|
Cybersecurity Risk Management, Strategy, and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 16K. CYBERSECURITY
Risk Management and Strategy
We have adopted a comprehensive risk management system to manage various risks that we face, including financial risks, operational risks, compliance risks, public opinion risks, risks associated with stability of information technology systems, cybersecurity risks and supplier management risks. Cybersecurity risk management is a core component of our overall risk management framework. We have established an array of risk management procedures to identify, assess and manage such risks, including risk identification, risk assessment, risk control and risk monitoring. We have also implemented procedural design, evaluation mechanism as well as risk grading and liability assessment mechanism to enhance our risk management. Set forth below are measures that we undertake to manage cybersecurity risks.
Cybersecurity Leadership Team
We have formed a Cybersecurity Leadership Team, which is led by our Chief Executive Officer, Chief Financial Officer and Vice President of technology department and comprised of personnel from our legal department, internal audit, technology department and various business and content production departments, to carry out cybersecurity risk management. The Cybersecurity Leadership Team is a professional technical team dedicated to managing cybersecurity risks, and is in charge of devising cybersecurity strategies, conducting security audits of operating source code, tracking and analyzing risks, and solving technology related troubles.
Internal Policies
Preventive Policies
We have adopted the following internal policies and procedures to prevent cybersecurity incidents:
•
Information Security Management Policy, which prevents unauthorized access, use and control of network resources to enhance the safety and stability of our network space;
•
Data Security Management Policy, which standardizes the management of data classification, backup and destruction, and ensures reasonable storage of historical data and data security;
•
Technology Department Cybersecurity Management Policy, which specifies the operation process of network equipment to ensure its safe, stable and continuous operation.
Remediation Policies
We have also adopted a Cybersecurity Emergency Response Plan which sets out the procedures for reporting, response and handling of cybersecurity incidents to reduce losses caused by cybersecurity incidents and enhance business continuity.
Technical Measures
We have implemented various technical measures, such as real-time monitoring of traffic logs, host-based vulnerability scanning, transmission encryption and authentication, firewalls and intrusion prevention systems, in order to timely identify and
address cybersecurity threats and protect the security and integrity of our information technology systems and data stored in our systems.
Engagement of Third-Party Service Providers
We have (i) communicated closely with several external security organizations, to acquire zero-day vulnerability information and (ii) purchased third-party security services, including vulnerability scanning services, and penetration and vulnerability testing every year.
In addition, to comply with the requirements under the Cybersecurity Law and Data Security Law of the PRC and enhance the security of our information technology systems, we have engaged third-party agencies to perform the Classified Cybersecurity Protection Evaluations on an annual basis, which evaluates the Company’s cybersecurity situation from aspects of physical environment, communication networks, perimeter, computing environment, management center, management systems, management institutions, personnel management, construction management, and operations and maintenance management.
Risks from Cybersecurity Threats
As we generate and process a large amount of data through our platform and rely on our IT systems for our business operations, we face risks associated with cybersecurity threats. For more details, see “Item 4. Information on the Company—D. Risk Factors—Risks Relating to Our Business and Industry— Our business and operating results may be harmed by service disruptions, or by our failure to timely and effectively scale and adapt our existing technology and infrastructure”; “—Security breaches or computer virus attacks could have a material adverse effect on our business prospects and operating results”; and “—We are subject to a variety of laws and other obligations regarding cybersecurity, data security and personal information protection in China, and our failure to comply with any of them could result in proceedings against us by governmental entities or others and harm our public image and reputation, which could have a material adverse effect on our business, results of operations and financial condition.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We have adopted a comprehensive risk management system to manage various risks that we face, including financial risks, operational risks, compliance risks, public opinion risks, risks associated with stability of information technology systems, cybersecurity risks and supplier management risks. Cybersecurity risk management is a core component of our overall risk management framework. We have established an array of risk management procedures to identify, assess and manage such risks, including risk identification, risk assessment, risk control and risk monitoring. We have also implemented procedural design, evaluation mechanism as well as risk grading and liability assessment mechanism to enhance our risk management. Set forth below are measures that we undertake to manage cybersecurity risks.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|
Risks from Cybersecurity Threats
As we generate and process a large amount of data through our platform and rely on our IT systems for our business operations, we face risks associated with cybersecurity threats. For more details, see “Item 4. Information on the Company—D. Risk Factors—Risks Relating to Our Business and Industry— Our business and operating results may be harmed by service disruptions, or by our failure to timely and effectively scale and adapt our existing technology and infrastructure”; “—Security breaches or computer virus attacks could have a material adverse effect on our business prospects and operating results”; and “—We are subject to a variety of laws and other obligations regarding cybersecurity, data security and personal information protection in China, and our failure to comply with any of them could result in proceedings against us by governmental entities or others and harm our public image and reputation, which could have a material adverse effect on our business, results of operations and financial condition.”
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board of Directors
Our board of directors is responsible for and engaged in the oversight of our continuous efforts in monitoring, assessing and managing the risks associated with cybersecurity threats or incidents. The board reviews reports from management on material cybersecurity risks and incidents and discusses remediation plans with the management. At board meetings, the board also hears period reports from the management on cybersecurity risk management and governance and have follow-up discussions with the management.
In addition, our audit committee is responsible for risk assessment and risk management, including risks relating to cybersecurity threats or incidents. The responsibilities of our audit committee include discussing policies with respect to risk assessment and risk management periodically with the management, internal auditors, and independent auditors, and our plans or processes to monitor, control and minimize such risks and exposures.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our board of directors is responsible for and engaged in the oversight of our continuous efforts in monitoring, assessing and managing the risks associated with cybersecurity threats or incidents. The board reviews reports from management on material cybersecurity risks and incidents and discusses remediation plans with the management. At board meetings, the board also hears period reports from the management on cybersecurity risk management and governance and have follow-up discussions with the management.
In addition, our audit committee is responsible for risk assessment and risk management, including risks relating to cybersecurity threats or incidents. The responsibilities of our audit committee include discussing policies with respect to risk assessment and risk management periodically with the management, internal auditors, and independent auditors, and our plans or processes to monitor, control and minimize such risks and exposures.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The board reviews reports from management on material cybersecurity risks and incidents and discusses remediation plans with the management. At board meetings, the board also hears period reports from the management on cybersecurity risk management and governance and have follow-up discussions with the management.
|Cybersecurity Risk Role of Management [Text Block]
|
Management
Our management is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents primarily through (i) Cybersecurity Leadership Team, and (ii) review and approval of cybersecurity-related policies and procedures.
Cybersecurity Leadership Team
Our Cybersecurity Leadership Team, led by our Chief Executive Officer, Chief Financial Officer and Vice President of technology department, is in charge of cybersecurity risk management, including assessing and managing material risks from cybersecurity threats, prevention (through formulating and implementation of policies and procedures and cybersecurity awareness training), detection, mitigation and remediation of cybersecurity incidents. The Vice President of technology department reports the cybersecurity work to the management through periodic meetings.
Technology, Legal and Internal Audit Departments
Our technology, legal and internal audit departments also perform different functions with respect to cybersecurity management. The legal department is responsible for interpreting cybersecurity-related laws and regulations and reviewing cybersecurity-related internal policies. The internal audit department is responsible for internal audits on the implementation of cybersecurity-related policies and procedures. The internal audit department and the legal department jointly report to our Chief Financial Officer. The technology department is responsible for monitoring our data security, information security and application security systems, fixing technical vulnerabilities, and reports to our Vice President of technology department.
Policy Review and Approval
All cybersecurity-related internal policies shall be reviewed and approved by the management personnel in charge of the proposing department as well as the Cybersecurity Leadership Team prior to adoption.
Based on information obtained through such channels, our management makes assessments of cybersecurity risks and incidents and reports the nature, origin and potential impact of cybersecurity risks and incidents to the board of directors based on an assessment of materiality so that the board can learn about material cybersecurity risks and incidents on a timely basis and make decisions accordingly. To keep the management regularly informed about and discuss cybersecurity matters, the Vice President of technology department makes periodic reports to the Chief Executive Officer on cybersecurity risk management and governance at management meetings, have live discussions with the management and address their questions. Based on the management’sassessment of the cybersecurity risks, the Chief Executive Officer or the Chief Financial Officer makes report to the board if he/she considers it necessary.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Cybersecurity Leadership Team
Our Cybersecurity Leadership Team, led by our Chief Executive Officer, Chief Financial Officer and Vice President of technology department, is in charge of cybersecurity risk management, including assessing and managing material risks from cybersecurity threats, prevention (through formulating and implementation of policies and procedures and cybersecurity awareness training), detection, mitigation and remediation of cybersecurity incidents. The Vice President of technology department reports the cybersecurity work to the management through periodic meetings.
Technology, Legal and Internal Audit Departments
Our technology, legal and internal audit departments also perform different functions with respect to cybersecurity management. The legal department is responsible for interpreting cybersecurity-related laws and regulations and reviewing cybersecurity-related internal policies. The internal audit department is responsible for internal audits on the implementation of cybersecurity-related policies and procedures. The internal audit department and the legal department jointly report to our Chief Financial Officer. The technology department is responsible for monitoring our data security, information security and application security systems, fixing technical vulnerabilities, and reports to our Vice President of technology department.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our Cybersecurity Leadership Team, led by our Chief Executive Officer, Chief Financial Officer and Vice President of technology department, is in charge of cybersecurity risk management, including assessing and managing material risks from cybersecurity threats, prevention (through formulating and implementation of policies and procedures and cybersecurity awareness training), detection, mitigation and remediation of cybersecurity incidents.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef