XML 54 R24.htm IDEA: XBRL DOCUMENT

Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended

Dec. 31, 2025

Cybersecurity Risk Management, Strategy, and Governance [Abstract]

Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

We believe that cybersecurity is fundamental to our operations and, as such, we are committed to maintaining robust governance and oversight of cybersecurity risks and implementing comprehensive processes and procedures for identifying, assessing, and managing material risks from cybersecurity threats as part of our broader risk management system and processes. Our cybersecurity risk management strategy prioritizes detection, analysis, and response to known, anticipated or unexpected threats; effective management of security risks; and resiliency against incidents. With the ever‐changing cybersecurity landscape and continual emergence of new cybersecurity threats, our senior management team ensures that significant resources are devoted to cybersecurity risk management and the technologies, processes and people that support it. We implement risk‐based controls to protect our information, our information systems, our business operations, and our vessels.

Risk Management and Strategy

The safe and efficient operation of our business—including, but not limited to, billing, disbursements, accounting, vessel scheduling, and vessel operations—depends on computer hardware and software systems. These information systems are vulnerable to security breaches by computer hackers and cyber terrorists. We rely on industry‐accepted security measures and technology to securely maintain confidential and proprietary information on our information systems.

Our processes for assessing, identifying, and managing material risks from cybersecurity threats include:

•

Periodic discussion and assessment of perceived material cybersecurity risks.

•

Internal and external system assessments, such as penetration and vulnerability testing.

•

System protection measures, such as email filtering and access management.

•

Regular threat monitoring, both against the Company and against other companies in the industry.

•

Incident response procedures, for identification, reporting, and remediation.

•

Analysis of cybersecurity incidents and results of security operations monitoring.

•

Regular employee training.

•

Procedures designed to assist in complying with mandatory data protection legislation.

•

The existence and periodic review of internal cybersecurity policies.

We also have processes to oversee and identify cybersecurity risks from threats associated with our use of other service providers. More specifically, we periodically discuss with our key third‐party managers the technical and organizational measures in place for cybersecurity. In terms of Software as a Service providers, we monitor the relevant IT security measures through receiving and assessing third‐party assurance reports as well as protect against potential risk factors from them. The results of these processes are taken into consideration in our annual risk assessment process, during which we identify mitigating actions and new security initiatives.

Cybersecurity Risk Management Processes Integrated [Flag]

true

Cybersecurity Risk Management Processes Integrated [Text Block]

Cybersecurity Risk Management Third Party Engaged [Flag]

true

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]

true

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]

false

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]

Ongoing Investment and Potential Impact

We continue to invest in our cybersecurity systems and to enhance our internal controls and processes. Our business strategy, results of operations, and financial condition have not been materially affected by risks from cybersecurity threats to date, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. While we have dedicated significant resources to identifying, assessing, and managing these risks, our efforts may not be adequate, may fail to accurately assess the severity of an incident, may not be sufficient to prevent or limit harm, or may fail to sufficiently remediate an incident in a timely fashion. Any such failure could harm our business, reputation, results of operations, and financial condition.

For further information regarding the risks associated with cybersecurity, see the risk factor under “Item 3. Key Information—D. Risk Factors” entitled “A cyber‐attack could materially disrupt our business”.

Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance

Our Audit Committee has ultimate responsibility for the oversight of cybersecurity risks and responses to cybersecurity incidents, should they arise. The Audit Committee is informed periodically regarding the status of initiatives undertaken by the IT department and internal auditors and other relevant functions to further reduce cybersecurity risk.

The key individuals responsible for the overall assessment and management of material risks from cybersecurity threats include the head of our IT (who possesses approximately 20 years of experience with informational technology and cybersecurity risk management) and our or internal auditor, who brings extensive regulatory, risk assessment, and organizational experience to the oversight of our internal processes.

This leadership team receives information regarding the monitoring, prevention, detection, mitigation, and remediation of cybersecurity incidents and proceeds with necessary actions such as:

•

Updating relevant policies and procedures.

•

Implementing additional technical and organizational measures to reduce the level of cyber risk.

•

Engaging specialized third‐party service providers.

•

Assessing the materiality and determining disclosure obligations in the event of a cybersecurity incident.

•

Reporting to senior management.

Incident Management and Reporting

As part of our cybersecurity risk management system, our incident management teams track and log privacy and security incidents across our Company, including our vessels, to remediate and resolve any such incidents. All incidents are reviewed regularly to determine whether further escalation is appropriate. Any incident assessed as potentially being or potentially becoming material is immediately escalated for further assessment, and then reported to our senior management, who then consult with our Audit Committee. We consult with our outside counsel as appropriate, including on materiality analysis and disclosure matters, and our senior management makes the final materiality determinations and disclosure and other compliance decisions. Our senior management apprises our independent public accounting firm of matters and any relevant developments.

Where events occur that do not escalate to cybersecurity incidents, the details of the relevant assessments are communicated to senior management on an as‐needed basis. However, if we were to become the subject of a cybersecurity incident, according to our policies, the key management would take the following steps:

Conduct an incident investigation.

Conduct an incident evaluation and classification.

Undertake internal escalation to our executives.

Pursue containment of the incident and recovery of any affected infrastructure.

Conduct a materiality assessment.

Determine reporting obligations.

Report to the Audit Committee.

Training and Awareness

We have various information technology policies relating to cybersecurity. We also provide mandatory employee training on a periodic basis that reinforces our information technology policies, standards, and practices, as well as the expectation that employees comply with these policies and identify and report potential cybersecurity risks. We also require all employees, directors and officers to sign the company’s Privacy Policy for Personal Data protection.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

Incident Management and Reporting

Conduct an incident investigation.

Conduct an incident evaluation and classification.

Undertake internal escalation to our executives.

Pursue containment of the incident and recovery of any affected infrastructure.

Conduct a materiality assessment.

Determine reporting obligations.

Report to the Audit Committee.

Cybersecurity Risk Role of Management [Text Block]

This leadership team receives information regarding the monitoring, prevention, detection, mitigation, and remediation of cybersecurity incidents and proceeds with necessary actions such as:

•

Updating relevant policies and procedures.

•

Implementing additional technical and organizational measures to reduce the level of cyber risk.

•

Engaging specialized third‐party service providers.

•

Assessing the materiality and determining disclosure obligations in the event of a cybersecurity incident.

•

Reporting to senior management.

Cybersecurity Risk Management Positions or Committees Responsible [Flag]

true

Cybersecurity Risk Management Positions or Committees Responsible [Text Block]

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]

true