|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We have a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information, which includes a cybersecurity Incident Response Plan (“IRP”). Our cybersecurity risk management program is integrated into our overall enterprise risk management program and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
Cybersecurity Risk Identification and Management
We design and assess our program based on the Center for Internet Security Critical Security Controls Version 8 (CIS V8). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the CIS V8 controls as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
Our cybersecurity risk management program includes the following:
• third party risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
• a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
• the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
• end-user testing to assess the effectiveness of our security measures;
• cybersecurity awareness training of our employees, incident response personnel, and senior management, including mandatory computer-based training, phishing awareness campaigns, and internal communications;
• a cybersecurity IRP that includes procedures designed for identifying, analyzing, containing, remedying and otherwise responding to cybersecurity incidents;
• testing of our incident response readiness through Disaster Recovery and Business Continuity Plan exercises; and
• a third-party risk management process for service providers, suppliers, and vendors who have access to our critical systems and information.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For more information, see the section titled “Risk Factors–Risks Related to Our Stores and Operations–We and our vendors rely on information technology, and any material failure, inadequacy, interruption or security incident affecting that technology could harm our business, results of operations and financial condition.”
Our management team, including our Senior Vice President of Information Systems and Vice President of Information Security and Compliance, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our management team overseeing cybersecurity has over 25 years of technology and cybersecurity experience, and certain of our team hold various cybersecurity certifications, including the Certified Information Systems Security Professional (CISSP) certification.
Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.
We are able to identify cybersecurity breaches through various channels, including but not limited to automated event detection alerts, reports from employees, notifications from external entities such as third-party IT service providers, and proactive threat investigations in collaboration with our external partners. Upon spotting a potential cybersecurity breach, including those involving third-party cyber events, our designated incident response team outlined in the IRP adheres to the policy's protocols to investigate the suspected incident. This investigation entails determining the nature of the event (e.g., ransomware attack or breach of personal data), evaluating the severity of the incident, and gauging the sensitivity of any compromised data.
In the event of a cybersecurity breach, our primary objective is to swiftly contain it by following the procedures detailed in our IRP. Once containment is achieved, our focus shifts to remediation and recovery efforts. These actions are tailored to the specifics of the breach and may involve tasks such as rebuilding systems or hosts, replacing compromised files with clean versions, verifying the integrity of affected files or data, enhancing network surveillance or logging to detect future attacks, adjusting administrative account privileges, fortifying network security like firewall configurations, and providing additional training to employees. Additionally, we carry cybersecurity insurance to cover certain expenses associated with security lapses and specified cyber incidents that disrupt our network or those of our vendors, subject to predefined limits and exclusions.
Our IRP includes clear communication guidelines, outlining procedures for engaging executive management, internal and external legal counsel, the Audit Committee, and the Board. These protocols also encompass a framework for evaluating our regulatory reporting obligations to entities such as the SEC in the aftermath of a cybersecurity incident.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We have a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information, which includes a cybersecurity Incident Response Plan (“IRP”). Our cybersecurity risk management program is integrated into our overall enterprise risk management program and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board considers cybersecurity risk as part of its risk oversight function and oversees management’s implementation of our cybersecurity risk management program. In addition, management updates the Board, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential.
The Board receives briefings from management on our cyber risk management program on a quarterly basis. Board members receive presentations on cybersecurity topics from our Senior Vice President of Information Systems as well as our Vice President of Information Security and Compliance, internal security staff or external experts as part of the Board’s continuing education on topics that impact public companies. The Audit Committee oversees required disclosures in the event of a cybersecurity breach.
As part of our board refreshment efforts in recent years, we have added directors with information technology governance skills. Currently, five members of our Board have cybersecurity experience from their principal occupation, other professional experience or third-party director education courses on cybersecurity, including cyber risk governance, and data privacy and security issues and trends.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board considers cybersecurity risk as part of its risk oversight function and oversees management’s implementation of our cybersecurity risk management program.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Board receives briefings from management on our cyber risk management program on a quarterly basis. Board members receive presentations on cybersecurity topics from our Senior Vice President of Information Systems as well as our Vice President of Information Security and Compliance, internal security staff or external experts as part of the Board’s continuing education on topics that impact public companies. The Audit Committee oversees required disclosures in the event of a cybersecurity breach.
|Cybersecurity Risk Role of Management [Text Block]
|oversees management’s implementation of our cybersecurity risk management program. In addition, management updates the Board, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential.
The Board receives briefings from management on our cyber risk management program on a quarterly basis. Board members receive presentations on cybersecurity topics from our Senior Vice President of Information Systems as well as our Vice President of Information Security and Compliance, internal security staff or external experts as part of the Board’s continuing education on topics that impact public companies. The Audit Committee oversees required disclosures in the event of a cybersecurity breach.
As part of our board refreshment efforts in recent years, we have added directors with information technology governance skills. Currently, five members of our Board have cybersecurity experience from their principal occupation, other professional experience or third-party director education courses on cybersecurity, including cyber risk governance, and data privacy and security issues and trends.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Our Board considers cybersecurity risk as part of its risk oversight function and oversees management’s implementation of our cybersecurity risk management program. In addition, management updates the Board, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential.
The Board receives briefings from management on our cyber risk management program on a quarterly basis. Board members receive presentations on cybersecurity topics from our Senior Vice President of Information Systems as well as our Vice President of Information Security and Compliance, internal security staff or external experts as part of the Board’s continuing education on topics that impact public companies. The Audit Committee oversees required disclosures in the event of a cybersecurity breach.
As part of our board refreshment efforts in recent years, we have added directors with information technology governance skills. Currently, five members of our Board have cybersecurity experience from their principal occupation, other professional experience or third-party director education courses on cybersecurity, including cyber risk governance, and data privacy and security issues and trends.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
As part of our board refreshment efforts in recent years, we have added directors with information technology governance skills. Currently, five members of our Board have cybersecurity experience from their principal occupation, other professional experience or third-party director education courses on cybersecurity, including cyber risk governance, and data privacy and security issues and trends.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The Board receives briefings from management on our cyber risk management program on a quarterly basis. Board members receive presentations on cybersecurity topics from our Senior Vice President of Information Systems as well as our Vice President of Information Security and Compliance, internal security staff or external experts as part of the Board’s continuing education on topics that impact public companies. The Audit Committee oversees required disclosures in the event of a cybersecurity breach.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true