|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We recognize the importance of maintaining the trust and confidence of our customers, business partners, and employees, and cybersecurity represents an important component of our overall approach to enterprise risk management. Our approach to cybersecurity risk management is aligned with our risk profile and business, and includes efforts towards meeting the standards for an organization of our size and type in conjunction with the National Institute of Standards and Technology. We also utilize a third-party IT vendor to manage the technological security and efficacy of our systems, including a Virtual Chief Information Officer, a Virtual Chief Information Security Officer, and other IT specialists who manage our IT and cybersecurity needs. In April 2024, the Company engaged the services of a cybersecurity company that works in conjunction with our managed IT vendor to provide additional cybersecurity management.
Our cybersecurity risk management is designed to employ technology and security practices across our operations and business functions, including vulnerability assessments, detecting and responding to cybersecurity incidents, cybersecurity crisis preparedness and incident response resources, vulnerability scans and IT security risk assessments, and progressive investments in cybersecurity infrastructure and technology designed to reduce cybersecurity risks. Notable aspects of our cybersecurity risk management include:
We intend to continue to leverage the support of third-party information technology and security providers, including to perform risk assessments designed to identify, assess, and manage cybersecurity risks. We assess on an ad-hoc basis the data protection practices of certain of our third-party vendors who handle our data, which assessments include the assessment of vendor data protection policies, disclosure of changes to data protection policies or practices, maintenance of cyber liability insurance, and provision of certifications, assessments, or other documentation as deemed relevant.
As of the date of this annual report, we maintain cyber liability insurance that provides cyber incident response coverage. However, costs, damages, and remediation associated with cybersecurity incidents may not be adequately insured under our insurance policy and may be subject to applicable deductibles, to the extent that they are covered. See also “We cannot assure that we can maintain cyber liability insurance coverage and we could be subject to uninsured liabilities.” in Item 1A, Risk Factors, of this annual report for additional discussion of risks related to our cyber liability insurance.
As previously disclosed, in fiscal year 2023, Fortra, LLC, the third-party vendor that provides the GoAnywhere managed file transfer as a service system (MFTaaS), experienced a data security incident that affected many of Fortra’s customers, including us. We use GoAnywhere as a means by which our customers electronically share certain data regarding their employees and other third parties with us. Our understanding is that this activity was the result of the threat actor’s exploit of a zero-day vulnerability in Fortra’s systems. Based on the information we have obtained from Fortra and our own diligence, we understand that this activity only affected Fortra’s systems, and did not involve unauthorized access to our information systems. However, the threat actor in this incident accessed certain of our customers’ employees’ and other third parties’ data and such data included protected health information, as defined by the Health Insurance Portability and Accountability Act, and personally identifiable information. We engaged outside experts to assist in investigating and responding to this incident and have provided the required notifications to the data owners, and where appropriate, to the individuals affected by the incident and to various State Attorneys General.
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We recognize the importance of maintaining the trust and confidence of our customers, business partners, and employees, and cybersecurity represents an important component of our overall approach to enterprise risk management. Our approach to cybersecurity risk management is aligned with our risk profile and business, and includes efforts towards meeting the standards for an organization of our size and type in conjunction with the National Institute of Standards and Technology. We also utilize a third-party IT vendor to manage the technological security and efficacy of our systems, including a Virtual Chief Information Officer, a Virtual Chief Information Security Officer, and other IT specialists who manage our IT and cybersecurity needs. In April 2024, the Company engaged the services of a cybersecurity company that works in conjunction with our managed IT vendor to provide additional cybersecurity management.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our entire board of directors is responsible for the strategic leadership and direction of our cybersecurity program and has oversight over cybersecurity risks. Our management may provide periodic presentations to the board on our cybersecurity program, including updates on cybersecurity risks, strategy and incident management, as applicable. Our cybersecurity risk management is also administrated at a management level through a multi-disciplinary Technology Business Review Committee comprised of members of our operational and organizational management, as well as our outsourced Virtual Chief Information Officer. The Technology Business Review Committee is tasked with identifying and monitoring what we believe to be the key technology risks currently facing the Company, including cybersecurity risks. The committee meets on at least a quarterly basis and on an as-needed basis to address risks, regulatory requirements, potential threats, vulnerabilities, available mitigation strategies and technologies, operational imperatives and changes, and progress updates on relevant projects related to our IT and cybersecurity.
In addition, we undergo an annual IT risk assessment reviewed by a third-party IT vendor, with significant or actionable findings reported to the Technology Business Review Committee. The annual IT risk assessment identifies our risk status on various IT security metrics and prioritizes remediation, external vulnerability scan results, patching reports, dark web status, and personnel IT security training reports. This annual third-party review helps further monitor and inform our Technology Business Review Committee’s work and our cybersecurity risk management and strategy.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our entire board of directors is responsible for the strategic leadership and direction of our cybersecurity program and has oversight over cybersecurity risks. Our management may provide periodic presentations to the board on our cybersecurity program, including updates on cybersecurity risks, strategy and incident management, as applicable. Our cybersecurity risk management is also administrated at a management level through a multi-disciplinary Technology Business Review Committee comprised of members of our operational and organizational management, as well as our outsourced Virtual Chief Information Officer. The Technology Business Review Committee is tasked with identifying and monitoring what we believe to be the key technology risks currently facing the Company, including cybersecurity risks. The committee meets on at least a quarterly basis and on an as-needed basis to address risks, regulatory requirements, potential threats, vulnerabilities, available mitigation strategies and technologies, operational imperatives and changes, and progress updates on relevant projects related to our IT and cybersecurity.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our entire board of directors is responsible for the strategic leadership and direction of our cybersecurity program and has oversight over cybersecurity risks. Our management may provide periodic presentations to the board on our cybersecurity program, including updates on cybersecurity risks, strategy and incident management, as applicable. Our cybersecurity risk management is also administrated at a management level through a multi-disciplinary Technology Business Review Committee comprised of members of our operational and organizational management, as well as our outsourced Virtual Chief Information Officer. The Technology Business Review Committee is tasked with identifying and monitoring what we believe to be the key technology risks currently facing the Company, including cybersecurity risks. The committee meets on at least a quarterly basis and on an as-needed basis to address risks, regulatory requirements, potential threats, vulnerabilities, available mitigation strategies and technologies, operational imperatives and changes, and progress updates on relevant projects related to our IT and cybersecurity.
|Cybersecurity Risk Role of Management [Text Block]
|
Our entire board of directors is responsible for the strategic leadership and direction of our cybersecurity program and has oversight over cybersecurity risks. Our management may provide periodic presentations to the board on our cybersecurity program, including updates on cybersecurity risks, strategy and incident management, as applicable. Our cybersecurity risk management is also administrated at a management level through a multi-disciplinary Technology Business Review Committee comprised of members of our operational and organizational management, as well as our outsourced Virtual Chief Information Officer. The Technology Business Review Committee is tasked with identifying and monitoring what we believe to be the key technology risks currently facing the Company, including cybersecurity risks. The committee meets on at least a quarterly basis and on an as-needed basis to address risks, regulatory requirements, potential threats, vulnerabilities, available mitigation strategies and technologies, operational imperatives and changes, and progress updates on relevant projects related to our IT and cybersecurity.
In addition, we undergo an annual IT risk assessment reviewed by a third-party IT vendor, with significant or actionable findings reported to the Technology Business Review Committee. The annual IT risk assessment identifies our risk status on various IT security metrics and prioritizes remediation, external vulnerability scan results, patching reports, dark web status, and personnel IT security training reports. This annual third-party review helps further monitor and inform our Technology Business Review Committee’s work and our cybersecurity risk management and strategy.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our entire board of directors is responsible for the strategic leadership and direction of our cybersecurity program and has oversight over cybersecurity risks. Our management may provide periodic presentations to the board on our cybersecurity program, including updates on cybersecurity risks, strategy and incident management, as applicable. Our cybersecurity risk management is also administrated at a management level through a multi-disciplinary Technology Business Review Committee comprised of members of our operational and organizational management, as well as our outsourced Virtual Chief Information Officer. The Technology Business Review Committee is tasked with identifying and monitoring what we believe to be the key technology risks currently facing the Company, including cybersecurity risks.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
In addition, we undergo an annual IT risk assessment reviewed by a third-party IT vendor, with significant or actionable findings reported to the Technology Business Review Committee. The annual IT risk assessment identifies our risk status on various IT security metrics and prioritizes remediation, external vulnerability scan results, patching reports, dark web status, and personnel IT security training reports. This annual third-party review helps further monitor and inform our Technology Business Review Committee’s work and our cybersecurity risk management and strategy.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|In addition, we undergo an annual IT risk assessment reviewed by a third-party IT vendor, with significant or actionable findings reported to the Technology Business Review Committee. The annual IT risk assessment identifies our risk status on various IT security metrics and prioritizes remediation, external vulnerability scan results, patching reports, dark web status, and personnel IT security training reports.