XML 23 R9.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy

We have integrated processes in place to manage information technology vulnerabilities, including technological tools and applications, and controls. Two-step and multi-factor authentication are required for both internal and external access. Anti-virus and malware endpoint protection software is used on all Company and non-Company information systems workstations and laptops, and email filtering protection is also in place. We also subscribe to a Managed Threat Response service that proactively monitors all systems. System event logs are produced and reviewed, and all exceptions and anomalies of actions affecting or relevant to information security are identified and investigated. The Security Operations Center from Sophos manages this service, which reviews, identifies, and investigates threats in coordination with our internal teams.

Software updates and configuration changes applied to information resources are tested prior to widespread implementation and are implemented in accordance with our change control policy. All information resources are scanned on a regular basis to identify missing updates. Missing software updates are evaluated, and those whose absence poses an unacceptable risk to us are implemented and installed on the relevant information resources. Penetration testing and vulnerability scans of the internal network, external network, and hosted applications are conducted at scheduled intervals and after any significant changes to the information system environment. Any exploitable vulnerabilities found during a penetration test are remediated and the systems re-tested to verify that the vulnerabilities are resolved. Evidence of a compromised or exploited information resource found during vulnerability scanning is reported to the Information Security Committee.

Third-Party Engagement

To maintain the highest standards of cybersecurity, we actively engage with specialized third-party assessors. This engagement is crucial for an unbiased evaluation of our cybersecurity posture and for gaining insights into industry best practices. The following outlines our general approach to engaging these external entities:

Selection of Qualified Assessors: We select third-party assessors based on their expertise, industry reputation, and alignment with our cybersecurity needs. Preference is given to assessors with proven track records in identifying and mitigating complex cybersecurity risks in similar industries.

Scope of Assessment: The assessment process is comprehensive, covering all critical aspects of our cybersecurity infrastructure. This includes evaluations of our network security, data protection measures, incident response capabilities, and employee cybersecurity awareness. The assessors are also tasked with identifying potential vulnerabilities in our systems and processes.

Regular and Ad-hoc Assessments: Assessments are conducted on a regular basis to ensure continuous monitoring of our cybersecurity health. Additionally, ad-hoc assessments may be conducted in response to significant changes in our IT infrastructure or emerging cybersecurity threats.

Assessment Methodology: The third-party assessors employ a range of methodologies, including penetration testing, vulnerability assessments, and security audits. These methodologies are aligned with industry standards and best practices to ensure a thorough and effective evaluation.

Collaboration and Transparency: We maintain an open line of communication with our assessors throughout the evaluation process. This collaboration allows for a clear understanding of their findings and recommendations. Transparency in this process is key to effectively addressing any identified vulnerabilities.

Action on Findings: Upon receiving the assessment reports, we promptly act on the findings. This includes addressing identified vulnerabilities, implementing recommended security measures, and continuously updating our cybersecurity strategies.

Feedback and Continuous Improvement: Feedback from these assessments is integral to our continuous improvement process. We regularly update our cybersecurity policies and practices based on the insights gained from these assessments to stay ahead of evolving cyber threats.

In today’s interconnected business environment, reliance on third-party service providers is inevitable. However, this reliance introduces additional cybersecurity risks that must be effectively managed. Our approach to identifying and mitigating these risks involves several key steps:

Risk Assessment and Due Diligence: Prior to engaging with any third-party service provider, we conduct a comprehensive risk assessment. This assessment evaluates the provider's cybersecurity policies, data management practices, and compliance with industry standards. We also assess their history of cybersecurity incidents and responses to understand their resilience and reliability.

Contractual Safeguards and Compliance Requirements: To ensure robust cybersecurity, our contracts with third-party providers include specific clauses that mandate adherence to our security policies and standards. These contractual obligations cover data protection, incident reporting, and compliance with relevant laws and regulations. Regular compliance audits are conducted to ensure these standards are continuously met.

Incident Response and Communication: In the event of a cybersecurity incident involving a third-party provider, we have a well-defined incident response plan. This plan outlines the steps for quick and effective action, including communication strategies to manage the impact on stakeholders. We require our third-party providers to promptly notify us of any breaches or potential security threats.

Review and Continuous Improvement: Our processes for managing third-party cybersecurity risks are regularly reviewed and updated. This ensures that we adapt to new threats and integrate best practices into our risk management framework.

Through these measures, we strive to mitigate the cybersecurity risks associated with third-party service providers, ensuring the resilience and security of our operations and data.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] We have integrated processes in place to manage information technology vulnerabilities, including technological tools and applications, and controls. Two-step and multi-factor authentication are required for both internal and external access. Anti-virus and malware endpoint protection software is used on all Company and non-Company information systems workstations and laptops, and email filtering protection is also in place. We also subscribe to a Managed Threat Response service that proactively monitors all systems. System event logs are produced and reviewed, and all exceptions and anomalies of actions affecting or relevant to information security are identified and investigated. The Security Operations Center from Sophos manages this service, which reviews, identifies, and investigates threats in coordination with our internal teams.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] In today’s interconnected business environment, reliance on third-party service providers is inevitable. However, this reliance introduces additional cybersecurity risks that must be effectively managed. Our approach to identifying and mitigating these risks involves several key steps:
Risk Assessment and Due Diligence: Prior to engaging with any third-party service provider, we conduct a comprehensive risk assessment. This assessment evaluates the provider's cybersecurity policies, data management practices, and compliance with industry standards. We also assess their history of cybersecurity incidents and responses to understand their resilience and reliability.
Contractual Safeguards and Compliance Requirements: To ensure robust cybersecurity, our contracts with third-party providers include specific clauses that mandate adherence to our security policies and standards. These contractual obligations cover data protection, incident reporting, and compliance with relevant laws and regulations. Regular compliance audits are conducted to ensure these standards are continuously met.
Incident Response and Communication: In the event of a cybersecurity incident involving a third-party provider, we have a well-defined incident response plan. This plan outlines the steps for quick and effective action, including communication strategies to manage the impact on stakeholders. We require our third-party providers to promptly notify us of any breaches or potential security threats.
Review and Continuous Improvement: Our processes for managing third-party cybersecurity risks are regularly reviewed and updated. This ensures that we adapt to new threats and integrate best practices into our risk management framework.
Through these measures, we strive to mitigate the cybersecurity risks associated with third-party service providers, ensuring the resilience and security of our operations and data.
Cybersecurity Risk Board of Directors Oversight [Text Block]

We recognize that our business information is a critical asset and as such our ability to manage, control, and protect this asset will have a direct and significant impact on our future success. Our Board of Directors (the “Board”) recognizes the critical importance of maintaining the trust and confidence of our customers, clients, business partners and employees. The Audit Committee of the Board is actively involved in oversight of our risk management program, and cybersecurity represents an important component of our overall approach to enterprise risk management (“ERM”). Our cybersecurity policies, standards, processes, and practices are fully integrated into our ERM program and are based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

Governance

We have an Information Security Committee, which is comprised of our Vice President of Information Technology (“VPIT”) and our network administrators. The Information Security Committee works collaboratively across the Company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery policies. To facilitate the success of our cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the Information Security Committee monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and reports such threats and incidents to the Risk Management Committee when appropriate.

The Information Security Committee is assisted by a Virtual Chief Information Security Officer (the “vCISO”), which is a contracted third-party security firm whose responsibilities include the formulation, review and recommendation of information security policies, ensuring compliance with applicable information security requirements, assessing the adequacy and effectiveness of the information security policies and coordinating the implementation of information security controls, identifying and recommending how to handle an instance of non-compliance, providing clear direction and visible management support for information security initiatives, promoting information security education, training, and awareness throughout the Company, initiating plans and programs to maintain information security awareness, educating the team and staff on ongoing legal, regulatory and compliance changes as well as industry news and trends, and reporting annually, in coordination with the vCISO, to Executive Management on the effectiveness of our information security program, including progress of remedial actions.

Our VPIT and vCISO provide frequent reporting and updates to our executive management and provide a full report to the Audit Committee of the Board on the cybersecurity audit and the cybersecurity roadmap for improvements and new infrastructure implementations annually, or more frequently if the need arises.

Our vCISO has employees and consultants that have served in various roles in information technology and information security for over 25 years, including serving as the Chief Information Security Officer of two large public companies. Our VPIT holds several information technology licenses and certificates and has served in various roles in information technology for over 25 years, including experience managing risks arising from cybersecurity threats.

The Information Security Committee oversees our ERM process, including the management of risks arising from cybersecurity threats. The Audit Committee of the Board receives regular presentations and reports on cybersecurity risks from the Information Security Committee, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties. The Audit Committee of the Board and the Risk Management Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. 

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] We have an Information Security Committee, which is comprised of our Vice President of Information Technology (“VPIT”) and our network administrators. The Information Security Committee works collaboratively across the Company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery policies. To facilitate the success of our cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the Information Security Committee monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and reports such threats and incidents to the Risk Management Committee when appropriate.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Information Security Committee is assisted by a Virtual Chief Information Security Officer (the “vCISO”), which is a contracted third-party security firm whose responsibilities include the formulation, review and recommendation of information security policies, ensuring compliance with applicable information security requirements, assessing the adequacy and effectiveness of the information security policies and coordinating the implementation of information security controls, identifying and recommending how to handle an instance of non-compliance, providing clear direction and visible management support for information security initiatives, promoting information security education, training, and awareness throughout the Company, initiating plans and programs to maintain information security awareness, educating the team and staff on ongoing legal, regulatory and compliance changes as well as industry news and trends, and reporting annually, in coordination with the vCISO, to Executive Management on the effectiveness of our information security program, including progress of remedial actions.
Cybersecurity Risk Role of Management [Text Block] Our VPIT and vCISO provide frequent reporting and updates to our executive management and provide a full report to the Audit Committee of the Board on the cybersecurity audit and the cybersecurity roadmap for improvements and new infrastructure implementations annually, or more frequently if the need arises.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our vCISO has employees and consultants that have served in various roles in information technology and information security for over 25 years, including serving as the Chief Information Security Officer of two large public companies. Our VPIT holds several information technology licenses and certificates and has served in various roles in information technology for over 25 years, including experience managing risks arising from cybersecurity threats.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Information Security Committee oversees our ERM process, including the management of risks arising from cybersecurity threats. The Audit Committee of the Board receives regular presentations and reports on cybersecurity risks from the Information Security Committee, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties. The Audit Committee of the Board and the Risk Management Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true