|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Abstract]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|Cybersecurity
Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include internal and external threats, data loss, phishing attacks, distributed denial of service attacks, third party risks, unpatched systems, weak authentications and zero-day vulnerabilities.
Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through a multi-faceted approach including third party assessments, internal IT Audit, IT security, governance, risk and compliance reviews. To defend, detect and respond to cybersecurity incidents, the Company conducts proactive cybersecurity reviews of systems and applications, audits applicable data policies, performs penetration testing using external third-party tools and techniques to test security controls, conducts employee training, monitors emerging laws and regulations related to data protection and information security and implements appropriate changes.
We have implemented incident response and breach management processes which have four overarching and interconnected stages: 1) preparation for a cybersecurity incident, 2) detection and analysis of a security incident, 3) containment, eradication and recovery, and 4) post-incident analysis. Such incident responses are overseen by leaders from our Information Security, Compliance and Legal teams regarding matters of cybersecurity.
Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact, and reviewed for privacy impact. As of the date of this Form 10-K, we have not experienced a cybersecurity threat or incident that resulted in a material adverse impact to our business or operations.
We also conduct exercises to simulate responses to cybersecurity incidents. Our team of cybersecurity professionals then collaborate with technical and business stakeholders across our business units to further analyze the risk to the Company, and form detection, mitigation and remediation strategies.
As part of the above processes, we regularly engage consultants to assess our internal cybersecurity programs and compliance with applicable practices and standards. For 2024 and 2023, our Information Security Management System is compliant with ISO 27001. We also had SOC 2, Type 2 reviews performed for the years 2024 and 2023.
Our risk management program also assesses third party risks, and we perform third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Disruptions in internet or telecommunication service or damage to our data centers could adversely affect our business by reducing our customers’ confidence in the reliability of our services and products” included as part of our risk factor disclosures in Item 1A of this Annual Report on Form 10-K.
Our Vice President of IT Infrastructure is responsible for overseeing the Company’s cybersecurity. He has a Bachelor’s degree in computer science and has 16 years of extensive experience spanning diverse IT domains, with a specialized emphasis on Information Security across endpoints, servers, data centers, cloud infrastructure, and enterprise applications. He has been actively overseeing the strategic implementation of cybersecurity in accordance with information security management standards, HIPAA, and SOC 2 policies and procedures throughout the entire organization. This multifaceted responsibility involves managing and ensuring compliance with internationally recognized standards such as the ISO 27001 framework, healthcare regulatory guidelines under HIPAA and other recognized standards.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through a multi-faceted approach including third party assessments, internal IT Audit, IT security, governance, risk and compliance reviews. To defend, detect and respond to cybersecurity incidents, the Company conducts proactive cybersecurity reviews of systems and applications, audits applicable data policies, performs penetration testing using external third-party tools and techniques to test security controls, conducts employee training, monitors emerging laws and regulations related to data protection and information security and implements appropriate changes. We have implemented incident response and breach management processes which have four overarching and interconnected stages: 1) preparation for a cybersecurity incident, 2) detection and analysis of a security incident, 3) containment, eradication and recovery, and 4) post-incident analysis. Such incident responses are overseen by leaders from our Information Security, Compliance and Legal teams regarding matters of cybersecurity.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|Incidents are evaluated to determine materiality as well as operational and business impact, and reviewed for privacy impact. As of the date of this Form 10-K, we have not experienced a cybersecurity threat or incident that resulted in a material adverse impact to our business or operations.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Cybersecurity Governance
Cybersecurity is an important part of our risk management processes and an area of focus for our Board of Directors and management. Our Cybersecurity subcommittee of the Board of Directors is responsible for the oversight of risks from cybersecurity threats. Members of the Cybersecurity subcommittee receive updates on a quarterly basis from senior management, including leaders from our Information Security, Finance, Internal Audit, Compliance and Legal teams regarding cybersecurity matters. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents, (if any), and the status on key information security initiatives.
Our cybersecurity risk management and strategy processes are overseen by our Vice President of IT Infrastructure and leaders from our Information Technology department. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to the Cybersecurity subcommittee on any appropriate items.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Cybersecurity subcommittee of the Board of Directors is responsible for the oversight of risks from cybersecurity threats.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Members of the Cybersecurity subcommittee receive updates on a quarterly basis from senior management, including leaders from our Information Security, Finance, Internal Audit, Compliance and Legal teams regarding cybersecurity matters. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents, (if any), and the status on key information security initiatives.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|cybersecurity risk management and strategy processes are overseen by our Vice President of IT Infrastructure and leaders from our Information Technology department.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to the Cybersecurity subcommittee on any appropriate items.
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef