Cybersecurity Risk Management and Strategy Disclosure |
12 Months Ended |
---|---|
Dec. 31, 2024 | |
Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] |
As part of our enterprise risk assessment function, which is led by our Senior Vice President and head of Internal Audit, we have implemented processes to assess, identify and manage the material risks facing us, including from cyber threats. Our enterprise risk assessment function is part of our overall risk management processes. Our cybersecurity program is built upon internationally recognized frameworks, such as ISO 27001, and maps to standards published by The National Institute of Standards and Technology. We believe that our processes provide us with a reasonable and comprehensive assessment of potential cyber threats. We conduct regular scans, penetration tests, and vulnerability assessments to identify any potential threats or vulnerabilities in our systems. Our processes to assess, identify and manage the material risks from cyber threats include the risks arising from threats associated with third-party service providers, including cloud-based platforms.
We have developed a robust cyber crisis response plan which provides a documented framework for handling high severity security incidents and facilitates coordination across multiple parts of the company. Our incident response team constantly monitors threat intelligence feeds, handles vulnerability management and responds to incidents. In addition, we routinely perform simulations and drills at technical, management and executive levels.
Internally, we have a security awareness program which includes training that reinforces our information technology and security policies, standards and practices, and we require that our employees comply with these policies. The security awareness program offers training on how to identify potential cybersecurity risks and protect our resources and information. This training is mandatory for all employees on an annual basis, and it is supplemented by testing initiatives, including periodic phishing tests. We also provide specialized security training for certain employee roles, such as application developers. Finally, our privacy program requires all employees to take periodic awareness training on data privacy. This training includes information about confidentiality and security, as well as responding to unauthorized access to or use of information.
From time to time, we engage third-party service providers to enhance our risk mitigation efforts. For instance, we have routinely engaged an independent cybersecurity advisor to lead a cybersecurity crisis simulation exercise that has been used by our senior leaders to prepare for a possible cyber crisis. In addition, we have engaged: Novacoast, an international cybersecurity company specializing in IT services and software development, to augment our monitoring and detection efforts; Synopsys, Inc., a leader in electronic design automation, to perform our external penetration testing and vulnerability assessment; Recorded Future, one of the world’s largest intelligence companies, and Mandiant, a recognized leader in cyber defense, threat intelligence and incident response services, to provide threat intelligence and analysis services and augment our incident response ability. Our Senior Vice President and Treasurer is responsible for our insurance programs and reviews on a regular basis our insurance policies and assesses whether we have appropriate coverage.
To date, risks from cybersecurity threats have not materially affected us, and we currently do not expect that the risks from cybersecurity threats are reasonably likely to materially affect us, including our business, strategy, results of operations or financial condition. As discussed more fully under “Item 1A – Risk Factors”, the sophistication of cyber threats continues to increase, and the preventative actions we take to reduce the risk of cyber incidents and protect our systems and information may be insufficient. Accordingly, no matter how well designed or implemented our controls are, we will not be able to anticipate all security breaches of these types, including security threats that may result from third parties improperly employing AI technologies, and we may not be able to implement effective preventive measures against such security breaches in a timely manner.
|
Cybersecurity Risk Management Processes Integrated [Flag] | true |
Cybersecurity Risk Management Processes Integrated [Text Block] |
We have developed a robust cyber crisis response plan which provides a documented framework for handling high severity security incidents and facilitates coordination across multiple parts of the company. Our incident response team constantly monitors threat intelligence feeds, handles vulnerability management and responds to incidents. In addition, we routinely perform simulations and drills at technical, management and executive levels.
Internally, we have a security awareness program which includes training that reinforces our information technology and security policies, standards and practices, and we require that our employees comply with these policies. The security awareness program offers training on how to identify potential cybersecurity risks and protect our resources and information. This training is mandatory for all employees on an annual basis, and it is supplemented by testing initiatives, including periodic phishing tests. We also provide specialized security training for certain employee roles, such as application developers. Finally, our privacy program requires all employees to take periodic awareness training on data privacy. This training includes information about confidentiality and security, as well as responding to unauthorized access to or use of information.
|
Cybersecurity Risk Management Third Party Engaged [Flag] | true |
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
Cybersecurity Risk Board of Directors Oversight [Text Block] |
The Audit Committee of the Board of Directors is responsible for the primary oversight of our information security programs, including relating to cybersecurity. The Audit Committee receives regular reports from our Chief Information Security Officer on, among other things, our cyber risks and threats, the status of projects to strengthen our information security systems, assessments of our security program, and our views of the emerging threat landscape. Our Senior Vice President and head of Internal Audit reports directly to the Audit Committee and is responsible for reporting to the Committee on our company-wide enterprise risk assessment, and that assessment also includes an evaluation of cyber risks and threats. The Chair of the Audit Committee reports to the Board on cybersecurity risks and other matters reviewed by the Committee. In addition, the Board receives separate presentations on cybersecurity risk. Furthermore, all Board members are invited to attend each Audit Committee meeting and have access to the materials for each Audit Committee meeting.
As a matter of process, the Audit Committee annually reviews, and recommends to the Board its approval of, our information security policy and information security program. Furthermore, on an annual basis, the Board reviews and discusses our technology strategy and strategic plan.
|
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Audit Committee of the Board of Directors is responsible for the primary oversight of our information security programs, including relating to cybersecurity. |
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] |
Our Chief Information Security Officer is responsible for the day-to-day management of our cybersecurity risks. To ensure robust oversight, we have established a Security Council comprising senior leaders, including our Chief Executive Officer, Chief Operating Officer, Chief Information Security Officer, Chief Financial Officer, General Counsel and Chief Privacy Officer. The Security Council meets on at least a quarterly basis to review cybersecurity and information security matters. The Security Council has primary management oversight responsibility for assessing and managing risks related to information security, fraud, vendor oversight, data protection and privacy, and cybersecurity.
We have a security incident response framework in place. We use this incident response framework as part of the process we employ to keep our management and Board of Directors informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents. The framework is a set of coordinated procedures and tasks that our incident response team, under the direction of the Chief Information Security Officer, executes with the goal of ensuring timely and accurate resolution of cybersecurity incidents. Our cybersecurity framework includes regular compliance assessments with our policies and standards and applicable state and federal statutes and regulations. In addition, we validate compliance with our internal data security controls through the use of security monitoring utilities and internal and external audits.
Our Chief Information Security Officer has extensive experience in the information technology area, with over twenty years of professional experience in the information security area, including as a result of his service as the director of security, a security architect and a software security engineer at companies such as Squarespace, Verizon Media (Oath), Tumblr, Bridgewater Associates and EMC. Our Chief Information Security Officer aims to ensure rigorous oversight and execution of our cybersecurity and information security strategy.
|
Cybersecurity Risk Role of Management [Text Block] |
Our Chief Information Security Officer is responsible for the day-to-day management of our cybersecurity risks. To ensure robust oversight, we have established a Security Council comprising senior leaders, including our Chief Executive Officer, Chief Operating Officer, Chief Information Security Officer, Chief Financial Officer, General Counsel and Chief Privacy Officer. The Security Council meets on at least a quarterly basis to review cybersecurity and information security matters. The Security Council has primary management oversight responsibility for assessing and managing risks related to information security, fraud, vendor oversight, data protection and privacy, and cybersecurity.
We have a security incident response framework in place. We use this incident response framework as part of the process we employ to keep our management and Board of Directors informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents. The framework is a set of coordinated procedures and tasks that our incident response team, under the direction of the Chief Information Security Officer, executes with the goal of ensuring timely and accurate resolution of cybersecurity incidents. Our cybersecurity framework includes regular compliance assessments with our policies and standards and applicable state and federal statutes and regulations. In addition, we validate compliance with our internal data security controls through the use of security monitoring utilities and internal and external audits.
Our Chief Information Security Officer has extensive experience in the information technology area, with over twenty years of professional experience in the information security area, including as a result of his service as the director of security, a security architect and a software security engineer at companies such as Squarespace, Verizon Media (Oath), Tumblr, Bridgewater Associates and EMC. Our Chief Information Security Officer aims to ensure rigorous oversight and execution of our cybersecurity and information security strategy.
|
Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] |
Our Chief Information Security Officer is responsible for the day-to-day management of our cybersecurity risks. To ensure robust oversight, we have established a Security Council comprising senior leaders, including our Chief Executive Officer, Chief Operating Officer, Chief Information Security Officer, Chief Financial Officer, General Counsel and Chief Privacy Officer. The Security Council meets on at least a quarterly basis to review cybersecurity and information security matters. The Security Council has primary management oversight responsibility for assessing and managing risks related to information security, fraud, vendor oversight, data protection and privacy, and cybersecurity.
|
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | Our Chief Information Security Officer has extensive experience in the information technology area, with over twenty years of professional experience in the information security area, including as a result of his service as the director of security, a security architect and a software security engineer at companies such as Squarespace, Verizon Media (Oath), Tumblr, Bridgewater Associates and EMC. |
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | Our Chief Information Security Officer is responsible for the day-to-day management of our cybersecurity risks. To ensure robust oversight, we have established a Security Council comprising senior leaders, including our Chief Executive Officer, Chief Operating Officer, Chief Information Security Officer, Chief Financial Officer, General Counsel and Chief Privacy Officer. |
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |