|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
As part of our enterprise risk management, we maintain a comprehensive cybersecurity program that proactively monitors, assesses, identifies, mitigates and responds to cybersecurity threats, including threats relating to disruption of business operations or financial reporting systems, intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws and other litigation and legal and reputational risks, and that emphasizes governance and compliance. Our cybersecurity program and related cybersecurity policies are reviewed annually.
Risk Management and Strategy
As part of our risk management strategy, we maintain an insurance policy to cover cybersecurity incidents.
CoreSite maintains several certifications related to cybersecurity processes for nearly all of its data center facilities, including: (i) System and Organization Controls (SOC) 1 Type 2 examination; (ii) SOC 2 Type 2 examination; (iii) International Organization for Standardization (ISO/IEC 27001); (iv) National Institute of Standards and Technology Publication Series 800-53 (NIST 800-53) attestation based on the high-impact baseline controls and additional Federal Risk and Authorization Management Program (FedRAMP) requirements for a subset of control families applicable to colocation services; (v) Payment Card Industry Data Security Standard (PCI DSS) validation; and (vi) Health Insurance Portability and Accountability Act (HIPAA) attestation for the HIPAA Security Rule and the Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification requirements.
Our cybersecurity awareness program provides training for all global employees at onboarding and subsequently three times every year. In 2024, across our organization, employees completed over 8,943 training classes related to cybersecurity. Additionally, in 2024, to elevate cybersecurity awareness, we also conducted live training as part of our Employee Development program, sent monthly phishing tips to all employees and provided weekly communications during October, which is cybersecurity awareness month.
Operationally, we, along with CoreSite, each perform periodic penetration testing to identify weaknesses in systems and networks so that they can be addressed appropriately. At least once per year, we also engage an outside cybersecurity firm to perform independent testing. Our vulnerability management program is in place to adequately identify, classify, prioritize and remediate vulnerabilities affecting assets. Our security operations program monitors our systems and networks, and is responsible for investigating, responding to, and reporting any potential security incidents in a timely manner. Our Incident Response Plan includes steps to determine materiality of any such incident and escalate matters to the Board and our employees are regularly trained on the plan. We conduct an incident response exercise at least annually to ensure a timely, consistent and compliant response. In 2024, we performed an IT-focused tabletop exercise which simulated multiple types of cybersecurity incidents, including (a) compromised credentials, (b) brute force attack, (c) uncleaned malware and (d) ransomware. This tabletop exercise was facilitated by a third-party.
Our cybersecurity risk management processes extend to the oversight and identification of threats associated with our use of third-party vendors and service providers. We have in place a Third-Party Cybersecurity Risk Management program to assess the cybersecurity practices of third-party vendors and service providers with access to our and CoreSite’s systems or information.
We have not been materially impacted by any cybersecurity threats or prior cybersecurity incidents, including with respect to our business strategy, results of operations or financial condition. However, we cannot provide assurance that we will not be materially affected in the future by such risks, threats or any future material incidents. See “Risk Factors” in Item 1A of this Annual Report on Form 10-K for more information on our cybersecurity-related risks.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|As part of our enterprise risk management, we maintain a comprehensive cybersecurity program that proactively monitors, assesses, identifies, mitigates and responds to cybersecurity threats, including threats relating to disruption of business operations or financial reporting systems, intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws and other litigation and legal and reputational risks, and that emphasizes governance and compliance.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board of Directors
Our cybersecurity program is overseen by the independent Audit Committee of our Board. Our Chief Information Security Officer (“CISO”) presents a quarterly report of cybersecurity updates to the Audit Committee. Each quarter, the Board receives a report from the Audit Committee chair on items covered during that quarter’s meeting. In 2024, the topics included, among other items, our focus on cybersecurity resilience, new cybersecurity initiatives and our approach to responsible use of artificial intelligence. Our Board's and Audit Committee’s inputs are key components in the development of our long-term cybersecurity strategy, aligning the program’s goals within our risk tolerance.In addition, a periodic cybersecurity risk assessment is completed with an external third party to provide us with a more complete view of our cybersecurity risk. We retain a prominent cybersecurity consulting firm to assist with, and advise on, our cybersecurity and incident response program. We engage on a quarterly basis with our internal auditors on matters regarding cybersecurity and maintain a robust control environment, in compliance with the Sarbanes-Oxley Act of 2002, as amended, that includes controls to protect the confidentiality, integrity and availability our data.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our cybersecurity program is overseen by the independent Audit Committee of our Board.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Each quarter, the Board receives a report from the Audit Committee chair on items covered during that quarter’s meeting. In 2024, the topics included, among other items, our focus on cybersecurity resilience, new cybersecurity initiatives and our approach to responsible use of artificial intelligence. Our Board's and Audit Committee’s inputs are key components in the development of our long-term cybersecurity strategy, aligning the program’s goals within our risk tolerance.
|Cybersecurity Risk Role of Management [Text Block]
|
We, along with CoreSite, our data centers operations subsidiary, each maintain a management information security steering committee. We maintain two steering committees because of the distinct nature of CoreSite’s business. Each committee works in collaboration with the other, including through the overlap of certain key steering committee members. Each committee meets quarterly. These committees provide direction and support for our and CoreSite’s security initiatives and review operational metrics.Our steering committee includes our CISO, our Chief Information Officer, our Senior Vice President and Chief Security Officer, our Senior Vice President, Internal Audit, our Chief Technology Officer, our Vice President, Corporate Legal, CoreSite’s Senior Vice President of IT & Digitization and CoreSite’s Vice President of Information Security and IT Infrastructure.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our steering committee includes our CISO, our Chief Information Officer, our Senior Vice President and Chief Security Officer, our Senior Vice President, Internal Audit, our Chief Technology Officer, our Vice President, Corporate Legal, CoreSite’s Senior Vice President of IT & Digitization and CoreSite’s Vice President of Information Security and IT Infrastructure.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO has held information security and IT leadership positions across large organizations for eight years, which included overseeing governance and compliance programs. Our Chief Information Officer has held IT leadership positions across large, multi-national companies for nearly three decades, where he has overseen cybersecurity programs. Our Chief Security Officer heads our converged physical and information security team and has over 26 years of experience in the corporate security, crisis management, and security consulting industries, including as head of global security for a major mining company and through leadership positions in several international risk consultancies. Our Senior Vice President, Internal Audit, has over 30 years of international finance leadership experience and heads our Internal Audit function, including the evaluation of risk and vulnerabilities for both physical and system assets and the testing of related controls. Our Chief Technology Officer has over 30 years of experience in the technology space, including leadership roles with wireless carriers
and chip manufacturers, where cybersecurity was critical to the delivery of secure solutions. Our Vice President, Corporate Legal also serves as our lead Privacy Officer and is a lawyer who has led our privacy program since its inception. CoreSite’s Senior Vice President of IT & Digitization has led CoreSite’s IT function for over 5 years, including having responsibility for securing the business’s cybersecurity environment. CoreSite’s Vice President of Information Security and IT Infrastructure has over 25 years of experience building secure IT solutions across large network and data center environments and has been responsible for the day-to-day operation of CoreSite’s business-critical IT environment since 2015.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our Chief Information Security Officer (“CISO”) presents a quarterly report of cybersecurity updates to the Audit Committee. Each quarter, the Board receives a report from the Audit Committee chair on items covered during that quarter’s meeting.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef