|
Cybersecurity Risk Management and Strategy
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 16K. CYBERSECURITY
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks. Our cybersecurity policies, standards, processes, and practices are based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards. However, this does not mean that our policies, standards, processes, or practices meet any particular technical standards, specifications, or requirements, but only that we use these frameworks as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
Our cybersecurity policies, standards, and practices are integrated into our overall risk management system and processes as part of our IT security policy and IT security incident response plan.
Cybersecurity Risk Management and Strategy
Our cybersecurity risk management strategy focuses on several areas:
• Identification and Reporting: We have implemented a cross-functional approach to assessing, identifying and managing cybersecurity threats and incidents. Our program includes controls and procedures that are designed to identify, classify and escalate certain cybersecurity incidents to enable management to provide visibility and direction as to the public disclosure and reporting of material incidents in a timely manner.
• Technical Safeguards: We have implemented technical safeguards that are designed to protect our information system from cybersecurity threats, including a firewall, intrusion prevention and detection systems, anti-malware functionality, and access controls, which are evaluated and improved through vulnerability and cybersecurity threat intelligence analysis, as well as third-party audits and certifications.
• Incident Response and Recovery Planning: We have established and maintain comprehensive incident response, business continuity, and disaster recovery plans designed to address our response to a cybersecurity incident. We conduct regular tabletop exercises to test these plans and familiarize personnel with their roles in a response scenario.
• Third-Party Risk Management: We maintain a risk-based approach to identifying and overseeing material risks from cybersecurity threats presented by our use of third parties, including vendors, service providers, and other external users of our systems, including any outside auditors and consultants who advise on our cybersecurity systems, as well as the systems of third parties that could adversely impact our business in the event of a material cybersecurity incident affecting those third-party systems.
• Education and Awareness: We provide regular, mandatory training for our employees regarding cybersecurity threats as a means to equip our employees with tools to make employees aware of and to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes, and practices.
We conduct periodic assessments and testing of our policies, standards, processes, and practices in a manner intended to address cybersecurity threats and events. The results of such assessments, audits, and reviews are evaluated by management and reported to our audit and finance committee and our board of directors, and we adjust our cybersecurity policies, standards, processes, and practices as necessary based on information provided by these assessments, audits, and reviews. Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition. See “Risk Factors—Risks Related to Operational Compliance and Risk Management—Our internal computer systems, or those of our third-party contractors or consultants, may fail or suffer security breaches, which could result in a material disruption of our product development programs or loss of personal data.”
Governance
Cybersecurity is an important part of our risk management processes and an area of increasing focus for our board of directors and management. Our audit and finance committee is responsible for the oversight of risks from cybersecurity threats. At least annually, the audit and finance committee receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. Members of the audit and finance committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by a team of senior level management, including our Chief Executive Officer, Chief Financial Officer, General Counsel, and Chief Information Officer. These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, these members of management report to the audit and finance committee about material risks from cybersecurity threats, among other cybersecurity related matters.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Our cybersecurity policies, standards, and practices are integrated into our overall risk management system and processes as part of our IT security policy and IT security incident response plan.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Cybersecurity is an important part of our risk management processes and an area of increasing focus for our board of directors and management. Our audit and finance committee is responsible for the oversight of risks from cybersecurity threats. At least annually, the audit and finance committee receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. Members of the audit and finance committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by a team of senior level management, including our Chief Executive Officer, Chief Financial Officer, General Counsel, and Chief Information Officer. These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, these members of management report to the audit and finance committee about material risks from cybersecurity threats, among other cybersecurity related matters.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|We conduct periodic assessments and testing of our policies, standards, processes, and practices in a manner intended to address cybersecurity threats and events.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The results of such assessments, audits, and reviews are evaluated by management and reported to our audit and finance committee and our board of directors, and we adjust our cybersecurity policies, standards, processes, and practices as necessary based on information provided by these assessments, audits, and reviews.
|Cybersecurity Risk Role of Management [Text Block]
|
Our cybersecurity risk management strategy focuses on several areas:
• Identification and Reporting: We have implemented a cross-functional approach to assessing, identifying and managing cybersecurity threats and incidents. Our program includes controls and procedures that are designed to identify, classify and escalate certain cybersecurity incidents to enable management to provide visibility and direction as to the public disclosure and reporting of material incidents in a timely manner.
• Technical Safeguards: We have implemented technical safeguards that are designed to protect our information system from cybersecurity threats, including a firewall, intrusion prevention and detection systems, anti-malware functionality, and access controls, which are evaluated and improved through vulnerability and cybersecurity threat intelligence analysis, as well as third-party audits and certifications.
• Incident Response and Recovery Planning: We have established and maintain comprehensive incident response, business continuity, and disaster recovery plans designed to address our response to a cybersecurity incident. We conduct regular tabletop exercises to test these plans and familiarize personnel with their roles in a response scenario.
• Third-Party Risk Management: We maintain a risk-based approach to identifying and overseeing material risks from cybersecurity threats presented by our use of third parties, including vendors, service providers, and other external users of our systems, including any outside auditors and consultants who advise on our cybersecurity systems, as well as the systems of third parties that could adversely impact our business in the event of a material cybersecurity incident affecting those third-party systems.
• Education and Awareness: We provide regular, mandatory training for our employees regarding cybersecurity threats as a means to equip our employees with tools to make employees aware of and to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes, and practices.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
• Identification and Reporting: We have implemented a cross-functional approach to assessing, identifying and managing cybersecurity threats and incidents. Our program includes controls and procedures that are designed to identify, classify and escalate certain cybersecurity incidents to enable management to provide visibility and direction as to the public disclosure and reporting of material incidents in a timely manner.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Members of the audit and finance committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by a team of senior level management, including our Chief Executive Officer, Chief Financial Officer, General Counsel, and Chief Information Officer. These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, these members of management report to the audit and finance committee about material risks from cybersecurity threats, among other cybersecurity related matters.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true