|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cybersecurity Risk
Cybersecurity Risk Management and Strategy
We manage cybersecurity risk using a three lines risk management model and governance structure that is integrated into our enterprise-wide Risk Framework with oversight by the Board of Directors and its committees and senior management positions, including our EVP – EO&T and Chief Information Security Officer (who reports to our EVP – EO&T). For additional information on our enterprise Risk Framework, see Risk Management – Overview, Risk Management – Enterprise Risk Framework, and Risk Management – Enterprise Risk Governance Structure. Our cybersecurity program continues to evolve based on the changing needs of our business, the evolving threat landscape, and the evolving legal and regulatory requirements.
Our cybersecurity program is designed to implement a defense in depth strategy. This approach employs overlapping layers of protection at the perimeter, network, platform, application, and data levels with security incident response and identity lifecycle management employed at all levels. This strategy is designed so that if one safeguard fails then additional layers are in place to prevent, detect or mitigate risks from cybersecurity threats. Our key capabilities include solutions designed to protect our perimeter and network, manage our authentication and access, scan to identify vulnerabilities, monitor and respond to suspicious activity and protect our most sensitive data. We validate our capabilities according to the Risk Framework and use third-party vendors and service providers to help enhance our cybersecurity capabilities and to assist us with cybersecurity program assessments and testing. Our cybersecurity program is also designed to align with the National Institute of Standards and Technology 800-53 moderate baseline control framework.
We exercise due diligence over our third parties and service providers, including risk assessments and contractual expectations. However, our control over the security posture of our third-party vendors and service providers and their supply chain connections is limited.
Material Effects from Cybersecurity Incidents
Our operations rely on the secure, accurate and timely receipt, storage, transmission, use, disclosure, and other processing of confidential and other information (including personal information) in our systems and networks. We also rely on the secure, accurate and timely receipt, storage, transmission, use, disclosure, and other processing of confidential and other information (including personal information) in the systems and networks of our customers and third parties, including suppliers, sellers and servicers, financial market utilities, and other third parties. Cybersecurity risks for companies like ours continue to increase. Like many companies and government entities, from time to time we have been, and expect to continue to be, the target of attempted cybersecurity incidents and other information security threats, including those from nation-state and nation-state supported actors. With respect to third parties, there can be no assurance that we can prevent, mitigate, or remediate the risk of any compromise or failure in the systems, networks, and other technology assets owned or controlled by our third parties.
To date, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the company, including our business strategy, results of operations, or financial condition. However, there is no assurance that our cybersecurity risk management program will prevent cybersecurity incidents from having such impacts in the future.
For additional information, see Risk Factors - Operational Risks - Cybersecurity threats are changing rapidly and advancing in sophistication. We may not be able to protect our systems and networks, or the confidentiality of our confidential or other information (including personal information), from cybersecurity incidents and other unauthorized access, disclosure, and disruption.
Cybersecurity Governance
The Board of Directors and two of its committees, the Operations and Technology and Risk Committees, oversee the company's information and cybersecurity operations and risks from cybersecurity threats by receiving periodic reports from our EVP – EO&T, the Chief Information Security Officer, and other members of management.
Management
Our management is responsible for assessing and managing cybersecurity risks by establishing and maintaining processes and programs designed to prevent, detect, respond to, and mitigate potential cybersecurity risks. Senior management is regularly informed by our cybersecurity personnel on cybersecurity matters. Our management also engages in periodic cybersecurity exercises and internal cybersecurity incident simulations, including tabletop exercises relating to cyberattacks, ransomware, and other security events. Escalation of specific incidents from our cybersecurity personnel to senior management follows written, risk-based procedures. Our management periodically reports to the Board of Directors and its committees. These reports include information regarding management's ongoing efforts to manage cybersecurity risk and the steps management has taken towards addressing and mitigating the evolving cybersecurity threat environment. Management discusses cybersecurity developments with the Chairs of the Operations and Technology Committee and the Risk Committee and other Board members between Board and committee meetings, as necessary. Our cybersecurity personnel, and those senior managers who oversee them, including our EVP – EO&T and Chief Information Security Officer, possess demonstrated expertise with cybersecurity matters. For example, our Chief Information Security Officer and members of the Chief Information Security Officer’s leadership team have, on average, over 15 years of work experience in information security or cybersecurity fields and achieved such professional certifications as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Factor Analysis of Information Risk (FAIR). For additional information on the background of our EVP - EO&T, see Directors, Corporate Governance, and Executive Officers - Executive Officers.
Board of Directors
As discussed above, the Operations and Technology Committee and Risk Committee are the committees of the Board of Directors that oversee our cybersecurity risks. Members of the Board of Directors also receive reports from management regarding certain internal and industry-wide trends and exercises relating to these matters to assist with their oversight responsibilities. The company has written, risk-based procedures to escalate information regarding certain cybersecurity incidents to the appropriate Board members in a timely fashion. Board members have also participated in cybersecurity training exercises. Additionally, certain Board members are informed of, and have an opportunity to provide feedback on management's internal cybersecurity incident simulations referenced above. The Board of Directors and its committees also have authority, as they deem appropriate, to fulfill Board or committee responsibilities, to engage outside consultants or advisors, including technology and cybersecurity experts, and oversee the company's information security program. See Directors, Corporate Governance, and Executive Officers - Corporate Governance - Board of Directors and Board Committee Information for additional information on the Board of Directors' committees.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We manage cybersecurity risk using a three lines risk management model and governance structure that is integrated into our enterprise-wide Risk Framework with oversight by the Board of Directors and its committees and senior management positions, including our EVP – EO&T and Chief Information Security Officer (who reports to our EVP – EO&T).
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Cybersecurity Governance
The Board of Directors and two of its committees, the Operations and Technology and Risk Committees, oversee the company's information and cybersecurity operations and risks from cybersecurity threats by receiving periodic reports from our EVP – EO&T, the Chief Information Security Officer, and other members of management.
Management
Our management is responsible for assessing and managing cybersecurity risks by establishing and maintaining processes and programs designed to prevent, detect, respond to, and mitigate potential cybersecurity risks. Senior management is regularly informed by our cybersecurity personnel on cybersecurity matters. Our management also engages in periodic cybersecurity exercises and internal cybersecurity incident simulations, including tabletop exercises relating to cyberattacks, ransomware, and other security events. Escalation of specific incidents from our cybersecurity personnel to senior management follows written, risk-based procedures. Our management periodically reports to the Board of Directors and its committees. These reports include information regarding management's ongoing efforts to manage cybersecurity risk and the steps management has taken towards addressing and mitigating the evolving cybersecurity threat environment. Management discusses cybersecurity developments with the Chairs of the Operations and Technology Committee and the Risk Committee and other Board members between Board and committee meetings, as necessary. Our cybersecurity personnel, and those senior managers who oversee them, including our EVP – EO&T and Chief Information Security Officer, possess demonstrated expertise with cybersecurity matters. For example, our Chief Information Security Officer and members of the Chief Information Security Officer’s leadership team have, on average, over 15 years of work experience in information security or cybersecurity fields and achieved such professional certifications as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Factor Analysis of Information Risk (FAIR). For additional information on the background of our EVP - EO&T, see Directors, Corporate Governance, and Executive Officers - Executive Officers.
Board of Directors
As discussed above, the Operations and Technology Committee and Risk Committee are the committees of the Board of Directors that oversee our cybersecurity risks. Members of the Board of Directors also receive reports from management regarding certain internal and industry-wide trends and exercises relating to these matters to assist with their oversight responsibilities. The company has written, risk-based procedures to escalate information regarding certain cybersecurity incidents to the appropriate Board members in a timely fashion. Board members have also participated in cybersecurity training exercises. Additionally, certain Board members are informed of, and have an opportunity to provide feedback on management's internal cybersecurity incident simulations referenced above. The Board of Directors and its committees also have authority, as they deem appropriate, to fulfill Board or committee responsibilities, to engage outside consultants or advisors, including technology and cybersecurity experts, and oversee the company's information security program. See Directors, Corporate Governance, and Executive Officers - Corporate Governance - Board of Directors and Board Committee Information for additional information on the Board of Directors' committees.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board of Directors and two of its committees, the Operations and Technology and Risk Committees, oversee the company's information and cybersecurity operations and risks from cybersecurity threats by receiving periodic reports from our EVP – EO&T, the Chief Information Security Officer, and other members of management.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our management periodically reports to the Board of Directors and its committees. These reports include information regarding management's ongoing efforts to manage cybersecurity risk and the steps management has taken towards addressing and mitigating the evolving cybersecurity threat environment. Management discusses cybersecurity developments with the Chairs of the Operations and Technology Committee and the Risk Committee and other Board members between Board and committee meetings, as necessary. Members of the Board of Directors also receive reports from management regarding certain internal and industry-wide trends and exercises relating to these matters to assist with their oversight responsibilities. The company has written, risk-based procedures to escalate information regarding certain cybersecurity incidents to the appropriate Board members in a timely fashion. Board members have also participated in cybersecurity training exercises. Additionally, certain Board members are informed of, and have an opportunity to provide feedback on management's internal cybersecurity incident simulations referenced above. The Board of Directors and its committees also have authority, as they deem appropriate, to fulfill Board or committee responsibilities, to engage outside consultants or advisors, including technology and cybersecurity experts, and oversee the company's information security program.
|Cybersecurity Risk Role of Management [Text Block]
|
Management
Our management is responsible for assessing and managing cybersecurity risks by establishing and maintaining processes and programs designed to prevent, detect, respond to, and mitigate potential cybersecurity risks. Senior management is regularly informed by our cybersecurity personnel on cybersecurity matters. Our management also engages in periodic cybersecurity exercises and internal cybersecurity incident simulations, including tabletop exercises relating to cyberattacks, ransomware, and other security events. Escalation of specific incidents from our cybersecurity personnel to senior management follows written, risk-based procedures. Our management periodically reports to the Board of Directors and its committees. These reports include information regarding management's ongoing efforts to manage cybersecurity risk and the steps management has taken towards addressing and mitigating the evolving cybersecurity threat environment. Management discusses cybersecurity developments with the Chairs of the Operations and Technology Committee and the Risk Committee and other Board members between Board and committee meetings, as necessary. Our cybersecurity personnel, and those senior managers who oversee them, including our EVP – EO&T and Chief Information Security Officer, possess demonstrated expertise with cybersecurity matters. For example, our Chief Information Security Officer and members of the Chief Information Security Officer’s leadership team have, on average, over 15 years of work experience in information security or cybersecurity fields and achieved such professional certifications as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Factor Analysis of Information Risk (FAIR). For additional information on the background of our EVP - EO&T, see Directors, Corporate Governance, and Executive Officers - Executive Officers.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our cybersecurity personnel, and those senior managers who oversee them, including our EVP – EO&T and Chief Information Security Officer
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our cybersecurity personnel, and those senior managers who oversee them, including our EVP – EO&T and Chief Information Security Officer, possess demonstrated expertise with cybersecurity matters. For example, our Chief Information Security Officer and members of the Chief Information Security Officer’s leadership team have, on average, over 15 years of work experience in information security or cybersecurity fields and achieved such professional certifications as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Factor Analysis of Information Risk (FAIR).
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Escalation of specific incidents from our cybersecurity personnel to senior management follows written, risk-based procedures.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true