|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
We have adopted a comprehensive risk management system to manage various risks that we face, including financial risks, operational risks, compliance risks, public opinion risks, risks associated with stability of information technology systems, cybersecurity risks and supplier management risks. Cybersecurity risk management is a core component of our overall risk management framework. We have established an array of risk management procedures to identify, assess and manage such risks, including risk identification, risk assessment, risk control and risk monitoring. We have also implemented procedural design, an evaluation mechanism, and a risk grading and liability assessment mechanism to enhance our risk management. Set forth below are measures that we undertake to manage cybersecurity risks.
Cybersecurity Governance Group
We have formed a Cybersecurity Governance Group, which is led by our management and comprised of personnel from our legal department, internal audit, information technology department and various business departments, to carry out cybersecurity risk management. The cybersecurity department is a professional technical team dedicated to managing cybersecurity risks. The cybersecurity department is comprised of experts in devising cybersecurity strategies, conducting security audits of operating source code, tracking and analyzing risks, and solving technology-related troubles.
Internal Policies
Preventive Policies
We have adopted the following internal policies and procedures to prevent cybersecurity incidents:
Remediation Policies
We have also adopted the following internal policies and procedures to remediate cybersecurity incidents:
Technical Measures
We have implemented various technical measures, such as real-time monitoring of traffic logs, host-based vulnerability scanning, transmission encryption and authentication, firewalls and intrusion prevention systems, in order to timely identify and address cybersecurity threats and protect the security and integrity of our information technology systems and data stored in our systems.
Engagement of Third-Party Service Providers
We have engaged independent auditors to conduct independent audits and assessments on our compliance with the internal control requirements under the Sarbanes-Oxley Act of 2002, and IT general controls, or ITGC, is an important part of it. ITGC audits cover cybersecurity, including information technology governance, information security (network and data security), access controls, system change management and operation maintenance management.
In addition, to comply with the requirements under the Cybersecurity Law and Data Security Law of the PRC and enhance the security of our information technology systems, we have engaged third-party agencies to perform classifications, filings, assessments and rectifications for hierarchical cybersecurity protection on a periodic basis.
We have adopted third-party security assessment procedures and data outflow control procedures to manage risks from cybersecurity threats associated with our use of any third-party service provider. We perform security assessments on third parties that provide information technology systems to us or have access to our data by assessing their basic data security capabilities, information security compliance and application security vulnerabilities. All data outbound transfers to third parties require internal approval, and upon approval, data shall be transmitted externally via email or other traceable means.
We enter into a Data Security Confidentiality Agreement with third-party suppliers before engaging them to stipulate the cybersecurity responsibilities of such third parties and remediation measures to be taken in the event of cybersecurity incidents. When data are transmitted through API interfaces, we monitor the sensitivity and volume of data involved in API calls and the authority of interfaces through API interface monitoring applications.
Risks from Cybersecurity Threats
As we generate and process a large amount of data through our platform and rely on our information technology systems for our business operations, we face risks associated with cybersecurity threats. For more details, see “Item 4. Information on the Company—D. Risk Factors—Risks Related to Our Business and Industry—Any significant disruption in the Group’s information technology systems, including events beyond our control, could prevent the Group from offering its services and products, thereby reduce the attractiveness of the Group’s services and products and result in a loss of customers”; “—If the Group is unable to protect the confidential information it has access to in its day-to-day operation and adapt to the relevant regulatory framework as to protection of such information, the Group’s business and operations may be adversely affected”; and “—Privacy concerns relating to the Group’s products and services and the use of confidential information could damage our reputation, deter current and potential users and customers from using the Group’s products and services.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We have established an array of risk management procedures to identify, assess and manage such risks, including risk identification, risk assessment, risk control and risk monitoring. We have also implemented procedural design, an evaluation mechanism, and a risk grading and liability assessment mechanism to enhance our risk management. Set forth below are measures that we undertake to manage cybersecurity risks.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our board of directors is responsible for and engaged in the oversight of our continuous efforts in monitoring, assessing and managing the risks associated with cybersecurity threats or incidents. The board reviews reports from management on material cybersecurity risks and incidents and discusses remediation plans with the management.
In addition, our audit committee is responsible for risk assessment and risk management, including risks relating to cybersecurity threats or incidents. The responsibilities of our audit committee include discussing policies with respect to risk assessment and risk management periodically with the management, internal auditors, and independent auditors, and our plans or processes to monitor, control and minimize such risks and exposures.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our board of directors is responsible for and engaged in the oversight of our continuous efforts in monitoring, assessing and managing the risks associated with cybersecurity threats or incidents. In addition, our audit committee is responsible for risk assessment and risk management, including risks relating to cybersecurity threats or incidents.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The board reviews reports from management on material cybersecurity risks and incidents and discusses remediation plans with the management.
|Cybersecurity Risk Role of Management [Text Block]
|
Management
Our management is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents primarily through (i) Cybersecurity Governance Group, (ii) cybersecurity, legal and internal audit departments, and (iii) review and approval of cybersecurity-related policies and procedures.
Cybersecurity Governance Group
Our Cybersecurity Governance Group, led by our management, is in charge of cybersecurity risk management, including assessing and managing material risks from cybersecurity threats, as well as prevention (through implementation of policies and cybersecurity awareness training), detection, mitigation and remediation of cybersecurity incidents. The Cybersecurity Governance Group reports its cybersecurity work to the management through periodic meetings. The Cybersecurity Governance Group is co-led by our chief executive officer.
Mr. Xu has abundant experience in cybersecurity and data security. He was deeply involved in the establishment and management of information security framework at those companies. Mr. Xu is in charge of establishing our cybersecurity risk management framework, building up our cybersecurity governance and technical capabilities, covering network border security protection, data security and privacy compliance, and formulating cybersecurity policies and procedures that are tailored to the nature of our business, with a focus on prevention, risk control and continuous improvement.
Mr. Yang is experienced in legal affairs. Prior to joining our Company, Mr. Yang served as a director at Xiamen C&D Corporation, responsible for finance, tax and legal affairs. Mr. Yang currently leads our legal department and he is in charge of interpreting and reviewing cybersecurity-related laws, regulations and policies.
Mr. Jiang is experienced in internal audit. Prior to joining our Company, Mr. Jiang served as a manager of Risk Assurance department at PwC, responsible for information technology audit and internal control advisory. Mr. Jiang currently leads our internal audit department to perform internal audits on the implementation of cybersecurity-related policies and procedures.
Cybersecurity, Legal and Internal Audit Departments
Our cybersecurity, legal and internal audit departments also perform different functions with respect to cybersecurity management. The legal department is responsible for interpreting cybersecurity-related laws and regulations and reviewing cybersecurity-related internal policies. The internal audit department is responsible for internal audits on the implementation of cybersecurity-related policies and procedures. The internal audit department and the legal department jointly report to our Vice President of Finance. The cybersecurity department is responsible for formulating and implementing cybersecurity-related policies and procedures, and reports to senior director of information technology and leaders of the Cybersecurity Governance Group.
Policy Review and Approval
All cybersecurity-related internal policies shall be reviewed and approved by the management personnel in charge of the proposing department as well as the information technology department prior to adoption.
Based on information obtained through such channels, our management makes assessments of cybersecurity risks and incidents and reports the nature, origin and potential impact of cybersecurity risks and incidents to the board of directors based on an assessment of materiality so that the board can learn about material cybersecurity risks and incidents on a timely basis and make decisions accordingly.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Cybersecurity Governance Group
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Mr. Xu has abundant experience in cybersecurity and data security. He was deeply involved in the establishment and management of information security framework at those companies. Mr. Xu is in charge of establishing our cybersecurity risk management framework, building up our cybersecurity governance and technical capabilities, covering network border security protection, data security and privacy compliance, and formulating cybersecurity policies and procedures that are tailored to the nature of our business, with a focus on prevention, risk control and continuous improvement.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our management is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents primarily through (i) Cybersecurity Governance Group, (ii) cybersecurity, legal and internal audit departments, and (iii) review and approval of cybersecurity-related policies and procedures. The Cybersecurity Governance Group reports its cybersecurity work to the management through periodic meetings.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true