|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
Our engineering security team, led by our Chief Information Security Officer, or CISO, uses a multi-pronged approach to assessing, identifying, and managing material risks from cybersecurity threats. This approach includes identifying and assessing risks through: (1) an enterprise risk management program, which is periodically refreshed and includes an identification of our top risks, including cybersecurity risks; (2) formalized security and privacy reviews designed to identify risks from many new features, software, and vendors; (3) a vulnerability management program designed to identify hardware and software vulnerabilities; (4) an internal “red team” program, which simulates cyber threats, intended to allow us to fix vulnerabilities before threat actors identify them; (5) a threat intelligence program designed to model and research our adversaries; and (6) a privacy and security incident response program designed to investigate, respond to, and remediate known incidents. These processes vary in scope and maturity across the business and are processes we work to improve.
Our risk management approach is supplemented by external and internal enterprise risk management audits, which are designed to test the effectiveness of our controls. We conduct penetration testing or other application security testing on a periodic basis, and have established an external bug bounty program to allow security researchers to help identify vulnerabilities and weaknesses in our controls and configurations in our systems. We also maintain a vendor risk management program designed to identify and mitigate potential risks associated with third-party suppliers and business partners. This program includes pre-engagement diligence, use of contractual cybersecurity and incident notification provisions, and ongoing monitoring of vendors, as appropriate. We also conduct employee training on data protection, including cybersecurity, among other topics.
We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example professional service firms (including legal counsel), threat intelligence services, and cybersecurity consultants. The material cybersecurity threats identified through these processes are managed by our CISO and are escalated to senior management and our risk and compliance committee, in each case where appropriate. Together, they identify responsive actions for inclusion in our annual strategic planning, or earlier resolution depending on the nature of the risk.
For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see “Risk Factors” in Part I, Item 1A in this Annual Report on Form 10-K.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our engineering security team, led by our Chief Information Security Officer, or CISO, uses a multi-pronged approach to assessing, identifying, and managing material risks from cybersecurity threats. This approach includes identifying and assessing risks through: (1) an enterprise risk management program, which is periodically refreshed and includes an identification of our top risks, including cybersecurity risks; (2) formalized security and privacy reviews designed to identify risks from many new features, software, and vendors; (3) a vulnerability management program designed to identify hardware and software vulnerabilities; (4) an internal “red team” program, which simulates cyber threats, intended to allow us to fix vulnerabilities before threat actors identify them; (5) a threat intelligence program designed to model and research our adversaries; and (6) a privacy and security incident response program designed to investigate, respond to, and remediate known incidents. These processes vary in scope and maturity across the business and are processes we work to improve.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
Our board of directors maintains oversight of risks from cybersecurity threats by meeting with and receiving periodic updates from our CISO, via our audit committee, which is assigned oversight of cybersecurity risks. In addition, the chair of our audit committee meets with our CISO periodically to discuss cybersecurity threats and incidents, as well as the business’s approach to responding to them. Our incident response plans also provide that our board of directors and audit committee will be notified in the event of certain cybersecurity incidents.
Our CISO, Jim Higgins, has over 30 years of experience in the technology sector, including senior leadership roles in product security, information security engineering, and cloud enterprise. Mr. Higgins assisted the Linux Foundation in starting the Open Source Security Foundation to help increase awareness and promote technical solutions to address validation of Open Source software. Mr. Higgins has worked in information security at Chevron, Eastman Kodak, and Google, and, most recently, spent two years as the CISO of Block, Inc. (formerly Square).
Our CISO also regularly meets with our CEO and other senior management, including as part of the cybersecurity incident response process.
Our CISO, and where appropriate our management team and risk and compliance committee, are informed about and monitor the prevention, detection, mitigation, and remediation of identified cybersecurity incidents, through our security incident response process. We maintain internal and external channels and signals to receive reports of cybersecurity or privacy threats or incidents. A reported incident triggers our Security Incident Response Policy or associated plans, which has defined roles for our cross-functional incident response team to investigate, contain, eradicate, and remediate the incident. The incident response team assesses the severity and priority of reported incidents on a rolling basis, with escalations of cybersecurity incidents provided to our management team by our CISO and General Counsel (or their designees) and escalations of certain cybersecurity incidents as appropriate to our board of directors. If a cybersecurity incident is determined to be a material cybersecurity incident, our Security Incident Response Policy and associated plans define the process to file a report regarding the incident with the SEC.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our board of directors maintains oversight of risks from cybersecurity threats by meeting with and receiving periodic updates from our CISO, via our audit committee, which is assigned oversight of cybersecurity risks.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|In addition, the chair of our audit committee meets with our CISO periodically to discuss cybersecurity threats and incidents, as well as the business’s approach to responding to them. Our incident response plans also provide that our board of directors and audit committee will be notified in the event of certain cybersecurity incidents.
|Cybersecurity Risk Role of Management [Text Block]
|
Our board of directors maintains oversight of risks from cybersecurity threats by meeting with and receiving periodic updates from our CISO, via our audit committee, which is assigned oversight of cybersecurity risks. In addition, the chair of our audit committee meets with our CISO periodically to discuss cybersecurity threats and incidents, as well as the business’s approach to responding to them. Our incident response plans also provide that our board of directors and audit committee will be notified in the event of certain cybersecurity incidents.
Our CISO, Jim Higgins, has over 30 years of experience in the technology sector, including senior leadership roles in product security, information security engineering, and cloud enterprise. Mr. Higgins assisted the Linux Foundation in starting the Open Source Security Foundation to help increase awareness and promote technical solutions to address validation of Open Source software. Mr. Higgins has worked in information security at Chevron, Eastman Kodak, and Google, and, most recently, spent two years as the CISO of Block, Inc. (formerly Square).
Our CISO also regularly meets with our CEO and other senior management, including as part of the cybersecurity incident response process.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Our board of directors maintains oversight of risks from cybersecurity threats by meeting with and receiving periodic updates from our CISO, via our audit committee, which is assigned oversight of cybersecurity risks. In addition, the chair of our audit committee meets with our CISO periodically to discuss cybersecurity threats and incidents, as well as the business’s approach to responding to them. Our incident response plans also provide that our board of directors and audit committee will be notified in the event of certain cybersecurity incidents.
Our CISO, Jim Higgins, has over 30 years of experience in the technology sector, including senior leadership roles in product security, information security engineering, and cloud enterprise. Mr. Higgins assisted the Linux Foundation in starting the Open Source Security Foundation to help increase awareness and promote technical solutions to address validation of Open Source software. Mr. Higgins has worked in information security at Chevron, Eastman Kodak, and Google, and, most recently, spent two years as the CISO of Block, Inc. (formerly Square).
Our CISO also regularly meets with our CEO and other senior management, including as part of the cybersecurity incident response process.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO, Jim Higgins, has over 30 years of experience in the technology sector, including senior leadership roles in product security, information security engineering, and cloud enterprise. Mr. Higgins assisted the Linux Foundation in starting the Open Source Security Foundation to help increase awareness and promote technical solutions to address validation of Open Source software. Mr. Higgins has worked in information security at Chevron, Eastman Kodak, and Google, and, most recently, spent two years as the CISO of Block, Inc. (formerly Square).
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our CISO also regularly meets with our CEO and other senior management, including as part of the cybersecurity incident response process. Our CISO, and where appropriate our management team and risk and compliance committee, are informed about and monitor the prevention, detection, mitigation, and remediation of identified cybersecurity incidents, through our security incident response process.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true