|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We recognize the critical importance of maintaining the safety and security of our information technology systems and data. Management’s approach to assessing, identifying and managing cybersecurity and information security risks and threats is embedded in our overall Enterprise Risk Management (“ERM”) program. Management, in turn, reports up to our Board of Directors (the “Board”), which is responsible for oversight of risk, including with respect to cybersecurity threats and information security.
Board and Management’s Role and Expertise and Oversight of Risk Management and Strategy
Our information technology (“IT”) department, which maintains our cybersecurity function, is led by our SVP, Chief Information Officer (“CIO”), who reports directly to our Chief Executive Officer, and has over 25 years of broad IT and digital transformation experience leading large technology organizations and product teams with expertise in IT organizational leadership, network and cloud infrastructure, and enterprise engineering and technology. Our VP, Chief Information Security Officer (“CISO”) reports directly to the CIO, and is responsible for managing our risks from cybersecurity threats, protecting and defending our networks and systems, and overseeing our Information Security Office. Our CISO has over 20 years of experience leading cybersecurity and information security departments and manages a team of professionals who have broad industry experience and expertise, including disaster recovery, IT risk management, detection and mitigation technologies, incident response, threat management, and regulatory compliance, and who hold industry recognized certifications, such as the Certified Information Systems Security Professional and Certified Risk and Information Systems Control.
Our CISO, under the supervision and direction of the CIO, is responsible for developing and implementing our information security program. Our Executive Committee, made up of senior leaders across the organization, including our CIO, receives periodic reports from our CIO on both the state of our IT department and Information Security Office and on our cybersecurity programs.
Our Board administers its risk oversight role directly and through its committee structure. While our Board has ultimate responsibility for overseeing our cyber risk, our Audit Committee oversees risks related to cybersecurity threats, data protection, data privacy and business continuity. Our Audit Committee regularly discusses and, at least annually, reviews with management, including our CIO, CISO, and Global Privacy Officer, our cyber, information security, and data privacy risks and programs. This review includes risk assessments, the implementation of policies, procedures, processes and controls for the management of risks, management’s actions to identify and detect cyber threats and incidents, the results of tests and assessments and updates on our programs to manage disaster recovery, data privacy and compliance. Our management team also provides updates to the Board periodically.
Our IT department and Information Security Office, supported by our Global Privacy Office, regularly evaluate cybersecurity risks. Cybersecurity risks are considered within our ERM framework and are assigned risk owners who develop and manage mitigation programs. Our annual ERM program is reviewed and overseen by the Audit Committee and is presented to the Board annually. We maintain an internal Privacy and Security Steering Committee, co-chaired by our CISO and Global Privacy Officer and made up of members from IT, legal, privacy and international operations, which is tasked with review of, and oversight over, our privacy and data security programs, policies and strategy. Our Governance, Risk and Compliance Committee, made up of members of legal, operations, human resources and Internal Audit as well as our CISO, provides additional support for ERM assessment and governance by monitoring our ERM program and engaging with compliance functions across the organization to identify gaps, support corrective action plans and promote best practices. Our internal control over financial reporting, including key business process controls and IT general controls, is reviewed and tested by our Internal Audit function annually.
Assessment, Identification and Mitigation of Cybersecurity Threat Risk
Our cybersecurity threat strategy is based on prevention, detection and mitigation using layered defenses, continuous assessment, monitoring through logging and correlation, vulnerability scans, cyber threat intelligence, endpoint detection and response (EDR), and regular defense testing through simulations, penetration tests and tabletop exercises. While our cybersecurity policies, practices and programs may vary by location or by service line, our overall cybersecurity management program is based on the ISO 27001 standard. Our Information Security Office regularly monitors alerts and threat levels, trends, and remediation efforts, conducts post-incident reviews, conducts maturity testing to assess our processes and procedures and the threat landscape, reviews our operational policies and procedures, and conducts an annual risk assessment as described above. We believe that these steps are useful tools in identifying and assessing risks, giving our team key information and insights used to manage those risks to help protect our clients, families, employees, vendors, investors, and our data and intellectual property.
Employees are required to complete cybersecurity training annually specific to their role, and we also require employees in certain other roles to complete additional role-based, specialized cybersecurity training. We have a set of policies and procedures addressing information security concerns governed by our Written Information Security Program (WISP), as well as other policies that directly or indirectly relate to cybersecurity, such as encryption standards, antivirus protection, remote access, multi-factor authentication and confidential information, and policies related to the use of the internet, social media, email and electronic devices. These policies go through an internal review process and are approved by our internal Policy Board or Privacy and Security Steering Committee. We currently maintain a System and Organization Controls (“SOC”) Type 2 report for material applications and ISO 27001 and ISO 27701 certifications for the United States and United Kingdom. Annually, our Internal Audit function conducts a security audit in accordance with the ISO 27001 standard.
Third parties also play a role in our cybersecurity risk management and strategy. We contract with a third-party cybersecurity incident response team to assist in the management of cybersecurity threats. We also engage and rely on third-party cyber and information security providers for cybersecurity applications and infrastructure to protect our network, systems and data.
Incident Response and Reporting
In the event of a cybersecurity incident, we follow an Incident Response Manual and process, led by our CISO, that governs our assessment, response, escalation and notification processes, both internally and externally. Depending on the nature and severity of an incident, this process includes review by an incident response team, made up of members of the Information Security Office, with escalating notifications up to our CIO, Legal Department, CFO, and CEO, followed by our Audit Committee and the full Board.
Oversight of Third-Party Providers
When engaging with third-party providers or suppliers with access to our network, systems or data or a third party providing cybersecurity support or infrastructure, we assess and evaluate their cybersecurity and disaster recovery preparedness. Depending on location and level of access to data, vendors complete an information security questionnaire and/or provide an independent information security audit report and, for vendors unable to provide such audit reports, we take additional steps to assess their cybersecurity preparedness. We also include security and privacy addenda in our supplier contracts where applicable. Our assessment of cybersecurity threats associated with our third-party providers is part of our overall cybersecurity risk management framework.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We recognize the critical importance of maintaining the safety and security of our information technology systems and data. Management’s approach to assessing, identifying and managing cybersecurity and information security risks and threats is embedded in our overall Enterprise Risk Management (“ERM”) program. Management, in turn, reports up to our Board of Directors (the “Board”), which is responsible for oversight of risk, including with respect to cybersecurity threats and information security.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board and Management’s Role and Expertise and Oversight of Risk Management and Strategy
Our information technology (“IT”) department, which maintains our cybersecurity function, is led by our SVP, Chief Information Officer (“CIO”), who reports directly to our Chief Executive Officer, and has over 25 years of broad IT and digital transformation experience leading large technology organizations and product teams with expertise in IT organizational leadership, network and cloud infrastructure, and enterprise engineering and technology. Our VP, Chief Information Security Officer (“CISO”) reports directly to the CIO, and is responsible for managing our risks from cybersecurity threats, protecting and defending our networks and systems, and overseeing our Information Security Office. Our CISO has over 20 years of experience leading cybersecurity and information security departments and manages a team of professionals who have broad industry experience and expertise, including disaster recovery, IT risk management, detection and mitigation technologies, incident response, threat management, and regulatory compliance, and who hold industry recognized certifications, such as the Certified Information Systems Security Professional and Certified Risk and Information Systems Control.
Our CISO, under the supervision and direction of the CIO, is responsible for developing and implementing our information security program. Our Executive Committee, made up of senior leaders across the organization, including our CIO, receives periodic reports from our CIO on both the state of our IT department and Information Security Office and on our cybersecurity programs.
Our Board administers its risk oversight role directly and through its committee structure. While our Board has ultimate responsibility for overseeing our cyber risk, our Audit Committee oversees risks related to cybersecurity threats, data protection, data privacy and business continuity. Our Audit Committee regularly discusses and, at least annually, reviews with management, including our CIO, CISO, and Global Privacy Officer, our cyber, information security, and data privacy risks and programs. This review includes risk assessments, the implementation of policies, procedures, processes and controls for the management of risks, management’s actions to identify and detect cyber threats and incidents, the results of tests and assessments and updates on our programs to manage disaster recovery, data privacy and compliance. Our management team also provides updates to the Board periodically.
Our IT department and Information Security Office, supported by our Global Privacy Office, regularly evaluate cybersecurity risks. Cybersecurity risks are considered within our ERM framework and are assigned risk owners who develop and manage mitigation programs. Our annual ERM program is reviewed and overseen by the Audit Committee and is presented to the Board annually. We maintain an internal Privacy and Security Steering Committee, co-chaired by our CISO and Global Privacy Officer and made up of members from IT, legal, privacy and international operations, which is tasked with review of, and oversight over, our privacy and data security programs, policies and strategy. Our Governance, Risk and Compliance Committee, made up of members of legal, operations, human resources and Internal Audit as well as our CISO, provides additional support for ERM assessment and governance by monitoring our ERM program and engaging with compliance functions across the organization to identify gaps, support corrective action plans and promote best practices. Our internal control over financial reporting, including key business process controls and IT general controls, is reviewed and tested by our Internal Audit function annually.
Assessment, Identification and Mitigation of Cybersecurity Threat Risk
Our cybersecurity threat strategy is based on prevention, detection and mitigation using layered defenses, continuous assessment, monitoring through logging and correlation, vulnerability scans, cyber threat intelligence, endpoint detection and response (EDR), and regular defense testing through simulations, penetration tests and tabletop exercises. While our cybersecurity policies, practices and programs may vary by location or by service line, our overall cybersecurity management program is based on the ISO 27001 standard. Our Information Security Office regularly monitors alerts and threat levels, trends, and remediation efforts, conducts post-incident reviews, conducts maturity testing to assess our processes and procedures and the threat landscape, reviews our operational policies and procedures, and conducts an annual risk assessment as described above. We believe that these steps are useful tools in identifying and assessing risks, giving our team key information and insights used to manage those risks to help protect our clients, families, employees, vendors, investors, and our data and intellectual property.
Employees are required to complete cybersecurity training annually specific to their role, and we also require employees in certain other roles to complete additional role-based, specialized cybersecurity training. We have a set of policies and procedures addressing information security concerns governed by our Written Information Security Program (WISP), as well as other policies that directly or indirectly relate to cybersecurity, such as encryption standards, antivirus protection, remote access, multi-factor authentication and confidential information, and policies related to the use of the internet, social media, email and electronic devices. These policies go through an internal review process and are approved by our internal Policy Board or Privacy and Security Steering Committee. We currently maintain a System and Organization Controls (“SOC”) Type 2 report for material applications and ISO 27001 and ISO 27701 certifications for the United States and United Kingdom. Annually, our Internal Audit function conducts a security audit in accordance with the ISO 27001 standard.
Third parties also play a role in our cybersecurity risk management and strategy. We contract with a third-party cybersecurity incident response team to assist in the management of cybersecurity threats. We also engage and rely on third-party cyber and information security providers for cybersecurity applications and infrastructure to protect our network, systems and data.
Incident Response and Reporting
In the event of a cybersecurity incident, we follow an Incident Response Manual and process, led by our CISO, that governs our assessment, response, escalation and notification processes, both internally and externally. Depending on the nature and severity of an incident, this process includes review by an incident response team, made up of members of the Information Security Office, with escalating notifications up to our CIO, Legal Department, CFO, and CEO, followed by our Audit Committee and the full Board.
Oversight of Third-Party Providers
When engaging with third-party providers or suppliers with access to our network, systems or data or a third party providing cybersecurity support or infrastructure, we assess and evaluate their cybersecurity and disaster recovery preparedness. Depending on location and level of access to data, vendors complete an information security questionnaire and/or provide an independent information security audit report and, for vendors unable to provide such audit reports, we take additional steps to assess their cybersecurity preparedness. We also include security and privacy addenda in our supplier contracts where applicable. Our assessment of cybersecurity threats associated with our third-party providers is part of our overall cybersecurity risk management framework.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board administers its risk oversight role directly and through its committee structure. While our Board has ultimate responsibility for overseeing our cyber risk, our Audit Committee oversees risks related to cybersecurity threats, data protection, data privacy and business continuity.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Audit Committee regularly discusses and, at least annually, reviews with management, including our CIO, CISO, and Global Privacy Officer, our cyber, information security, and data privacy risks and programs. This review includes risk assessments, the implementation of policies, procedures, processes and controls for the management of risks, management’s actions to identify and detect cyber threats and incidents, the results of tests and assessments and updates on our programs to manage disaster recovery, data privacy and compliance. Our management team also provides updates to the Board periodically.
Our IT department and Information Security Office, supported by our Global Privacy Office, regularly evaluate cybersecurity risks. Cybersecurity risks are considered within our ERM framework and are assigned risk owners who develop and manage mitigation programs. Our annual ERM program is reviewed and overseen by the Audit Committee and is presented to the Board annually. We maintain an internal Privacy and Security Steering Committee, co-chaired by our CISO and Global Privacy Officer and made up of members from IT, legal, privacy and international operations, which is tasked with review of, and oversight over, our privacy and data security programs, policies and strategy. Our Governance, Risk and Compliance Committee, made up of members of legal, operations, human resources and Internal Audit as well as our CISO, provides additional support for ERM assessment and governance by monitoring our ERM program and engaging with compliance functions across the organization to identify gaps, support corrective action plans and promote best practices. Our internal control over financial reporting, including key business process controls and IT general controls, is reviewed and tested by our Internal Audit function annually.
|Cybersecurity Risk Role of Management [Text Block]
|
Board and Management’s Role and Expertise and Oversight of Risk Management and Strategy
Our information technology (“IT”) department, which maintains our cybersecurity function, is led by our SVP, Chief Information Officer (“CIO”), who reports directly to our Chief Executive Officer, and has over 25 years of broad IT and digital transformation experience leading large technology organizations and product teams with expertise in IT organizational leadership, network and cloud infrastructure, and enterprise engineering and technology. Our VP, Chief Information Security Officer (“CISO”) reports directly to the CIO, and is responsible for managing our risks from cybersecurity threats, protecting and defending our networks and systems, and overseeing our Information Security Office. Our CISO has over 20 years of experience leading cybersecurity and information security departments and manages a team of professionals who have broad industry experience and expertise, including disaster recovery, IT risk management, detection and mitigation technologies, incident response, threat management, and regulatory compliance, and who hold industry recognized certifications, such as the Certified Information Systems Security Professional and Certified Risk and Information Systems Control.
Our CISO, under the supervision and direction of the CIO, is responsible for developing and implementing our information security program. Our Executive Committee, made up of senior leaders across the organization, including our CIO, receives periodic reports from our CIO on both the state of our IT department and Information Security Office and on our cybersecurity programs.
Our Board administers its risk oversight role directly and through its committee structure. While our Board has ultimate responsibility for overseeing our cyber risk, our Audit Committee oversees risks related to cybersecurity threats, data protection, data privacy and business continuity. Our Audit Committee regularly discusses and, at least annually, reviews with management, including our CIO, CISO, and Global Privacy Officer, our cyber, information security, and data privacy risks and programs. This review includes risk assessments, the implementation of policies, procedures, processes and controls for the management of risks, management’s actions to identify and detect cyber threats and incidents, the results of tests and assessments and updates on our programs to manage disaster recovery, data privacy and compliance. Our management team also provides updates to the Board periodically.
Our IT department and Information Security Office, supported by our Global Privacy Office, regularly evaluate cybersecurity risks. Cybersecurity risks are considered within our ERM framework and are assigned risk owners who develop and manage mitigation programs. Our annual ERM program is reviewed and overseen by the Audit Committee and is presented to the Board annually. We maintain an internal Privacy and Security Steering Committee, co-chaired by our CISO and Global Privacy Officer and made up of members from IT, legal, privacy and international operations, which is tasked with review of, and oversight over, our privacy and data security programs, policies and strategy. Our Governance, Risk and Compliance Committee, made up of members of legal, operations, human resources and Internal Audit as well as our CISO, provides additional support for ERM assessment and governance by monitoring our ERM program and engaging with compliance functions across the organization to identify gaps, support corrective action plans and promote best practices. Our internal control over financial reporting, including key business process controls and IT general controls, is reviewed and tested by our Internal Audit function annually.
Assessment, Identification and Mitigation of Cybersecurity Threat Risk
Our cybersecurity threat strategy is based on prevention, detection and mitigation using layered defenses, continuous assessment, monitoring through logging and correlation, vulnerability scans, cyber threat intelligence, endpoint detection and response (EDR), and regular defense testing through simulations, penetration tests and tabletop exercises. While our cybersecurity policies, practices and programs may vary by location or by service line, our overall cybersecurity management program is based on the ISO 27001 standard. Our Information Security Office regularly monitors alerts and threat levels, trends, and remediation efforts, conducts post-incident reviews, conducts maturity testing to assess our processes and procedures and the threat landscape, reviews our operational policies and procedures, and conducts an annual risk assessment as described above. We believe that these steps are useful tools in identifying and assessing risks, giving our team key information and insights used to manage those risks to help protect our clients, families, employees, vendors, investors, and our data and intellectual property.
Employees are required to complete cybersecurity training annually specific to their role, and we also require employees in certain other roles to complete additional role-based, specialized cybersecurity training. We have a set of policies and procedures addressing information security concerns governed by our Written Information Security Program (WISP), as well as other policies that directly or indirectly relate to cybersecurity, such as encryption standards, antivirus protection, remote access, multi-factor authentication and confidential information, and policies related to the use of the internet, social media, email and electronic devices. These policies go through an internal review process and are approved by our internal Policy Board or Privacy and Security Steering Committee. We currently maintain a System and Organization Controls (“SOC”) Type 2 report for material applications and ISO 27001 and ISO 27701 certifications for the United States and United Kingdom. Annually, our Internal Audit function conducts a security audit in accordance with the ISO 27001 standard.
Third parties also play a role in our cybersecurity risk management and strategy. We contract with a third-party cybersecurity incident response team to assist in the management of cybersecurity threats. We also engage and rely on third-party cyber and information security providers for cybersecurity applications and infrastructure to protect our network, systems and data.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|While our Board has ultimate responsibility for overseeing our cyber risk, our Audit Committee oversees risks related to cybersecurity threats, data protection, data privacy and business continuity.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO has over 20 years of experience leading cybersecurity and information security departments and manages a team of professionals who have broad industry experience and expertise, including disaster recovery, IT risk management, detection and mitigation technologies, incident response, threat management, and regulatory compliance, and who hold industry recognized certifications, such as the Certified Information Systems Security Professional and Certified Risk and Information Systems Control.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our CISO, under the supervision and direction of the CIO, is responsible for developing and implementing our information security program. Our Executive Committee, made up of senior leaders across the organization, including our CIO, receives periodic reports from our CIO on both the state of our IT department and Information Security Office and on our cybersecurity programs.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true