Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
We recognize the critical importance of maintaining the safety and security of our technology systems and data and have a holistic process for overseeing and managing cybersecurity and information technology related risks. This process is supported by both management and our Board. The Audit Committee of our Board (the “Audit Committee”) has oversight of the Company’s risk management program, and cybersecurity is a component of our overall approach to risk management.

Our cybersecurity policies, standards, processes and practices are integrated across our operational risk management programs and are based on industry recognized frameworks. A cybersecurity threat is any potential unauthorized occurrence, on or conducted through, our information systems that may result in adverse effects on the confidentiality, integrity or availability of our information systems or any information residing therein.

Cybersecurity risk management and strategy

As one of the critical elements of our overall risk management program, our cybersecurity program is focused on the following key areas:

Technical & Administrative Safeguards: We deploy technical and administrative safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are regularly evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.
Incident Response & Recovery Planning: We have established and maintain incident response and recovery plans that address our response procedures in the event of a multitude of various cybersecurity incidents, and such plans are tested and evaluated on a regular basis.
Third-Party Risk Management: We maintain a preemptive and comprehensive risk-based approach to identifying and overseeing potential cybersecurity risks presented by third parties, including our vendors, service providers and other external users of our systems. We conduct cybersecurity assessments of third-party vendors that we engage with in our operations, which take place both upon initial engagement and annually, in order to identify and evaluate potential vulnerabilities, including on-site visits for evaluation of certain core operational third-party vendors. In addition, our agreements with material vendors, including with our subservicer, contain indemnification provisions with respect to cybersecurity matters.
Independent Assessments with Outside Consultants: In addition to the broad capabilities of our internal information security team, we also engage various outside consultants, including contractors, auditors, and other third parties, to among other things, conduct independent assessments and regular testing of our networks and systems to identify vulnerabilities through penetration testing, while also measuring and advising on potential improvements to our incident prevention, response and documentation procedures.
Team Member Education & Awareness: We provide in-depth training to new team members, as well as annual, mandatory training for all team members regarding cybersecurity threats as a means to equip our team members with effective tools to identify and prevent cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
We recognize the critical importance of maintaining the safety and security of our technology systems and data and have a holistic process for overseeing and managing cybersecurity and information technology related risks. This process is supported by both management and our Board. The Audit Committee of our Board (the “Audit Committee”) has oversight of the Company’s risk management program, and cybersecurity is a component of our overall approach to risk management.

Our cybersecurity policies, standards, processes and practices are integrated across our operational risk management programs and are based on industry recognized frameworks. A cybersecurity threat is any potential unauthorized occurrence, on or conducted through, our information systems that may result in adverse effects on the confidentiality, integrity or availability of our information systems or any information residing therein.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Our Board has delegated to the Audit Committee the responsibility for monitoring and overseeing our cybersecurity and other information technology risks, controls, strategies and procedures. The Audit Committee periodically evaluates our information security strategies to ensure effectiveness and, if appropriate, may also include a review from third-party consultants and experts. Our Senior Vice President and Chief Information Security Officer (“CISO”) presents and engages with the Audit Committee and the Board at least semi-annually and more frequently, as needed. Our CISO updates the Audit Committee and the Board on matters regarding information security policies and procedures and cybersecurity risk management strategy. We also established an Artificial Intelligence Governance Committee, which is an executive-level body that oversees the secure, responsible and strategic implementation of AI within our operations. In addition, the full Board may review and assess cybersecurity threats as part of its responsibilities for our risk management oversight.

In addition, we have a Risk Committee comprised of our top executives from across the Company, including our Chief Executive Officer, Chief Risk Officer, Chief Operating Officer, Chief Financial Officer, Chief People Officer, CISO and several other leaders across our legal, operational and reporting functions. The Risk Committee meets every month to discuss and address management of the risks facing our business. Technological risk is a regular component analyzed by our Risk Committee to identify and assess potential cybersecurity risks across our business operations.

Our Information Security team, led by our CISO, has a combined six decades of experience in information technology and cybersecurity. Furthermore, our CISO holds a number of certifications, including CISSP (Certified Information Systems Security Professional), serves on the CISO ExecNet Advisory Council and is active in a number of information security communities and groups. The Information Security team conducts periodic assessment and testing of our policies, standards, processes and practices that are designed to address a multitude of potential cybersecurity threats and incidents. These efforts include a wide range of activities, including penetration testing multiple times throughout the year, adoption and regular evaluation of incident response plans and procedures, regular team member email phishing test campaigns, email security monitoring, real-time vulnerability scanning and intrusion detection, team member cybersecurity awareness programs, regular audits and evaluations of internal and third-party systems, and continuous improvement of the information security management system.

Our CISO works collaboratively with leaders of each of our business operations teams to implement programs designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with incident response and recovery plans. We maintain a cyber incident response plan to timely, consistently, and compliantly address cybersecurity threats that may occur despite the Company’s safeguards. The response plan covers preparation, detection and analysis, containment and investigation, notification (which may include timely notice to the Board if deemed material or appropriate), eradication and recovery, and incident closure and post-incident analysis. Through ongoing communications with management, our CISO monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and reports such threats and incidents to our executive management and the Audit Committee when appropriate.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] In addition, we have a Risk Committee comprised of our top executives from across the Company, including our Chief Executive Officer, Chief Risk Officer, Chief Operating Officer, Chief Financial Officer, Chief People Officer, CISO and several other leaders across our legal, operational and reporting functions.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Risk Committee meets every month to discuss and address management of the risks facing our business. Technological risk is a regular component analyzed by our Risk Committee to identify and assess potential cybersecurity risks across our business operations.
Cybersecurity Risk Role of Management [Text Block]
Our Board has delegated to the Audit Committee the responsibility for monitoring and overseeing our cybersecurity and other information technology risks, controls, strategies and procedures. The Audit Committee periodically evaluates our information security strategies to ensure effectiveness and, if appropriate, may also include a review from third-party consultants and experts. Our Senior Vice President and Chief Information Security Officer (“CISO”) presents and engages with the Audit Committee and the Board at least semi-annually and more frequently, as needed. Our CISO updates the Audit Committee and the Board on matters regarding information security policies and procedures and cybersecurity risk management strategy. We also established an Artificial Intelligence Governance Committee, which is an executive-level body that oversees the secure, responsible and strategic implementation of AI within our operations. In addition, the full Board may review and assess cybersecurity threats as part of its responsibilities for our risk management oversight.
In addition, we have a Risk Committee comprised of our top executives from across the Company, including our Chief Executive Officer, Chief Risk Officer, Chief Operating Officer, Chief Financial Officer, Chief People Officer, CISO and several other leaders across our legal, operational and reporting functions. The Risk Committee meets every month to discuss and address management of the risks facing our business. Technological risk is a regular component analyzed by our Risk Committee to identify and assess potential cybersecurity risks across our business operations.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
Our Board has delegated to the Audit Committee the responsibility for monitoring and overseeing our cybersecurity and other information technology risks, controls, strategies and procedures. The Audit Committee periodically evaluates our information security strategies to ensure effectiveness and, if appropriate, may also include a review from third-party consultants and experts. Our Senior Vice President and Chief Information Security Officer (“CISO”) presents and engages with the Audit Committee and the Board at least semi-annually and more frequently, as needed. Our CISO updates the Audit Committee and the Board on matters regarding information security policies and procedures and cybersecurity risk management strategy. We also established an Artificial Intelligence Governance Committee, which is an executive-level body that oversees the secure, responsible and strategic implementation of AI within our operations. In addition, the full Board may review and assess cybersecurity threats as part of its responsibilities for our risk management oversight.

In addition, we have a Risk Committee comprised of our top executives from across the Company, including our Chief Executive Officer, Chief Risk Officer, Chief Operating Officer, Chief Financial Officer, Chief People Officer, CISO and several other leaders across our legal, operational and reporting functions. The Risk Committee meets every month to discuss and address management of the risks facing our business. Technological risk is a regular component analyzed by our Risk Committee to identify and assess potential cybersecurity risks across our business operations.

Our Information Security team, led by our CISO, has a combined six decades of experience in information technology and cybersecurity. Furthermore, our CISO holds a number of certifications, including CISSP (Certified Information Systems Security Professional), serves on the CISO ExecNet Advisory Council and is active in a number of information security communities and groups. The Information Security team conducts periodic assessment and testing of our policies, standards, processes and practices that are designed to address a multitude of potential cybersecurity threats and incidents. These efforts include a wide range of activities, including penetration testing multiple times throughout the year, adoption and regular evaluation of incident response plans and procedures, regular team member email phishing test campaigns, email security monitoring, real-time vulnerability scanning and intrusion detection, team member cybersecurity awareness programs, regular audits and evaluations of internal and third-party systems, and continuous improvement of the information security management system.

Our CISO works collaboratively with leaders of each of our business operations teams to implement programs designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with incident response and recovery plans. We maintain a cyber incident response plan to timely, consistently, and compliantly address cybersecurity threats that may occur despite the Company’s safeguards. The response plan covers preparation, detection and analysis, containment and investigation, notification (which may include timely notice to the Board if deemed material or appropriate), eradication and recovery, and incident closure and post-incident analysis. Through ongoing communications with management, our CISO monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and reports such threats and incidents to our executive management and the Audit Committee when appropriate.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
Our Information Security team, led by our CISO, has a combined six decades of experience in information technology and cybersecurity. Furthermore, our CISO holds a number of certifications, including CISSP (Certified Information Systems Security Professional), serves on the CISO ExecNet Advisory Council and is active in a number of information security communities and groups.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Information Security team conducts periodic assessment and testing of our policies, standards, processes and practices that are designed to address a multitude of potential cybersecurity threats and incidents. These efforts include a wide range of activities, including penetration testing multiple times throughout the year, adoption and regular evaluation of incident response plans and procedures, regular team member email phishing test campaigns, email security monitoring, real-time vulnerability scanning and intrusion detection, team member cybersecurity awareness programs, regular audits and evaluations of internal and third-party systems, and continuous improvement of the information security management system.
Our CISO works collaboratively with leaders of each of our business operations teams to implement programs designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with incident response and recovery plans. We maintain a cyber incident response plan to timely, consistently, and compliantly address cybersecurity threats that may occur despite the Company’s safeguards. The response plan covers preparation, detection and analysis, containment and investigation, notification (which may include timely notice to the Board if deemed material or appropriate), eradication and recovery, and incident closure and post-incident analysis. Through ongoing communications with management, our CISO monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and reports such threats and incidents to our executive management and the Audit Committee when appropriate.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true