XML 47 R21.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] Monitoring and assessing cybersecurity risk is a critical part of our overall enterprise risk management (“ERM”).  Our Board regularly discusses significant areas of risk, including those that may be related to cybersecurity, as necessary. We have designed and implemented an information security program tailored to our operations, the nature of our products and services, and the sensitivity of the data that we process.  We have implemented cybersecurity risk management processes that include, for example, developing organizational understandings to manage cybersecurity risk, identifying asset vulnerabilities, threats to internal and external organizational resources, and risk response activities, and developing a vendor risk management policy for assessing supply chain and vendor-related risks.  As part of these processes, we have implemented an Incident Response Plan, which provides protocols for incident evaluation, including processes for notification and internal escalation of information to our senior management and the appropriate Board committees.  Our Incident Response Plan is updated annually and tested in tabletop exercises.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Monitoring and assessing cybersecurity risk is a critical part of our overall enterprise risk management (“ERM”).  Our Board regularly discusses significant areas of risk, including those that may be related to cybersecurity, as necessary. We have designed and implemented an information security program tailored to our operations, the nature of our products and services, and the sensitivity of the data that we process.  We have implemented cybersecurity risk management processes that include, for example, developing organizational understandings to manage cybersecurity risk, identifying asset vulnerabilities, threats to internal and external organizational resources, and risk response activities, and developing a vendor risk management policy for assessing supply chain and vendor-related risks.  As part of these processes, we have implemented an Incident Response Plan, which provides protocols for incident evaluation, including processes for notification and internal escalation of information to our senior management and the appropriate Board committees.  Our Incident Response Plan is updated annually and tested in tabletop exercises.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Our Board, including the Audit Committee of the Board, and our management team are actively involved in the oversight of risks from cybersecurity threats.  

Our Audit Committee discusses risks related to cybersecurity quarterly, and reports to the Board quarterly on such risks and events.  Our Senior Director of Information Systems presents information to the Audit Committee regarding cybersecurity risks and events quarterly.  The full Board also discusses cybersecurity risks and events annually.  If there are direct risks rising to the level of potential materiality, the management team reports such risks and events to the Board.  
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Audit Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

Our Audit Committee discusses risks related to cybersecurity quarterly, and reports to the Board quarterly on such risks and events.  Our Senior Director of Information Systems presents information to the Audit Committee regarding cybersecurity risks and events quarterly.  The full Board also discusses cybersecurity risks and events annually.  If there are direct risks rising to the level of potential materiality, the management team reports such risks and events to the Board.  
Cybersecurity Risk Role of Management [Text Block]

Our Senior Director of Information Systems and our Director of Information Systems are responsible for day-to-day oversight of cybersecurity risk.  The individual currently holding the position of Senior Director of Information Systems has held the role for two years, has sixteen years of experience in IT and software development (with eight of those years in management roles), and holds certification from MIT Sloan School of Management in cybersecurity risk management.  The individual currently holding the position of Director of Information Systems—who reports directly to the Senior Director of Information Systems—was formerly an IT Audit Senior Associate at PricewaterhouseCoopers, performed security assessments as a consultant at PricewaterhouseCoopers, and passed his CISA exam (though certification is currently pending).  These individuals are responsible for coordinating resources internally and externally regarding cybersecurity risk management and incident response, and they report directly to our Chief Administrative Officer.  

Our management team has also established a Cybersecurity Incident Response Team (the “CSIRT”), which is comprised of our Chief Executive Officer, the Chair of the Audit Committee of our Board, our General Counsel, our Chief Administrative Officer, and our Senior Vice President of Human Resources. The CSIRT is also responsible for responding to cybersecurity incidents.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Senior Director of Information Systems and our Director of Information Systems
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The individual currently holding the position of Senior Director of Information Systems has held the role for two years, has sixteen years of experience in IT and software development (with eight of those years in management roles), and holds certification from MIT Sloan School of Management in cybersecurity risk management.  The individual currently holding the position of Director of Information Systems—who reports directly to the Senior Director of Information Systems—was formerly an IT Audit Senior Associate at PricewaterhouseCoopers, performed security assessments as a consultant at PricewaterhouseCoopers, and passed his CISA exam (though certification is currently pending).  
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

Monitoring and assessing cybersecurity risk is a critical part of our overall enterprise risk management (“ERM”).  Our Board regularly discusses significant areas of risk, including those that may be related to cybersecurity, as necessary. We have designed and implemented an information security program tailored to our operations, the nature of our products and services, and the sensitivity of the data that we process.  We have implemented cybersecurity risk management processes that include, for example, developing organizational understandings to manage cybersecurity risk, identifying asset vulnerabilities, threats to internal and external organizational resources, and risk response activities, and developing a vendor risk management policy for assessing supply chain and vendor-related risks.  As part of these processes, we have implemented an Incident Response Plan, which provides protocols for incident evaluation, including processes for notification and internal escalation of information to our senior management and the appropriate Board committees.  Our Incident Response Plan is updated annually and tested in tabletop exercises.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true