|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Abstract]
|
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
The safe and efficient operation of our business including, but not limited to, billing, disbursements, accounting, vessel scheduling and vessel operations is dependent on computer hardware and software systems.
Information systems are vulnerable to security breaches by computer hackers and cyber terrorists. We rely on industry-accepted security measures and technology to securely maintain confidential and proprietary information maintained on our information systems. Our processes for assessing, identifying and managing material risks from
cybersecurity threats include:
|
•
|
periodic discussion and assessment of perceived material risks from cybersecurity;
|
•
|
internal and external system assessments such as penetration and vulnerability testing;
|
•
|
system protection measures, such as email filtering and access management;
|
•
|
regular threat monitoring, both against the Company and against other companies in the industry;
|
•
|
incident response procedures, for identification, reporting and remediation;
|
•
|
analysis of cybersecurity incidents and results of security operations monitoring;
|
•
|
regular employee training;
|
•
|
compliance procedures in place designed to assist in complying with mandatory data protection legislation; and
|
•
|
the existence and periodic review of internal cybersecurity policies.
We also have processes to oversee and identify cybersecurity risks from cybersecurity threats associated with our use of our managers and other service providers. More specifically, we periodically discuss with our key third-party managers technical and organizational measures in terms of cybersecurity. In terms of Software as a Service (“SaaS”) providers, we monitor the relevant IT security measures through receiving and assessing third-party assurance reports. The results of these processes are taken into consideration in our annual risk assessment process, during which we identify mitigating actions and new security initiatives.
For a description of how risks from cybersecurity threats could materially affect us, including our
business strategy, results of operations or financial condition, see “Item 3. Key Information—D. Risk Factors—Risks related to our Company—We rely on our information systems to conduct our business, and failure to protect these systems against
security breaches could adversely affect our business and results of operations. Additionally, if these systems fail or become unavailable for any significant period of time, our business could be harmed.” which is incorporated by reference into
this Item 16K.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our processes for assessing, identifying and managing material risks from
cybersecurity threats include:
|
•
|
periodic discussion and assessment of perceived material risks from cybersecurity;
|
•
|
internal and external system assessments such as penetration and vulnerability testing;
|
•
|
system protection measures, such as email filtering and access management;
|
•
|
regular threat monitoring, both against the Company and against other companies in the industry;
|
•
|
incident response procedures, for identification, reporting and remediation;
|
•
|
analysis of cybersecurity incidents and results of security operations monitoring;
|
•
|
regular employee training;
|
•
|
compliance procedures in place designed to assist in complying with mandatory data protection legislation; and
|
•
|
the existence and periodic review of internal cybersecurity policies.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|
For a description of how risks from cybersecurity threats could materially affect us, including our
business strategy, results of operations or financial condition, see “Item 3. Key Information—D. Risk Factors—Risks related to our Company—We rely on our information systems to conduct our business, and failure to protect these systems against
security breaches could adversely affect our business and results of operations. Additionally, if these systems fail or become unavailable for any significant period of time, our business could be harmed.” which is incorporated by reference into
this Item 16K.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Audit Committee has ultimate responsibility for the oversight of cybersecurity risks and responses to cybersecurity incidents, should they arise. The Audit Committee is informed periodically regarding the status of initiatives to further reduce cybersecurity risk by the IT function and other functions as needed.
The key individuals responsible for the overall assessment and management of material risks from cybersecurity threats include the head of the IT function of
Costamare Shipping and our general counsel. The head of our IT function possesses approximately 25 years of experience with informational technology and cybersecurity risk management and our
general counsel employs extensive regulatory, risk assessment and organizational experience in oversight of our internal processes.
They receive information regarding the monitoring, prevention, detection, mitigation and remediation of cybersecurity incidents and proceed with necessary actions
such as:
|
•
|
updating relevant policies and procedures;
|
•
|
implementing additional technical and organizational measures to reduce the level of cyber risk;
|
•
|
engaging specialized third-party service providers;
|
•
|
assessing the materiality and determination of disclosure obligations (in the event of a cybersecurity incident); and
|
•
|
reporting to the Audit Committee.
Where events occur that do not escalate to cybersecurity incidents, the details of the relevant assessments are communicated to the general manager on an as-needed
basis. However, if we were to become the subject of a cybersecurity incident, according to our
policies, the key management would take the following steps:
|
•
|
conduct an incident investigation;
|
•
|
conduct an incident evaluation and classification;
|
•
|
internal escalation to our executives;
|
•
|
containment of the incident and recovery of any affected infrastructure;
|
•
|
conduct a materiality assessment;
|
•
|
determine reporting obligations; and
|
•
|
report to the Audit Committee.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our Audit Committee has ultimate responsibility for the oversight of cybersecurity risks and responses to cybersecurity incidents, should they arise. The Audit Committee is informed periodically regarding the status of initiatives to further reduce cybersecurity risk by the IT function and other functions as needed.
The key individuals responsible for the overall assessment and management of material risks from cybersecurity threats include the head of the IT function of
Costamare Shipping and our general counsel. The head of our IT function possesses approximately 25 years of experience with informational technology and cybersecurity risk management and our
general counsel employs extensive regulatory, risk assessment and organizational experience in oversight of our internal processes.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|if we were to become the subject of a cybersecurity incident, according to our
policies, the key management would take the following steps:
|
•
|
conduct an incident investigation;
|
•
|
conduct an incident evaluation and classification;
|
•
|
internal escalation to our executives;
|
•
|
containment of the incident and recovery of any affected infrastructure;
|
•
|
conduct a materiality assessment;
|
•
|
determine reporting obligations; and
|
•
|
report to the Audit Committee.
|Cybersecurity Risk Role of Management [Text Block]
|
They receive information regarding the monitoring, prevention, detection, mitigation and remediation of cybersecurity incidents and proceed with necessary actions
such as:
|
•
|
updating relevant policies and procedures;
|
•
|
implementing additional technical and organizational measures to reduce the level of cyber risk;
|
•
|
engaging specialized third-party service providers;
|
•
|
assessing the materiality and determination of disclosure obligations (in the event of a cybersecurity incident); and
|
•
|
reporting to the Audit Committee.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
The key individuals responsible for the overall assessment and management of material risks from cybersecurity threats include the head of the IT function of
Costamare Shipping and our general counsel. The head of our IT function possesses approximately 25 years of experience with informational technology and cybersecurity risk management and our
general counsel employs extensive regulatory, risk assessment and organizational experience in oversight of our internal processes.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The head of our IT function possesses approximately 25 years of experience with informational technology and cybersecurity risk management and our
general counsel employs extensive regulatory, risk assessment and organizational experience in oversight of our internal processes.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|if we were to become the subject of a cybersecurity incident, according to our
policies, the key management would take the following steps:
|
•
|
conduct an incident investigation;
|
•
|
conduct an incident evaluation and classification;
|
•
|
internal escalation to our executives;
|
•
|
containment of the incident and recovery of any affected infrastructure;
|
•
|
conduct a materiality assessment;
|
•
|
determine reporting obligations; and
|
•
|
report to the Audit Committee.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true