|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Our board of directors recognizes the critical importance of maintaining the trust and confidence of our customers, clients, business partners and employees. Our board of directors is actively involved in oversight of our risk management program, and cybersecurity represents an important component of our overall approach to enterprise risk management (“ERM”).
Risk Management and Strategy
We have policies, standards, processes and practices for assessing, identifying, and managing material risk from cybersecurity threats that are integrated into our ERM systems and processes. Our cross-functional approach to cybersecurity risk management is focused on preserving the confidentiality, integrity, and availability of our information systems by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. As part of this approach, we have implemented controls and procedures that provide for the prompt escalation of certain cybersecurity incidents to enable timely decisions by management regarding the public disclosure and reporting of such incidents.
Our cybersecurity program is focused on the following key areas:
•Governance. As discussed in more detail under the heading “Governance” below, our board of directors’ oversight of cybersecurity risk is supported by our audit committee, which regularly interacts with our ERM function, our Chief Digital Officer (“CDO”), our Chief Information Security Officer (“CISO”), other members of management, and relevant committees and working groups, including management’s Enterprise Risk Committee (“ERC”), Cyber Incident Task Force (“CITF”), and Security Incident Response Team (“SIRT”), in its oversight of cybersecurity-related risk.
•Risk Assessment. We devote significant resources and designate high-level personnel, including our ERC, which includes our CDO, our CISO, our Chief Legal Officer (“CLO”), our Vice President of Internal Audit, and our Vice President of Ethics, Compliance and Risk Management, to manage the cybersecurity risk assessment and mitigation process. We conduct security assessments both internally and with the assistance of third parties to identify cybersecurity threats periodically and to identify any potentially material changes in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These security assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential impact of such risks, and the sufficiency and effectiveness of existing policies, procedures, systems, and controls to manage such risks. Risk themes identified during our risk assessments guide annual cybersecurity planning activities and investments to improve security coverage, technology capabilities and processes.
•Technical Safeguards. We deploy, maintain, and regularly monitor the effectiveness of technical safeguards that are designed to protect our information systems from cybersecurity threats. We align our security program to recognized frameworks and industry standards. We make investments in core security capabilities, including awareness and training, identity and access, incident response, product security, cloud security, enterprise security, risk management, and supply chain risk, in order to enable us to better identify, protect, detect, respond to, and recover from evolving security threats. Our technical safeguards include firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through internal and external security assessments and cybersecurity threat intelligence. We regularly assess our safeguards through internal testing by our assurance teams. We also leverage external third-party testing (e.g., penetration testing, attack surface mapping, and security maturity assessments) and seek third-party certifications (e.g., SOC2, ISO, and PCI DSS). Following our risk assessments, we evaluate whether and/or how to re-design and/or enhance our safeguards to reasonably address any identified risks or gaps.
•Incident Response and Recovery Planning. We have established comprehensive incident response and recovery plans that address the full lifecycle of our response to a cybersecurity incident. These plans are periodically tested and evaluated.
•Third-Party Risk Management. We maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. We perform due diligence on vendors, service providers and other third-party users of our systems at initial onboarding and periodically thereafter. We require that third-party service providers have the ability to implement and maintain reasonable and appropriate security measures, consistent with applicable laws, in connection with their work with us, and to promptly report any actual or suspected breach of their security measures that may affect our company.
•Security Awareness and Training. Our security awareness program requires that employees and certain contractors complete comprehensive security training upon joining the company and annually thereafter. The training covers critical security topics to ensure our workforce stays informed about top-of-mind security areas, such as phishing. The training helps ensure that our personnel have the knowledge and skills required to protect our digital assets and critical data. In addition, we conduct awareness campaigns on cybersecurity threats as a means to equip our personnel with effective tools to address such threats and to communicate our evolving information security policies, standards, processes and practices.
We engage in the periodic assessment and testing of our cybersecurity policies, standards, processes and practices, including through audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. To assist with such assessment and testing, we engage assessors, consultants, auditors, and other third parties to perform assessments on our cybersecurity measures, including for third-party testing and certifications (as described above under “Technical Safeguards”), information security maturity assessments, customer audits, and independent reviews of our information security control environment and operating effectiveness. The material results of such assessments, audits and reviews are reported to our audit committee, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided.
To date, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our company, including our business strategy, results of operations, or financial condition. For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, are reasonably likely to materially affect our company in the future, including our business strategy, results of operations, or financial condition, see Part I, Item 1A, “Risk Factors” in this Annual Report on Form 10-K.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We have policies, standards, processes and practices for assessing, identifying, and managing material risk from cybersecurity threats that are integrated into our ERM systems and processes. Our cross-functional approach to cybersecurity risk management is focused on preserving the confidentiality, integrity, and availability of our information systems by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. As part of this approach, we have implemented controls and procedures that provide for the prompt escalation of certain cybersecurity incidents to enable timely decisions by management regarding the public disclosure and reporting of such incidents.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Our board of directors, in coordination with our audit committee, oversees our ERM process, including the management of cybersecurity risks, and is responsible for monitoring and assessing strategic risk exposure.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our board of directors administers its cybersecurity risk oversight function as a whole, as well as through our audit committee. Our audit committee receives regular presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties, and risks relating to cybersecurity incidents. Our board of directors has previously received quarterly updates from our audit committee on ERM and cybersecurity risks after the audit committee is updated by management but, as a reflection of the importance we place on managing and overseeing cybersecurity risk, management expects to provide quarterly updates directly to the board of directors beginning in 2025.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our audit committee receives regular presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties, and risks relating to cybersecurity incidents.
|Cybersecurity Risk Role of Management [Text Block]
|
Our ERC, comprised of our CLO, our CDO, our CISO, our Vice President of Internal Audit, and our Vice President of Ethics, Compliance and Risk Management, among others, oversees our ERM activities, including cybersecurity-related risks. Our CDO and our CISO (who reports to our CDO) are primarily responsible for the assessment and management of our material risks from cybersecurity threats, working collaboratively and cross-functionally to design and implement our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above, and for responding to any cybersecurity incidents. In addition, our CITF (which includes our CDO, our CISO, our CLO, and our Chief Financial Officer (“CFO”)) is primarily responsible for evaluating cybersecurity incidents, gathering and assessing facts relevant to applicable regulatory reporting and disclosure obligations, making recommendations to our Chief Executive Officer and CFO regarding such disclosure, and advising our board of directors and audit committee on the effectiveness of policies and procedures related to the disclosure of cybersecurity incidents.
To facilitate our cybersecurity risk management program, multidisciplinary teams throughout our company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, our CDO, our CISO, and the SIRT monitor the detection, mitigation and remediation of cybersecurity threats and incidents in real time, and report such threats and incidents to the CITF when appropriate.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our ERC, comprised of our CLO, our CDO, our CISO, our Vice President of Internal Audit, and our Vice President of Ethics, Compliance and Risk Management, among others, oversees our ERM activities, including cybersecurity-related risks. Our CDO and our CISO (who reports to our CDO) are primarily responsible for the assessment and management of our material risks from cybersecurity threats, working collaboratively and cross-functionally to design and implement our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above, and for responding to any cybersecurity incidents. In addition, our CITF (which includes our CDO, our CISO, our CLO, and our Chief Financial Officer (“CFO”)) is primarily responsible for evaluating cybersecurity incidents, gathering and assessing facts relevant to applicable regulatory reporting and disclosure obligations, making recommendations to our Chief Executive Officer and CFO regarding such disclosure, and advising our board of directors and audit committee on the effectiveness of policies and procedures related to the disclosure of cybersecurity incidents.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Our CDO has over 25 years of experience at technology companies and has been in the security space for over 18 years, including serving as chief security officer at a public company and leading security engineering at another public company. Our CDO also serves on the board of directors of a publicly traded cybersecurity company. Our CDO holds an undergraduate degree in electronics engineering and a graduate degree in business administration and management. Our CISO has over 18 years of experience managing cybersecurity risks in the technology industry, including serving as the acting chief security officer at a public company and holding other senior cybersecurity leadership and operational roles at other companies. Our CISO holds an undergraduate degree in computer engineering and graduate degrees in electrical engineering and business administration. Our CFO, VP of Internal Audit, and VP of Ethics, Compliance and Risk Management each hold undergraduate and/or graduate degrees in their respective fields, and have over 10 years of experience managing risks at the Company and at similar companies, including risks arising from cybersecurity threats.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our board of directors has previously received quarterly updates from our audit committee on ERM and cybersecurity risks after the audit committee is updated by management but, as a reflection of the importance we place on managing and overseeing cybersecurity risk, management expects to provide quarterly updates directly to the board of directors beginning in 2025.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true