XML 66 R40.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
The Company’s information risk management program is designed to protect the confidentiality of nonpublic, sensitive information and the integrity and availability of our information systems. The program includes policies and procedures that identify how security measures and controls are developed, implemented, and maintained. We have designed our enterprise-wide information security program consistent with industry standards using the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Risk assessment, risk-based analysis, and judgment are used to select security controls to address risks. Information about cybersecurity risks and our risk management processes is collected, analyzed and considered as part of our overall enterprise risk management program.
Key components of our cybersecurity risk management program include:
risk assessments designed to help identify cybersecurity risks to our critical systems, information, and services.
a security team principally responsible for managing (1) our cybersecurity policies & risk assessment processes, (2) security architecture and engineering, (3) identifying vulnerabilities, managing remediation, and testing of our security controls, and (4) our cybersecurity monitoring & incident response.
the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security processes.
managing a cybersecurity awareness and training program that covers employees and contractors who access internal systems.
a cybersecurity incident response plan that includes procedures for responding to various types of cybersecurity incidents and tested through periodic tabletop exercises.
a third-party security risk assessment team, which is involved with identifying, assessing, and controlling risks that occur due to interactions with third parties including vendors and procurement.
restricted physical access to critical areas, servers, and network equipment.
support of our business continuity and disaster response plans.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
The Company’s information risk management program is designed to protect the confidentiality of nonpublic, sensitive information and the integrity and availability of our information systems. The program includes policies and procedures that identify how security measures and controls are developed, implemented, and maintained. We have designed our enterprise-wide information security program consistent with industry standards using the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Risk assessment, risk-based analysis, and judgment are used to select security controls to address risks. Information about cybersecurity risks and our risk management processes is collected, analyzed and considered as part of our overall enterprise risk management program.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
With over 30 years of industry cybersecurity experience, the Company’s Chief Information Security Officer ("CISO") is the member of the Company’s management team with primary responsibility for the development, operation, and maintenance of the Company’s information security program. The CISO supervises the Company’s cybersecurity team, facilitates the incident response plan and acts as the liaison to the Company’s executive management team, including relaying strategies, resource requests and incident updates. The Company’s security event monitoring and detection capabilities are performed by our Cybersecurity team and third parties through the use of processes and tooling. Cybersecurity incidents are responded to by a multi-disciplinary Incident Response team and if appropriate, escalated to our Cybersecurity Disclosure Subcommittee, Executive Management, and the Board. The level of escalation will vary depending on the severity and scope of the cyber incident. In the event of a severe cyber incident, the CISO will escalate to the relevant subcommittee to determine the course of action. All relevant roles are trained on their responsibilities regularly. The Board, along with the Risk and Audit Committees of the Board, oversees our information security program. In 2024, our Board and Risk and Audit Committees received periodic updates throughout the year on cybersecurity matters, and these updates are part of their standing agendas. These updates include reports regarding items such as cybersecurity strategies, program effectiveness, key risks and performance metrics related to the Company’s information security program and the Company’s mitigating controls.
The Company has an enterprise risk management function that oversees the identification, prioritization, and mitigation of the Company’s enterprise risks, and cybersecurity is a risk category addressed by that function. The Company uses governance, risk and compliance tools to assess, identify and manage its cybersecurity risks.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Board, along with the Risk and Audit Committees of the Board, oversees our information security program.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Cybersecurity incidents are responded to by a multi-disciplinary Incident Response team and if appropriate, escalated to our Cybersecurity Disclosure Subcommittee, Executive Management, and the Board. The level of escalation will vary depending on the severity and scope of the cyber incident. In the event of a severe cyber incident, the CISO will escalate to the relevant subcommittee to determine the course of action. All relevant roles are trained on their responsibilities regularly. The Board, along with the Risk and Audit Committees of the Board, oversees our information security program. In 2024, our Board and Risk and Audit Committees received periodic updates throughout the year on cybersecurity matters, and these updates are part of their standing agendas. These updates include reports regarding items such as cybersecurity strategies, program effectiveness, key risks and performance metrics related to the Company’s information security program and the Company’s mitigating controls.
Cybersecurity Risk Role of Management [Text Block] The CISO supervises the Company’s cybersecurity team, facilitates the incident response plan and acts as the liaison to the Company’s executive management team, including relaying strategies, resource requests and incident updates. The Company’s security event monitoring and detection capabilities are performed by our Cybersecurity team and third parties through the use of processes and tooling. Cybersecurity incidents are responded to by a multi-disciplinary Incident Response team and if appropriate, escalated to our Cybersecurity Disclosure Subcommittee, Executive Management, and the Board. The level of escalation will vary depending on the severity and scope of the cyber incident. In the event of a severe cyber incident, the CISO will escalate to the relevant subcommittee to determine the course of action. All relevant roles are trained on their responsibilities regularly.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] With over 30 years of industry cybersecurity experience, the Company’s Chief Information Security Officer ("CISO") is the member of the Company’s management team with primary responsibility for the development, operation, and maintenance of the Company’s information security program.Cybersecurity incidents are responded to by a multi-disciplinary Incident Response team and if appropriate, escalated to our Cybersecurity Disclosure Subcommittee, Executive Management, and the Board
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] With over 30 years of industry cybersecurity experience, the Company’s Chief Information Security Officer ("CISO") is the member of the Company’s management team with primary responsibility for the development, operation, and maintenance of the Company’s information security program.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The CISO supervises the Company’s cybersecurity team, facilitates the incident response plan and acts as the liaison to the Company’s executive management team, including relaying strategies, resource requests and incident updates. The Company’s security event monitoring and detection capabilities are performed by our Cybersecurity team and third parties through the use of processes and tooling. Cybersecurity incidents are responded to by a multi-disciplinary Incident Response team and if appropriate, escalated to our Cybersecurity Disclosure Subcommittee, Executive Management, and the Board. The level of escalation will vary depending on the severity and scope of the cyber incident. In the event of a severe cyber incident, the CISO will escalate to the relevant subcommittee to determine the course of action. All relevant roles are trained on their responsibilities regularly.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true