Chief Risk Officer, and the Director of Vendor Risk Management and Sourcing. These individuals have relevant financial, technical, and business degrees, hold relevant certifications, and each has over 20 years of experience in their respective areas of expertise, with a minimum of ten years in leadership roles, including multiple years at financial institutions. The Committee is responsible for escalating key risks to our Management Risk Committee, which includes all members of our Executive Leadership Team, as well as our Head of Business Risk, who operates within our first line of defense.

Internal Audit serves as the third line of defense and provides independent assurance on how effectively we are mitigating, managing, and challenging our cybersecurity risks.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Our cybersecurity risk management strategy is integrated into our enterprise risk management framework and is embedded in each of our three lines of defense.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Board of Directors Oversight [Text Block]

Role of the Board of Directors

Our Board of Directors plays a critical role in the oversight of risk, including risks from cybersecurity threats, and has established a risk oversight structure that seeks to ensure that cybersecurity risks are identified, monitored, assessed, and mitigated appropriately. In that regard, our Board is actively engaged in the oversight of our cyber risk profile, which includes, but is not limited to, risks from cybersecurity threats, enterprise cyber strategy, and key cyber initiatives. Our Board regularly receives reports on such matters from our Chief Information Officer, Chief Information Security Officer, and other relevant personnel. Our Board also meets with our internal and external auditors, and federal and state regulators to review and discuss reports on risk, examination, and regulatory compliance matters.

Our board-level Risk Committee is responsible for assisting the Board in its oversight of risk, including cybersecurity threats, and for overseeing our enterprise risk management framework. The Risk Committee actively engages with our Chief Risk Officer and other members of management to discuss major risk exposures, establish risk management principles, and determine our risk appetite, and regularly reports on its activities to, and makes recommendations to, the full Board. The Risk Committee receives a quarterly summary analysis of cybersecurity risks, threats, and incidents. In addition, the Risk Committee is engaged, as needed, in accordance with our Cybersecurity Incident Response Plan.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Risk Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Risk Committee actively engages with our Chief Risk Officer and other members of management to discuss major risk exposures, establish risk management principles, and determine our risk appetite, and regularly reports on its activities to, and makes recommendations to, the full Board.
Cybersecurity Risk Role of Management [Text Block]

Role of Management

Our cybersecurity risk management program is built on three lines of defense, which collectively are designed to identify, assess, and manage our material risks from cybersecurity threats. Our Chief Risk Officer is responsible for implementing our enterprise risk management framework and reports directly to our Chief Executive Officer.

Our Information Security department, which is our first line of defense, operates under our Chief Information Security Officer, who manages preventative and detective controls to protect against cybersecurity risks and responds to cyber incidents and data breaches. Our Chief Information Security Officer has 28 years of cybersecurity experience, with 13 years serving financial institutions in senior leadership or executive security roles. At least annually, the first line of defense conducts mandatory teammate training on information security and provides ongoing information security education and awareness for teammates, such as online training classes, mock phishing attacks, and information security awareness materials. The first line of defense also conducts regular exercises that simulate cyber-attacks and provide lessons learned that continuously improve our incident response plans. Our cybersecurity risk management program is designed to maintain and challenge our information security defense system, as well as monitor, respond to, evaluate, and escalate cyber threats. We also have a business risk manager within our first line of defense whose role is to focus on evaluating, managing, and escalating technology risks. The escalation process includes regular escalation reports of problem incidents, including cybersecurity threats, which allows for collaborative threat management by the first and second lines of defense.

The second line of defense independently evaluates, monitors, and challenges our risk mitigation efforts to proactively identify cybersecurity risks, including early-stage engagement and risk management with emerging threats. Second line teammates provide effective challenge to the cybersecurity risk management efforts of the first line through ongoing engagement in problem incidents, regular reviews of cybersecurity risk reporting, and inquiries into the sufficiency of risk management activities. Our second line of defense leads our management-level Technology and Third-Party Risk Committee, which governs our technology and third-party risk tolerances, including cybersecurity. This committee includes the Chief Information Security Officer and is co-sponsored by the Chief Information Officer, the Chief Risk Officer, and the Director of Vendor Risk Management and Sourcing. These individuals have relevant financial, technical, and business degrees, hold relevant certifications, and each has over 20 years of experience in their respective areas of expertise, with a minimum of ten years in leadership roles, including multiple years at financial institutions. The Committee is responsible for escalating key risks to our Management Risk Committee, which includes all members of our Executive Leadership Team, as well as our Head of Business Risk, who operates within our first line of defense.

Internal Audit serves as the third line of defense and provides independent assurance on how effectively we are mitigating, managing, and challenging our cybersecurity risks.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Chief Risk Officer
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our second line of defense leads our management-level Technology and Third-Party Risk Committee, which governs our technology and third-party risk tolerances, including cybersecurity. This committee includes the Chief Information Security Officer and is co-sponsored by the Chief Information Officer, the Chief Risk Officer, and the Director of Vendor Risk Management and Sourcing. These individuals have relevant financial, technical, and business degrees, hold relevant certifications, and each has over 20 years of experience in their respective areas of expertise, with a minimum of ten years in leadership roles, including multiple years at financial institutions. The Committee is responsible for escalating key risks to our Management Risk Committee, which includes all members of our Executive Leadership Team, as well as our Head of Business Risk, who operates within our first line of defense.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

The second line of defense independently evaluates, monitors, and challenges our risk mitigation efforts to proactively identify cybersecurity risks, including early-stage engagement and risk management with emerging threats. Second line teammates provide effective challenge to the cybersecurity risk management efforts of the first line through ongoing engagement in problem incidents, regular reviews of cybersecurity risk reporting, and inquiries into the sufficiency of risk management activities. Our second line of defense leads our management-level Technology and Third-Party Risk Committee, which governs our technology and third-party risk tolerances, including cybersecurity. This committee includes the Chief Information Security Officer and is co-sponsored by the Chief Information Officer, the Chief Risk Officer, and the Director of Vendor Risk Management and Sourcing. These individuals have relevant financial, technical, and business degrees, hold relevant certifications, and each has over 20 years of experience in their respective areas of expertise, with a minimum of ten years in leadership roles, including multiple years at financial institutions. The Committee is responsible for escalating key risks to our Management Risk Committee, which includes all members of our Executive Leadership Team, as well as our Head of Business Risk, who operates within our first line of defense.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true