|
Cybersecurity Risk Management, Strategy, and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 1C. CYBERSECURITY.
Cybersecurity Risk Management and Strategy
We recognize the importance of developing, implementing and maintaining the integrity of our information technology systems and safeguarding the personal data and confidential information we receive, process or transmit, and store in any format. We have a cybersecurity risk management program, which we refer to as our information security risk management program, in place designed to assess, identify, and manage material risks from cybersecurity threats to our information, data, or information technology systems utilizing a defense-in-depth security strategy that integrates our staff, technology, and operations to establish various security barriers across multiple layers of our operations. Our information security risk management program is designed to employ industry standard practices across our operations and business functions, including access controls, monitoring and analysis of the threat environment, vulnerability assessments, and third-party cybersecurity risks; resilience through detecting and responding to cybersecurity events, incidents, and data disclosures or breaches, business continuity, and disaster recovery capabilities; and investments in cybersecurity infrastructure and technology needs. Key aspects of our information security risk management program include, but are not limited to, the following:
•
Surveillance controls and technical protective capabilities, including a centralized security incident event management system, or SIEM, continuous threat detection and response monitoring, and full incident response;
•
Routine cybersecurity training for all employees, including social engineering techniques, simulated phishing campaigns, physical access such as tailgating, privacy or handling of sensitive data, and other related topics;
•
Established policies and procedures that govern information security and cybersecurity which apply to all employees and information systems we control;
•
Business continuity, incident response, and disaster recovery procedures, including routine tabletop incident response exercises, disaster recovery tests, unannounced penetration tests, and security control assessments;
•
Network, infrastructure, and application security such as database activity monitoring, encryption, secure file transfer protocols, and application firewalls; and
•
Maintaining cybersecurity insurance covering certain security and privacy damages and claim expenses resulting from cybersecurity incidents (we periodically meet with our insurer to discuss trends in cybersecurity).
We engage third parties in connection with assessing, identifying and managing our cybersecurity risks, including, but not limited to, the following:
•
Incident response expertise to provide intelligence-based cybersecurity solutions and services to assist us with preparing for, investigating, and responding to cybersecurity incidents, including attacks that target on premise, cloud, and critical infrastructure environments;
•
Annual security program assessment of the controls, maturity and performance of our information security risk management program and the information security risks associated with our technology and business systems;
•
External and internal penetration and intrusion testing using industry standard tools and techniques;
•
Compliance assessments with certain information security standards required under some of our federal contracts;
•
Established cadence of reviews, reporting and coordination with government agencies to review cybersecurity metrics, findings and any applicable remediation efforts in accordance with the National Institute of Standards and Technology Cybersecurity Framework, or NIST CSF; and
•
Review processes and procedures designed to control access to information systems as part of our Sarbanes-Oxley Act, or SOX, testing.
In addition to the third parties described above, we regularly engage consultants, advisors, service providers and other third parties to help develop and manage our information security risk management program. Further, our internal audit team conducts annual assessments of our information security risk management program and controls.
To help identify and manage cybersecurity and information security risks associated with our use of third-party service providers, we have implemented processes to assess third-party systems which could be compromised in a manner that adversely impacts us and our technology systems. We conduct diligence of significant third-party service providers who will have access to our data or information technology systems and incorporate certain cybersecurity protections in our engagement contracts with such providers. In addition, we require such third-party service providers to promptly notify us of any actual or suspected breach impacting our data or operations.
Our information security risk management program is designed to, among other things, assess, identify and manage material risks from cybersecurity threats. Cybersecurity risks we face include cyberattacks, computer viruses, malicious or destructive code (such as ransomware), social engineering (including phishing, vishing and smishing), denial of service to information or security breach tactics as well as attacks to our website, financial applications, operational technology, telecommunications and human resources data. Our information security risk management program includes technology and processes designed to maintain active awareness of risks to the security of our information or systems. We do not believe that any risks we have identified to date from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, we cannot ensure that future cybersecurity incidents will not materially affect our business strategy, results of operations or financial condition.
For more information on the Company’s risks associated with cybersecurity threats and incidents, information and security breaches and technology failures, see Part I, Item 1A. Risk Factors - Interruption, delay or failure of the provision of our technology services or information systems, or the compromise of the security thereof, could adversely affect our business, financial condition or results of operations.
Governance
Our information security risk management program is integrated into our overall risk management program. Our BOD has a formalized enterprise risk management program, or ERM Program, which the Risk Committee of the BOD, or Risk Committee, on behalf of the BOD and the Audit Committee of the BOD, oversees. Our ERM Program addresses the identification, prioritization and assessment of a broad range of risks (e.g., cybersecurity, financial, operational, business, reputational, governance and managerial), and the formulation of plans to develop and improve controls for managing these risks or mitigating their effects in an integrated effort involving our BOD, relevant committees of the BOD, management, and other personnel. Our ERM Program is led by our General Counsel and is a component of management’s strategic planning process. Our BOD and Risk Committee have primary oversight responsibility regarding our information security risk management program. Our BOD and Risk Committee each receives regular and frequent updates on cybersecurity and information technology matters from management (including our Chief Information Officer, or CIO) and, periodically, from outside experts. For example, the CIO provides reports to our BOD, Technology Steering Committee and Risk Committee regarding information security risks, as well as plans and strategies to mitigate those risks, on a periodic basis.
In addition, our Enterprise Risk Council, or ERC, is a management-level team comprised of a select group of executive officers, vice presidents, and senior managers overseeing risk, which is responsible for managing enterprise risks and planning and organizing the activities of our organization to minimize the effects of risk on our business, operations and financial results. The ERC is led by our General Counsel and our Managing Director, Litigation & Risk Management. The ERC coordinates enterprise risk management reports to the Risk Committee and/or our BOD. Further, the Risk Committee reviews management’s information security risk management program controls, including management’s assessment of recent information security incidents meeting certain criteria.
We also have a Technology Steering Committee that assists with fulfilling oversight responsibilities of information technology risks, including cybersecurity risks. The Technology Steering Committee is comprised of our executive officers and relevant business leaders from the information security, information technology, legal, human resources, audit, finance, communication and risk functions, and identifies, defines, manages and measures information technology and cybersecurity risks applicable to us on an enterprise level. The Technology Steering Committee meets quarterly, and reviews all cybersecurity risks and incidents meeting certain criteria, and provides oversight with respect to cybersecurity matters at a management level. Further, the Technology Steering Committee reviews management’s information security risk management program controls meeting certain criteria.
Our Technology Cybersecurity Committee is comprised of a subset of our Technology Department, including our CIO. The Technology Cybersecurity Committee meets bi-weekly and reviews all cybersecurity risks and incidents meeting certain criteria, provides oversight with respect to cybersecurity matters at a technology management level, and reports through our CIO to the Technology Steering Committee.
We also maintain a management governance structure for reviewing and approving changes related to new and existing systems, software and infrastructure design. Any new items that would require a material change must be reviewed and approved by our architecture review board, or ARB. Non-material changes are governed by the change advisory board, or CAB. The ARB and CAB each meet on a weekly basis and take security impacts into consideration during the decision-making process. All changes, whether approved or rejected, are formally documented in our information technology service management system.
As mentioned above, our SIEM tool monitors threat detection and response continuously. Identified threats create alerts which are monitored and addressed by our information technology team in accordance with internal policies, industry standard practices, and regulatory requirements. Audit logs of external security threats are reviewed weekly as part of general event threat intelligence monitoring procedures. Other ongoing monitoring includes data from our information services team, which maintains an audit trail to detect risks in areas such as unauthorized local connections, network use and remote connections. Vulnerability scans are performed frequently and are supplemented on an ad-hoc basis for specific threats or to test patch status.
Our Sr. Director, Information Security and Privacy Compliance, prepares an incident summary and collaborates with the CIO to conduct an initial assessment of information and cybersecurity incidents. They perform an impact assessment with respect to information or cybersecurity incidents meeting certain criteria and elevate the review of any such information or cybersecurity incidents for review by our executive officers.
Cybersecurity incidents meeting certain criteria are escalated to our Disclosure Committee for SEC disclosure consideration. The materiality of any cybersecurity incident is ultimately evaluated and determined by our Disclosure Committee in collaboration with our CIO. Our Disclosure Committee is comprised of our executive officers, our CIO, our Chief Ethics and Compliance Officer, and relevant business leaders from our finance and legal departments. The Disclosure Committee is presented with a detailed overview of the cybersecurity incident by the CIO. The Disclosure Committee then evaluates the cybersecurity incident and its potential materiality based on SEC guidance and by considering relevant quantitative and qualitative factors.
We have also adopted a cybersecurity incident response plan which provides for controls and procedures in connection with cybersecurity incidents, including these escalation procedures.
At a management level, our information security risk management program is led by our CIO, along with our Sr. Director, Information Security and Privacy Compliance. As of the date of this Annual Report, our Technology Department, led by our CIO, along with our Sr. Director, Information Security and Privacy Compliance, is comprised of nearly 100 technology professionals, with currently 11 of such technology professionals exclusively dedicated to cybersecurity. These security professionals have an average information security/cybersecurity tenure of 6 years and over 30 active certifications from ISC2, ISACA, CompTIA and other industry certification leaders including certifications such as CISSP, CISM, Security+, and CEH, among other advanced Cybersecurity and Technology degrees, tool and process specific certifications, and cybersecurity related work experience. Our Technology Department stays current on cybersecurity issues and trends through continuing education activities such as conferences and participating in webinars, maintaining continuous education requirements for certification bodies, as well as through the monitoring of security and vendor feeds on cybersecurity trends and threats.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We recognize the importance of developing, implementing and maintaining the integrity of our information technology systems and safeguarding the personal data and confidential information we receive, process or transmit, and store in any format. We have a cybersecurity risk management program, which we refer to as our information security risk management program, in place designed to assess, identify, and manage material risks from cybersecurity threats to our information, data, or information technology systems utilizing a defense-in-depth security strategy that integrates our staff, technology, and operations to establish various security barriers across multiple layers of our operations. Our information security risk management program is designed to employ industry standard practices across our operations and business functions, including access controls, monitoring and analysis of the threat environment, vulnerability assessments, and third-party cybersecurity risks; resilience through detecting and responding to cybersecurity events, incidents, and data disclosures or breaches, business continuity, and disaster recovery capabilities; and investments in cybersecurity infrastructure and technology needs
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our information security risk management program is integrated into our overall risk management program. Our BOD has a formalized enterprise risk management program, or ERM Program, which the Risk Committee of the BOD, or Risk Committee, on behalf of the BOD and the Audit Committee of the BOD, oversees. Our ERM Program addresses the identification, prioritization and assessment of a broad range of risks (e.g., cybersecurity, financial, operational, business, reputational, governance and managerial), and the formulation of plans to develop and improve controls for managing these risks or mitigating their effects in an integrated effort involving our BOD, relevant committees of the BOD, management, and other personnel. Our ERM Program is led by our General Counsel and is a component of management’s strategic planning process. Our BOD and Risk Committee have primary oversight responsibility regarding our information security risk management program. Our BOD and Risk Committee each receives regular and frequent updates on cybersecurity and information technology matters from management (including our Chief Information Officer, or CIO) and, periodically, from outside experts. For example, the CIO provides reports to our BOD, Technology Steering Committee and Risk Committee regarding information security risks, as well as plans and strategies to mitigate those risks, on a periodic basis.
In addition, our Enterprise Risk Council, or ERC, is a management-level team comprised of a select group of executive officers, vice presidents, and senior managers overseeing risk, which is responsible for managing enterprise risks and planning and organizing the activities of our organization to minimize the effects of risk on our business, operations and financial results. The ERC is led by our General Counsel and our Managing Director, Litigation & Risk Management. The ERC coordinates enterprise risk management reports to the Risk Committee and/or our BOD. Further, the Risk Committee reviews management’s information security risk management program controls, including management’s assessment of recent information security incidents meeting certain criteria.
We also have a Technology Steering Committee that assists with fulfilling oversight responsibilities of information technology risks, including cybersecurity risks. The Technology Steering Committee is comprised of our executive officers and relevant business leaders from the information security, information technology, legal, human resources, audit, finance, communication and risk functions, and identifies, defines, manages and measures information technology and cybersecurity risks applicable to us on an enterprise level. The Technology Steering Committee meets quarterly, and reviews all cybersecurity risks and incidents meeting certain criteria, and provides oversight with respect to cybersecurity matters at a management level. Further, the Technology Steering Committee reviews management’s information security risk management program controls meeting certain criteria.
Our Technology Cybersecurity Committee is comprised of a subset of our Technology Department, including our CIO. The Technology Cybersecurity Committee meets bi-weekly and reviews all cybersecurity risks and incidents meeting certain criteria, provides oversight with respect to cybersecurity matters at a technology management level, and reports through our CIO to the Technology Steering Committee.
We also maintain a management governance structure for reviewing and approving changes related to new and existing systems, software and infrastructure design. Any new items that would require a material change must be reviewed and approved by our architecture review board, or ARB. Non-material changes are governed by the change advisory board, or CAB. The ARB and CAB each meet on a weekly basis and take security impacts into consideration during the decision-making process. All changes, whether approved or rejected, are formally documented in our information technology service management system.
As mentioned above, our SIEM tool monitors threat detection and response continuously. Identified threats create alerts which are monitored and addressed by our information technology team in accordance with internal policies, industry standard practices, and regulatory requirements. Audit logs of external security threats are reviewed weekly as part of general event threat intelligence monitoring procedures. Other ongoing monitoring includes data from our information services team, which maintains an audit trail to detect risks in areas such as unauthorized local connections, network use and remote connections. Vulnerability scans are performed frequently and are supplemented on an ad-hoc basis for specific threats or to test patch status.
Our Sr. Director, Information Security and Privacy Compliance, prepares an incident summary and collaborates with the CIO to conduct an initial assessment of information and cybersecurity incidents. They perform an impact assessment with respect to information or cybersecurity incidents meeting certain criteria and elevate the review of any such information or cybersecurity incidents for review by our executive officers.
Cybersecurity incidents meeting certain criteria are escalated to our Disclosure Committee for SEC disclosure consideration. The materiality of any cybersecurity incident is ultimately evaluated and determined by our Disclosure Committee in collaboration with our CIO. Our Disclosure Committee is comprised of our executive officers, our CIO, our Chief Ethics and Compliance Officer, and relevant business leaders from our finance and legal departments. The Disclosure Committee is presented with a detailed overview of the cybersecurity incident by the CIO. The Disclosure Committee then evaluates the cybersecurity incident and its potential materiality based on SEC guidance and by considering relevant quantitative and qualitative factors.
We have also adopted a cybersecurity incident response plan which provides for controls and procedures in connection with cybersecurity incidents, including these escalation procedures.
At a management level, our information security risk management program is led by our CIO, along with our Sr. Director, Information Security and Privacy Compliance. As of the date of this Annual Report, our Technology Department, led by our CIO, along with our Sr. Director, Information Security and Privacy Compliance, is comprised of nearly 100 technology professionals, with currently 11 of such technology professionals exclusively dedicated to cybersecurity. These security professionals have an average information security/cybersecurity tenure of 6 years and over 30 active certifications from ISC2, ISACA, CompTIA and other industry certification leaders including certifications such as CISSP, CISM, Security+, and CEH, among other advanced Cybersecurity and Technology degrees, tool and process specific certifications, and cybersecurity related work experience. Our Technology Department stays current on cybersecurity issues and trends through continuing education activities such as conferences and participating in webinars, maintaining continuous education requirements for certification bodies, as well as through the monitoring of security and vendor feeds on cybersecurity trends and threats.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our BOD has a formalized enterprise risk management program, or ERM Program, which the Risk Committee of the BOD, or Risk Committee, on behalf of the BOD and the Audit Committee of the BOD, oversees.Our BOD and Risk Committee have primary oversight responsibility regarding our information security risk management program
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our BOD and Risk Committee each receives regular and frequent updates on cybersecurity and information technology matters from management (including our Chief Information Officer, or CIO) and, periodically, from outside experts. For example, the CIO provides reports to our BOD, Technology Steering Committee and Risk Committee regarding information security risks, as well as plans and strategies to mitigate those risks, on a periodic basis.The Technology Steering Committee meets quarterly, and reviews all cybersecurity risks and incidents meeting certain criteria, and provides oversight with respect to cybersecurity matters at a management levelThe Technology Cybersecurity Committee meets bi-weekly and reviews all cybersecurity risks and incidents meeting certain criteria, provides oversight with respect to cybersecurity matters at a technology management level, and reports through our CIO to the Technology Steering Committee
|Cybersecurity Risk Role of Management [Text Block]
|our Enterprise Risk Council, or ERC, is a management-level team comprised of a select group of executive officers, vice presidents, and senior managers overseeing risk, which is responsible for managing enterprise risks and planning and organizing the activities of our organization to minimize the effects of risk on our business, operations and financial results. The ERC is led by our General Counsel and our Managing Director, Litigation & Risk Management. The ERC coordinates enterprise risk management reports to the Risk Committee and/or our BOD. Further, the Risk Committee reviews management’s information security risk management program controls, including management’s assessment of recent information security incidents meeting certain criteria.
We also have a Technology Steering Committee that assists with fulfilling oversight responsibilities of information technology risks, including cybersecurity risks. The Technology Steering Committee is comprised of our executive officers and relevant business leaders from the information security, information technology, legal, human resources, audit, finance, communication and risk functions, and identifies, defines, manages and measures information technology and cybersecurity risks applicable to us on an enterprise level. The Technology Steering Committee meets quarterly, and reviews all cybersecurity risks and incidents meeting certain criteria, and provides oversight with respect to cybersecurity matters at a management level. Further, the Technology Steering Committee reviews management’s information security risk management program controls meeting certain criteria.
Our Technology Cybersecurity Committee is comprised of a subset of our Technology Department, including our CIO. The Technology Cybersecurity Committee meets bi-weekly and reviews all cybersecurity risks and incidents meeting certain criteria, provides oversight with respect to cybersecurity matters at a technology management level, and reports through our CIO to the Technology Steering Committee.
We also maintain a management governance structure for reviewing and approving changes related to new and existing systems, software and infrastructure design. Any new items that would require a material change must be reviewed and approved by our architecture review board, or ARB. Non-material changes are governed by the change advisory board, or CAB. The ARB and CAB each meet on a weekly basis and take security impacts into consideration during the decision-making process. All changes, whether approved or rejected, are formally documented in our information technology service management system.
As mentioned above, our SIEM tool monitors threat detection and response continuously. Identified threats create alerts which are monitored and addressed by our information technology team in accordance with internal policies, industry standard practices, and regulatory requirements. Audit logs of external security threats are reviewed weekly as part of general event threat intelligence monitoring procedures. Other ongoing monitoring includes data from our information services team, which maintains an audit trail to detect risks in areas such as unauthorized local connections, network use and remote connections. Vulnerability scans are performed frequently and are supplemented on an ad-hoc basis for specific threats or to test patch status.
Our Sr. Director, Information Security and Privacy Compliance, prepares an incident summary and collaborates with the CIO to conduct an initial assessment of information and cybersecurity incidents. They perform an impact assessment with respect to information or cybersecurity incidents meeting certain criteria and elevate the review of any such information or cybersecurity incidents for review by our executive officers.
Cybersecurity incidents meeting certain criteria are escalated to our Disclosure Committee for SEC disclosure consideration. The materiality of any cybersecurity incident is ultimately evaluated and determined by our Disclosure Committee in collaboration with our CIO. Our Disclosure Committee is comprised of our executive officers, our CIO, our Chief Ethics and Compliance Officer, and relevant business leaders from our finance and legal departments. The Disclosure Committee is presented with a detailed overview of the cybersecurity incident by the CIO. The Disclosure Committee then evaluates the cybersecurity incident and its potential materiality based on SEC guidance and by considering relevant quantitative and qualitative factors.
We have also adopted a cybersecurity incident response plan which provides for controls and procedures in connection with cybersecurity incidents, including these escalation procedures.
At a management level, our information security risk management program is led by our CIO, along with our Sr. Director, Information Security and Privacy Compliance. As of the date of this Annual Report, our Technology Department, led by our CIO, along with our Sr. Director, Information Security and Privacy Compliance, is comprised of nearly 100 technology professionals, with currently 11 of such technology professionals exclusively dedicated to cybersecurity. These security professionals have an average information security/cybersecurity tenure of 6 years and over 30 active certifications from ISC2, ISACA, CompTIA and other industry certification leaders including certifications such as CISSP, CISM, Security+, and CEH, among other advanced Cybersecurity and Technology degrees, tool and process specific certifications, and cybersecurity related work experience. Our Technology Department stays current on cybersecurity issues and trends through continuing education activities such as conferences and participating in webinars, maintaining continuous education requirements for certification bodies, as well as through the monitoring of security and vendor feeds on cybersecurity trends and threats.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|our Enterprise Risk Council, or ERC, is a management-level team comprised of a select group of executive officers, vice presidents, and senior managers overseeing risk, which is responsible for managing enterprise risks and planning and organizing the activities of our organization to minimize the effects of risk on our business, operations and financial results. The ERC is led by our General Counsel and our Managing Director, Litigation & Risk Management. The ERC coordinates enterprise risk management reports to the Risk Committee and/or our BOD. Further, the Risk Committee reviews management’s information security risk management program controls, including management’s assessment of recent information security incidents meeting certain criteria.We also have a Technology Steering Committee that assists with fulfilling oversight responsibilities of information technology risks, including cybersecurity risks. The Technology Steering Committee is comprised of our executive officers and relevant business leaders from the information security, information technology, legal, human resources, audit, finance, communication and risk functions, and identifies, defines, manages and measures information technology and cybersecurity risks applicable to us on an enterprise level.Our Technology Cybersecurity Committee is comprised of a subset of our Technology Department, including our CIO.Cybersecurity incidents meeting certain criteria are escalated to our Disclosure Committee for SEC disclosure consideration. The materiality of any cybersecurity incident is ultimately evaluated and determined by our Disclosure Committee in collaboration with our CIOAt a management level, our information security risk management program is led by our CIO, along with our Sr. Director, Information Security and Privacy Compliance. As of the date of this Annual Report, our Technology Department, led by our CIO, along with our Sr. Director, Information Security and Privacy Compliance, is comprised of nearly 100 technology professionals, with currently 11 of such technology professionals exclusively dedicated to cybersecurity.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|our Technology Department, led by our CIO, along with our Sr. Director, Information Security and Privacy Compliance, is comprised of nearly 100 technology professionals, with currently 11 of such technology professionals exclusively dedicated to cybersecurity. These security professionals have an average information security/cybersecurity tenure of 6 years and over 30 active certifications from ISC2, ISACA, CompTIA and other industry certification leaders including certifications such as CISSP, CISM, Security+, and CEH, among other advanced Cybersecurity and Technology degrees, tool and process specific certifications, and cybersecurity related work experience. Our Technology Department stays current on cybersecurity issues and trends through continuing education activities such as conferences and participating in webinars, maintaining continuous education requirements for certification bodies, as well as through the monitoring of security and vendor feeds on cybersecurity trends and threats.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|ERC, is a management-level team comprised of a select group of executive officers, vice presidents, and senior managers overseeing risk, which is responsible for managing enterprise risks and planning and organizing the activities of our organization to minimize the effects of risk on our business, operations and financial resultsour SIEM tool monitors threat detection and response continuously. Identified threats create alerts which are monitored and addressed by our information technology team in accordance with internal policies, industry standard practices, and regulatory requirementsOur Disclosure Committee is comprised of our executive officers, our CIO, our Chief Ethics and Compliance Officer, and relevant business leaders from our finance and legal departments. The Disclosure Committee is presented with a detailed overview of the cybersecurity incident by the CIO. The Disclosure Committee then evaluates the cybersecurity incident and its potential materiality based on SEC guidance and by considering relevant quantitative and qualitative factors.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef