|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
CPKC’s cybersecurity risk management program is an integrated and essential component of the Company’s overall risk management strategy. Through its Security Management Plan, CPKC maintains a comprehensive, risk-based plan that is modelled on and was developed in conjunction with the security plan prepared by the Association of American Railroads post-September 11, 2001. This plan also covers regulatory requirements such as TSA Cyber Security Directives and auditing requirements. Under this plan, the Company routinely examines and prioritizes cyber vulnerabilities and threats while also testing and revising protective measures for its assets and operations, both physical or cyber. Likewise, the Company’s cybersecurity risk management program entails real-time review and monitoring of CPKC’s cyber-risk exposures and implements strategic processes to manage those risks.
The Company's cybersecurity program utilizes the National Institute of Standards and Technology Cybersecurity Framework as its foundation. Accordingly, CPKC’s program includes periodic risk assessments, penetration testing by a third-party, audit participation, employee and contractor training, and the implementation of technologies to assist in mitigating cybersecurity risks and harms. Incident response procedures, including escalation procedures, are designed, implemented, and periodically tested to assist the Company in detecting, responding to, and recovering from a potential cybersecurity incident, and making any timely notification or disclosure that may be required under the circumstances. The Company scopes the third-party penetration tests as real-world attacks against perimeter defenses and internal processes such as social engineering and phishing.
The Company's cybersecurity risk management program also includes ongoing threat research and analysis conducted with the assistance of third parties, including on emerging threat attack vectors, tactics, actors and motivations. The Company also engages in ongoing network monitoring and has implemented a vulnerability management and patching program. Further, CPKC employs structured vetting and ongoing risk management processes to identify and mitigate cyber risks associated with the use of third-party service providers, including specifically in the area of technology.To date, risks arising from cybersecurity threats have not materially affected the Company, its results of its operations, or its financial condition. However, the Company also recognizes the reality of the ever-evolving cyber risk landscape faced by industries and businesses across the world. Depending on their source and nature, cyber incidents could in the future materially affect CPKC and its operations, and financial condition.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
CPKC’s cybersecurity risk management program is an integrated and essential component of the Company’s overall risk management strategy. Through its Security Management Plan, CPKC maintains a comprehensive, risk-based plan that is modelled on and was developed in conjunction with the security plan prepared by the Association of American Railroads post-September 11, 2001. This plan also covers regulatory requirements such as TSA Cyber Security Directives and auditing requirements. Under this plan, the Company routinely examines and prioritizes cyber vulnerabilities and threats while also testing and revising protective measures for its assets and operations, both physical or cyber. Likewise, the Company’s cybersecurity risk management program entails real-time review and monitoring of CPKC’s cyber-risk exposures and implements strategic processes to manage those risks.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The Board of Directors oversees the work of all its committees, including the Audit and Finance Committee.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit and Finance Committee is responsible for, among other things, overseeing the Company’s financial disclosures and its internal and external audit functions, maintaining the integrity of financial reporting and internal controls, and providing stewardship and guidance to management in its approach to the assessment and mitigation of cybersecurity risks.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Chief Information Officer ("CIO") provides annual and periodic updates to the Audit and Finance Committee and the Board of Directors on cybersecurity risks and the Company’s strategy for mitigating such risks. Additionally, the Chief Information Security Officer ("CISO") briefs the Audit and Finance Committee periodically. The Audit and Finance Committee also receives updates on information systems and cybersecurity audit and advisory engagements from the Chief Internal Auditor.
|Cybersecurity Risk Role of Management [Text Block]
|Additionally, the Chief Information Security Officer ("CISO") briefs the Audit and Finance Committee periodically. The Audit and Finance Committee also receives updates on information systems and cybersecurity audit and advisory engagements from the Chief Internal Auditor.
The CISO reports directly to the CIO and is responsible for:
•Overseeing and implementing CPKC's cybersecurity strategy;
•Aligning cybersecurity objectives with the overall business objectives;
•Ensuring compliance with regulatory directives related to cybersecurity;
•Promoting a cybersecurity culture through comprehensive awareness and training programs; and
•Managing and coordinating incident response activities.
The Company's cybersecurity risk management program is supervised by the Managing Director of Enterprise Security who reports directly to the CISO. The CIO and CISO regularly update senior leadership and the executive committee on cybersecurity risks.The CISO, CIO, and certain members of their management team who are involved in implementing the Company's cybersecurity program possess expertise in cybersecurity risk management. Our CISO and CIO each have many years of experience in designing and implementing cybersecurity frameworks and working to mitigate cyber threats. Among other qualifications, certain members of the CISO's and CIO's management team also have certifications as a CISSP (Certified Information Systems Security Professional) and CISM (Certified Information Security Manager).
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
The CISO reports directly to the CIO and is responsible for:
•Overseeing and implementing CPKC's cybersecurity strategy;
•Aligning cybersecurity objectives with the overall business objectives;
•Ensuring compliance with regulatory directives related to cybersecurity;
•Promoting a cybersecurity culture through comprehensive awareness and training programs; and
•Managing and coordinating incident response activities.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO and CIO each have many years of experience in designing and implementing cybersecurity frameworks and working to mitigate cyber threats. Among other qualifications, certain members of the CISO's and CIO's management team also have certifications as a CISSP (Certified Information Systems Security Professional) and CISM (Certified Information Security Manager).
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Chief Information Officer ("CIO") provides annual and periodic updates to the Audit and Finance Committee and the Board of Directors on cybersecurity risks and the Company’s strategy for mitigating such risks. Additionally, the Chief Information Security Officer ("CISO") briefs the Audit and Finance Committee periodically. The Audit and Finance Committee also receives updates on information systems and cybersecurity audit and advisory engagements from the Chief Internal Auditor.
The CISO reports directly to the CIO and is responsible for:
•Overseeing and implementing CPKC's cybersecurity strategy;
•Aligning cybersecurity objectives with the overall business objectives;
•Ensuring compliance with regulatory directives related to cybersecurity;
•Promoting a cybersecurity culture through comprehensive awareness and training programs; and
•Managing and coordinating incident response activities.
The Company's cybersecurity risk management program is supervised by the Managing Director of Enterprise Security who reports directly to the CISO. The CIO and CISO regularly update senior leadership and the executive committee on cybersecurity risks.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef