|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
The Company has processes in place to, assess, and monitor material risks from cybersecurity threats, which are part of the Company’s overall enterprise risk management process and have been embedded in the Company’s operating procedures, internal controls, and information systems.
The Company’s comprehensive cybersecurity and information security framework includes risk assessment and mitigation through a threat intelligence-driven approach, application controls, and enhanced security with ransomware defense. The framework leverages the National Institute of Standards and Technology Cyber Security Framework (“NIST CSF”) for measuring overall readiness to respond to cyber threats, and Sarbanes-Oxley for assessment of internal controls.
The Company contracts with external firms to assess the Company’s cybersecurity controls relative to its peers using the NIST CSF. The Company also has a third-party risk management program that assesses risks from vendors and suppliers. In addition, the Company maintains business continuity and disaster recovery plans as well as a cybersecurity insurance policy.
The Company has established cybersecurity and information security awareness training programs. Formal training on topics relating to the Company’s cybersecurity, data privacy, and information security policies and procedures is mandatory at least annually for all employees. Training topics include how to escalate suspicious activities including phishing, viruses, spams, insider threats, suspect human behaviors, or safety issues. Based on role and location, some employees receive additional in-depth training to provide more comprehensive knowledge on potential risks related to their individual job responsibilities. Training is supplemented through regular Company communications with frequent updates to educate on the latest adversary trends and social engineering techniques. Certain employees also obtain industry certifications, such as Certified Information Systems Security Professional or Certified Information Security Manager.
The Companyin cyber crisis response simulations to assess the Company’s ability to adapt to information and operational technology threats. Improper or illegitimate use of the Company’s information system resources or violation of the Company’s information security policies and procedures is subject to disciplinary action. The Company’s security posture is supported by a comprehensive defense-in-depth strategy that relies on layers of technology including multi-factor authentication and principles of zero trust to ensure that access to information and communication is vetted and secure.
The Company also utilizes internal and external audits and assessments, vulnerability testing, governance processes over outsourced service providers, active risk management, and benchmarking against peers in the industry to validate the Company’s security posture. The Company also engages external firms to measure the Company’s NIST CSF maturity level.
No risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents, have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations, or financial condition.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|The Company has established cybersecurity and information security awareness training programs. Formal training on topics relating to the Company’s cybersecurity, data privacy, and information security policies and procedures is mandatory at least annually for all employees. Training topics include how to escalate suspicious activities including phishing, viruses, spams, insider threats, suspect human behaviors, or safety issues. Based on role and location, some employees receive additional in-depth training to provide more comprehensive knowledge on potential risks related to their individual job responsibilities. Training is supplemented through regular Company communications with frequent updates to educate on the latest adversary trends and social engineering techniques. Certain employees also obtain industry certifications, such as Certified Information Systems Security Professional or Certified Information Security Manager.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|No risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents, have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations, or financial condition.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
Role of the Board and Management
The Company’s board recognizes the importance of cybersecurity in safeguarding the Company’s sensitive data. The board is responsible for overseeing overall risk management for the Company, including review and approval of the enterprise risk management approach and processes implemented by management to identify, assess, manage, and mitigate risk, at least annually. The board has delegated responsibility for oversight of the Company’s cybersecurity, information security framework, and risk management to the Company’s management cybersecurity committee (the “Cybersecurity Committee”).
Pursuant to its charter, the Cybersecurity Committee must consist of at least four members of the Company’s executive management team, which shall include the Company’s director of technology, chief operating officer, chief compliance officer, and chief financial officer, each of whom is required to have working familiarity, knowledge, and competencies in relevant areas, including data privacy, public policy, information technology (“IT”) strategy, IT development and deployment, or IT risk assessment and management, including information security management. In addition, the Company’s director of technology has formal education in IT and extensive experience working in and leading the Company’s information systems and technology function.
The principal responsibilities and duties of the Cybersecurity Committee, pursuant to its written charter, are to:
The Cybersecurity Committee, including the Company’s director of technology, receives regular updates from the Company’s management on cybersecurity matters, results of mitigation efforts, and cybersecurity incident response and remediation.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Company’s board recognizes the importance of cybersecurity in safeguarding the Company’s sensitive data. The board is responsible for overseeing overall risk management for the Company, including review and approval of the enterprise risk management approach and processes implemented by management to identify, assess, manage, and mitigate risk, at least annually. The board has delegated responsibility for oversight of the Company’s cybersecurity, information security framework, and risk management to the Company’s management cybersecurity committee (the “Cybersecurity Committee”).
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Pursuant to its charter, the Cybersecurity Committee must consist of at least four members of the Company’s executive management team, which shall include the Company’s director of technology, chief operating officer, chief compliance officer, and chief financial officer, each of whom is required to have working familiarity, knowledge, and competencies in relevant areas, including data privacy, public policy, information technology (“IT”) strategy, IT development and deployment, or IT risk assessment and management, including information security management. In addition, the Company’s director of technology has formal education in IT and extensive experience working in and leading the Company’s information systems and technology function.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true