|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks.
Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader overall risk assessment process, covering all company risks. As part of this process, appropriate disclosure personnel collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations.
We also have a cybersecurity specific risk assessment process, which helps identify our cybersecurity threat risks. As part of this process, and our processes to provide for the availability of critical data and systems, maintain regulatory compliance, identify and manage our risks from cybersecurity threats, and to protect against, detect, and respond to cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, we undertake the below listed activities, among others:
•periodic comparison of our processes to standards set by the National Institute of Standards and Technology;
•closely monitor emerging data protection laws and implement changes to our processes designed to comply;
•undertake an annual review of our consumer-facing policies and statements related to cybersecurity;
•conduct regular phishing email simulations for all employees and all contractors with access to corporate email systems to enhance awareness and responsiveness to such possible threats;
•conduct annual cybersecurity training for all employees and contractors, along with targeted training on a quarterly basis for specific subsets of employees identified through our phishing simulations;
•through policy, practice and contract (as applicable) require employees, as well as third-parties who provide services on our behalf, to treat customer information and data with care;
•conduct regular network and endpoint monitoring and vulnerability assessments to improve our information systems, as such term is defined in Item 106(a) of Regulation S-K;
•carry information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident;
•conduct vulnerability scans and leverage the scan results to continuously patch and manage our network as new threats emerge; and
•constant active monitoring by our contracted Security Operations Center.
Our incident response plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. The incident response team assesses the severity and priority of incidents on a rolling basis, with escalations of higher severity cybersecurity incidents provided to our management team. If a cybersecurity incident is determined to be a material cybersecurity incident, our incident response processes define the steps to disclose such a material cybersecurity incident.
As part of the above processes, we regularly engage with assessors, consultants, auditors, and other third parties, including by regularly conducting technical and data reviews with our cybersecurity partners to help identify areas for continued focus, improvement and/or compliance.
Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our broader overall risk assessment process, as well as our cybersecurity-specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Item 1.A – Risk Factors – Technology and Cybersecurity Risks,” which disclosure is incorporated by reference herein.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks.
Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader overall risk assessment process, covering all company risks. As part of this process, appropriate disclosure personnel collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|true
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our audit committee is responsible for the oversight of risks from cybersecurity threats. At least quarterly, the audit committee receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management.
Our audit committee is responsible for the oversight of risks from cybersecurity threats. At least quarterly, the audit committee receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, the audit committee generally receives materials indicating current and emerging material cybersecurity threat risks, and describing the company’s ability to mitigate those risks, and discusses such matters with our Chief Information Officer. Members of the audit committee regularly engage in conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks are also considered during separate Board meeting discussions of important matters like risk management, operational budgeting, business continuity planning, mergers and acquisitions, brand management, and other relevant matters.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Information Officer (“CIO”). The CIO has been responsible for cybersecurity for over ten years across multiple organizations, leading enterprise security programs, business continuity planning, cybersecurity response planning, and the implementation of the National Institute of Standards and Technology (NIST) cybersecurity framework. In the CIO's most recent role, the CIO established and led a dedicated Cybersecurity Department, developing comprehensive security strategies, implementing cutting-edge cybersecurity tools, and designing response plans to support the entire company. At our Company, the CIO continues to drive proactive risk management, regulatory compliance, and a culture of cybersecurity awareness.
The firm’s senior executive team, inclusive of the CEO, CFO, COOs, CAO and CLO, are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
As discussed above, these members of management report to the audit committee about cybersecurity threat risks, among other cybersecurity related matters.
|Cybersecurity Risk Role of Management [Text Block]
|
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Information Officer (“CIO”). The CIO has been responsible for cybersecurity for over ten years across multiple organizations, leading enterprise security programs, business continuity planning, cybersecurity response planning, and the implementation of the National Institute of Standards and Technology (NIST) cybersecurity framework. In the CIO's most recent role, the CIO established and led a dedicated Cybersecurity Department, developing comprehensive security strategies, implementing cutting-edge cybersecurity tools, and designing response plans to support the entire company. At our Company, the CIO continues to drive proactive risk management, regulatory compliance, and a culture of cybersecurity awareness.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management.
Our audit committee is responsible for the oversight of risks from cybersecurity threats. At least quarterly, the audit committee receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, the audit committee generally receives materials indicating current and emerging material cybersecurity threat risks, and describing the company’s ability to mitigate those risks, and discusses such matters with our Chief Information Officer. Members of the audit committee regularly engage in conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks are also considered during separate Board meeting discussions of important matters like risk management, operational budgeting, business continuity planning, mergers and acquisitions, brand management, and other relevant matters.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Information Officer (“CIO”). The CIO has been responsible for cybersecurity for over ten years across multiple organizations, leading enterprise security programs, business continuity planning, cybersecurity response planning, and the implementation of the National Institute of Standards and Technology (NIST) cybersecurity framework. In the CIO's most recent role, the CIO established and led a dedicated Cybersecurity Department, developing comprehensive security strategies, implementing cutting-edge cybersecurity tools, and designing response plans to support the entire company. At our Company, the CIO continues to drive proactive risk management, regulatory compliance, and a culture of cybersecurity awareness.
The firm’s senior executive team, inclusive of the CEO, CFO, COOs, CAO and CLO, are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
As discussed above, these members of management report to the audit committee about cybersecurity threat risks, among other cybersecurity related matters.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Information Officer (“CIO”)
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our audit committee is responsible for the oversight of risks from cybersecurity threats. At least quarterly, the audit committee receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, the audit committee generally receives materials indicating current and emerging material cybersecurity threat risks, and describing the company’s ability to mitigate those risks, and discusses such matters with our Chief Information Officer. Members of the audit committee regularly engage in conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks are also considered during separate Board meeting discussions of important matters like risk management, operational budgeting, business continuity planning, mergers and acquisitions, brand management, and other relevant matters.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef