|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We have a cybersecurity-specific risk assessment process, which helps identify our cybersecurity threat risks by comparing our process to industry standards and best practices standards set by the National Institute of Standards and Technology (“NIST”) and the International Organization for Standardization (“ISO”), as well as by engaging experts to attempt to infiltrate our information systems, as such term is defined in Item 106(a) of Regulation S-K. Our cybersecurity program includes controls designed to identify, protect against, detect, respond to and recover from information and cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, and to provide for the availability of critical data and systems and to maintain regulatory compliance. These controls include the following activities:
a. closely monitor emerging data protection laws and implement changes to our processes designed to comply;
b. conduct annual customer data handling and use requirements training for all our employees;
c. conduct annual cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data;
d. conduct regular phishing email simulations for all employees and all contractors with access to corporate email systems to enhance awareness and responsiveness to such possible threats;
e. through policy, practice and contract (as applicable), require employees, as well as third-parties who provide services on our behalf, to protect customer information and data;
f. run tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies;
g. leverage the NIST and ISO incident handling frameworks to help us identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident; and
h. maintain multiple layers of controls, including embedding security into our technology investments.
We perform periodic internal and third-party assessments to test our cybersecurity controls and regularly evaluate our policies and procedures surrounding our handling and control of personal data and the systems we have in place to help protect us from cybersecurity or personal data breaches, and we perform periodic internal and third-party assessments to test our controls and to help us identify areas for continued focus, improvement, and/or compliance. An example of the assessment we use is the ISO 27001 assessment that was implemented starting in 2020. Our team is continually evaluating our technology vendors and tools to ensure that we are managing evolving threats to the best of our ability.
Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our enterprise risk management program, as well as our cybersecurity-specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third-parties that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate. Finally, all users employed by or contracted to the Company are required to complete annual cybersecurity education and training, which includes identifying suspicious emails, internet threats, telecommunication threats and ransomware.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Breaches of security and viruses in our systems could result in client claims against us and harm to our reputation causing us to incur expenses and/or lose clients” included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K, which disclosure is incorporated by reference herein. Although we maintain cybersecurity insurance to reduce potential financial losses that may stem from cybersecurity incidents, the costs related to cybersecurity threats or disruptions may not be fully insured.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We have a cybersecurity-specific risk assessment process, which helps identify our cybersecurity threat risks by comparing our process to industry standards and best practices standards set by the National Institute of Standards and Technology (“NIST”) and the International Organization for Standardization (“ISO”), as well as by engaging experts to attempt to infiltrate our information systems, as such term is defined in Item 106(a) of Regulation S-K. Our cybersecurity program includes controls designed to identify, protect against, detect, respond to and recover from information and cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, and to provide for the availability of critical data and systems and to maintain regulatory compliance.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The Board of Directors is responsible for exercising oversight of management’s identification of, and planning for, the material risks facing the Company, and we believe our risk management policies and procedures are adequate to ensure that relevant information about cybersecurity risks and incidents is appropriately reported and disclosed. In October 2017, the Board authorized the formation of a Cybersecurity Committee, which is now known as the Governance, Risk & Compliance (“GRC”) Committee. Our cybersecurity risk management processes, which are discussed in greater detail below, are led by the GRC Committee. The GRC Committee is currently comprised of the Chief Technology and Innovation Officer, Chief Financial Officer, General Managers of the business units, Corporate Security Officer, Corporate Privacy Officer, and General Counsel and Corporate Compliance Officer. The GRC Committee generally meets weekly, and has a formal meeting quarterly, to discuss the primary security and compliance-related risks currently facing the Company, including cybersecurity risks. The General Counsel and Corporate Compliance Officer then provides updates to the Board at each regular quarterly meeting. Annually, the full Board participates in cybersecurity training and discusses the internal incident management process with the GRC Committee.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|In October 2020, the Board created the Innovation and Technology Committee to aid the Board in its duties to assess and oversee the management of risks in the areas of information technology, information and data security, cybersecurity, disaster recovery, data privacy and business continuity.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The General Counsel and Corporate Compliance Officer then provides updates to the Board at each regular quarterly meeting.
|Cybersecurity Risk Role of Management [Text Block]
|Our cybersecurity risk management processes, which are discussed in greater detail below, are led by the GRC Committee. The GRC Committee is currently comprised of the Chief Technology and Innovation Officer, Chief Financial Officer, General Managers of the business units, Corporate Security Officer, Corporate Privacy Officer, and General Counsel and Corporate Compliance Officer. The GRC Committee generally meets weekly, and has a formal meeting quarterly, to discuss the primary security and compliance-related risks currently facing the Company, including cybersecurity risks. The General Counsel and Corporate Compliance Officer then provides updates to the Board at each regular quarterly meeting. Annually, the full Board participates in cybersecurity training and discusses the internal incident management process with the GRC Committee.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our cybersecurity risk management processes, which are discussed in greater detail below, are led by the GRC Committee. The GRC Committee is currently comprised of the Chief Technology and Innovation Officer, Chief Financial Officer, General Managers of the business units, Corporate Security Officer, Corporate Privacy Officer, and General Counsel and Corporate Compliance Officer.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Our SOC team members have over 35 years of combined work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs, and developing and overseeing programs and policies related to various areas, including incident response, eDiscovery, forensic investigations, log analysis, malware analysis, risk management, physical security, and enterprise security operations, as well as several relevant degrees and certifications, including Master's degrees in Cybersecurity and Information Assurance, Bachelor's degrees in Information Technology, BS Information Systems and Cybersecurity, Certified Information Systems Security Professional, Certified Ethical Hacker, Computer Hacking Forensic Investigator, A+, Network+, Security+, MS Sentinel, a Degree in forensic science and others being worked on. Prior work experience, knowledge, skills, or background for the SOC team include: law enforcement, DoD contractor work in cybersecurity, heavy involvement in numerous large scale intrusion investigations, published author of an Intrusion Analysis book, presentations at numerous conferences focused on cybersecurity, hundreds of forensic analysis cases, prior employment by other companies as cybersecurity/SOC analysts, and continuous on-the-job training.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The General Counsel and Corporate Compliance Officer then provides updates to the Board at each regular quarterly meeting. Annually, the full Board participates in cybersecurity training and discusses the internal incident management process with the GRC Committee.
In October 2020, the Board created the Innovation and Technology Committee to aid the Board in its duties to assess and oversee the management of risks in the areas of information technology, information and data security, cybersecurity, disaster recovery, data privacy and business continuity. This committee oversees the GRC Committee’s activities relating to information technology and cybersecurity matters, and seeks to enhance communication and coordination of efforts between the Board and management in these areas. The members of the Innovation and Technology Committee monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of and participation in the cybersecurity risk management process described below, including the operation of our incident response plan.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true