Cybersecurity Risk Management and Strategy Disclosure | 12 Months Ended
---|---
| Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items] |
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] |
Item 1C. Cybersecurity
The Company recognizes the importance of maintaining a cybersecurity risk management system designed to reduce the risks that cybersecurity threats pose to financial institutions. As such, the Company has adopted proactive and defensive safeguards intended to better protect the Company’s information assets and supporting infrastructures from technology-related attacks. The Company’s Board of Directors and management oversee its information security and cybersecurity risk management programs. As further discussed below, the Company has established various programs, policies and procedures which are designed to proactively protect information assets. However, not all incidents can be prevented. As a result, the Company has also established a policy and cybersecurity incident response plan governing how to respond to security incidents, with the objective of minimizing any potential impacts. As of December 31, 2024, the Company is not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect Peoples Bank, including its business strategies, results of operations or financial condition.
Risk Assessment and Management
The Company maintains a variety of programs and policies to support the management of cybersecurity risk within the organization with a focus on prevention, detection and response processes. These programs and policies leverage frameworks and controls from the National Institute of Standards and Technology as well as various other regulatory requirements and industry-specific standards. The Company also participates in the federally recognized Financial Services Information Sharing and Analysis Center and requires its employees and contractors to complete various education and training programs related to information security.
The Company’s Information Technology (“IT”) team along with a Virtual Chief Information Security Officer (“vCISO”) provider has the primary responsibility for establishing appropriate policies and procedures that are responsive to cybersecurity threats and other information security risks. The Company’s vCISO, as part of the Company’s Risk Management division, provides independent risk management oversight to the IT team. In addition to the Board oversight discussed below, the Company’s Internal Audit function independently oversees, reviews and validates these activities and reports to the Board of Directors on the effectiveness of governance, risk management and internal controls.
The Company has established an Enterprise Risk Management Framework which informs the Company’s risk management programs. As part of this framework, the vCISO maintains the Company’s Cybersecurity Risk Management Program, which is designed to identify, assess, manage, monitor and report cybersecurity risks as part of the Company’s independent risk management function. The vCISO is responsible for defining the risk management practices set forth in the Cybersecurity Program.
In light of the complexity and evolving nature of the cybersecurity landscape, the Company periodically re-assesses the maturity of its cybersecurity programs, policies and procedures, including in some instances by engaging the assistance of external experts. The Company also conducts exercises to test its incident response plans and threat assessments, some of which also involve assistance from external consultants.
The Company also maintains a Third Party Risk Management Program to perform similar functions related to risks associated with the Company’s relationships with third parties. This assists the Company in managing its relationships with third parties, which includes considerations for identifying, analyzing and monitoring the cybersecurity risks that third parties may present to Peoples Bank. The Company also maintains a third-party incident response program to govern its response in the event of third-party cybersecurity events. |
Cybersecurity Risk Management Processes Integrated [Flag] | true |
Cybersecurity Risk Management Third Party Engaged [Flag] | true |
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
Cybersecurity Risk Board of Directors Oversight [Text Block] |
Board of Directors Oversight
The Risk Management and Compliance Committee of the Company’s Board of Directors takes primary responsibility for overseeing the Company’s information security programs at the Board level. The Risk Management and Compliance Committee’s primary purpose is to assist the Board of Directors in its oversight of plans and operations related to information technology, cybersecurity, data privacy and third-party technology strategy.
The Company’s Risk Management and Compliance Committee of the Board of Directors oversees the Company’s Enterprise Risk Management Framework and policies, including oversight of risks related to information security. The Risk Management and Compliance Committee receives periodic reports from the Enterprise Risk Management Committee.
The full Board of Directors receives reports from the Risk Management and Compliance Committee about the Company’s cybersecurity programs as a result of the above-described oversight. In the event of a material cybersecurity incident, the Company’s incident response procedures include notifications to the Risk Management and Compliance Committee and full Board of Directors, when appropriate and necessary.
Management Oversight
The Company’s Enterprise Risk Management Committee (“ERM”) is a management committee that reviews and discusses critical information security risks that impact the Company, identifies solutions to address these risks and has oversight of the Company’s information technology and information security policies. The ERM Committee provides cybersecurity reports periodically to the Risk Management Committee and comprises the Company’s information technology and enterprise risk management leaders, including the Virtual Chief Information Security Officer (“vCISO”), Chief Information Officer, and Chief Risk Officer. The ERM Committee’s membership enables it to be informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents, if any, in accordance with the Company’s incident response plans.
The Company’s vCISO is responsible for information security policies and the coordination of information security efforts across the organization. The vCISO has over 10 years of experience in various information security roles, including working with banking, healthcare, and manufacturing organizations. Prior to his current role, the vCISO served in both network security and IT audit roles, conducting services for banks of various sizes and complexities. The vCISO maintains his Certified Information Security Manager (CISM), Certified Banking Security Manager (CBSM), Certified Banking Security Technology Professional (CBSTP), and Certified Banking Cybersecurity Manager (CBCM) certifications and received his Bachelor of Science in Network Security and Administration. The Company’s vCISO reports to the Chief Risk Officer. The vCISO also reports directly to the ERM Committee.
The vCISO remains informed about developments in cybersecurity, including potential threats and emerging risk management techniques, reporting such information to the Chief Information Officer and ERM Committee periodically. The vCISO advises on processes for the regular monitoring of information systems. This includes the deployment of advanced security measures and system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the IT team is equipped with a well-defined incident response plan. This plan includes immediate actions designed to mitigate the impact of any incident, and long-term strategies for remediation and prevention of future incidents. |
Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |