|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We identify, assess, and manage cybersecurity risk as part of our company-wide enterprise risk management program. Our Chief Information Security Officer (“CISO”), Tim Rains, has more than 30 years of experience as an IT professional, with over 20 of those years spent in cybersecurity roles. Mr. Rains has held senior cybersecurity advisor roles at both Amazon Web Services and Microsoft. Mr. Rains has experience across multiple cybersecurity disciplines including vulnerability management, incident response, crisis communications, threat intelligence, cybersecurity architecture and operations, governance, risk, and compliance. Mr. Rains is designated as a Certified Information Systems Security Professional and is responsible for developing and implementing plans and strategies to mitigate cybersecurity risks. Our CISO also leads our cybersecurity risk assessment, which includes security posture scoring, vulnerability assessments, process maturity, and tooling coverage. We log cybersecurity risks into our cybersecurity risk register and track such risks for treatment. Management then discusses these cybersecurity risks for resolution planning and escalation. We leverage recognized cybersecurity frameworks to drive strategic direction and maturity improvement and engage third-party security experts as needed for risk assessments, risk mitigation actions, vulnerability identification, and program enhancements, as appropriate.
As part of this process, we use the following tools and procedures:
•utilizing “SecurityScorecard” (a third-party information security company that rates cybersecurity postures of corporate entities for the purposes of third-party management and information technology risk management), which provides an independent external enterprise view of our security posture with a focus on public-facing systems;
•assessing, regularly developing, and executing on our preventative and detective controls, which we seek to align with current standards and best practices, including the incorporation of recommendations published by the National Institute of Standards and Technology in its cybersecurity framework, such as an annual audit of these internal controls;
•performing attack and breach simulations; and
•working with our cybersecurity vendors to adopt tooling and processes to provide high levels of protection.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We view cybersecurity as the prevention and timely detection and correction of any unauthorized occurrence or series of related unauthorized occurrences that are on or conducted through our information systems and that jeopardizes the confidentiality, integrity, or availability of our systems or any information residing therein. We believe that the safety, security, and privacy of our customers and employees are fundamental to the services we provide. Our cybersecurity policies guide us as we strive to continuously enhance methods, best practices, and technologies to better monitor and protect customer data and inform and enable customers to make choices about their data privacy. We carefully consider data privacy when developing our own products and when incorporating products provided by our business partners.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Our Board of Directors, through its Audit Committee, has primary responsibility for overseeing cybersecurity risk management and receives updates on the status of our cybersecurity program from our CISO. These updates are provided at least once per year, and often multiple times per year, in a special Audit Committee session and includes reports on our security posture and SecurityScorecard assessment (rating and benchmarking), incident response, and vulnerability management. The Audit Committee reviews and discusses with management our cybersecurity threats, vulnerabilities, defenses, and planned responses, including updates to our cybersecurity incident response plan (“IRP”), which has been approved by the Audit Committee. Additionally, the Audit Committee receives and discusses reports from management with the purpose of identifying threats and vulnerabilities, and it monitors the effectiveness and progress of the actions and initiatives undertaken to mitigate such threats.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board of Directors, through its Audit Committee, has primary responsibility for overseeing cybersecurity risk management and receives updates on the status of our cybersecurity program from our CISO.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board of Directors, through its Audit Committee, has primary responsibility for overseeing cybersecurity risk management and receives updates on the status of our cybersecurity program from our CISO. These updates are provided at least once per year, and often multiple times per year, in a special Audit Committee session and includes reports on our security posture and SecurityScorecard assessment (rating and benchmarking), incident response, and vulnerability management. The Audit Committee reviews and discusses with management our cybersecurity threats, vulnerabilities, defenses, and planned responses, including updates to our cybersecurity incident response plan (“IRP”), which has been approved by the Audit Committee. Additionally, the Audit Committee receives and discusses reports from management with the purpose of identifying threats and vulnerabilities, and it monitors the effectiveness and progress of the actions and initiatives undertaken to mitigate such threats.
|Cybersecurity Risk Role of Management [Text Block]
|
Our Board of Directors, through its Audit Committee, has primary responsibility for overseeing cybersecurity risk management and receives updates on the status of our cybersecurity program from our CISO. These updates are provided at least once per year, and often multiple times per year, in a special Audit Committee session and includes reports on our security posture and SecurityScorecard assessment (rating and benchmarking), incident response, and vulnerability management. The Audit Committee reviews and discusses with management our cybersecurity threats, vulnerabilities, defenses, and planned responses, including updates to our cybersecurity incident response plan (“IRP”), which has been approved by the Audit Committee. Additionally, the Audit Committee receives and discusses reports from management with the purpose of identifying threats and vulnerabilities, and it monitors the effectiveness and progress of the actions and initiatives undertaken to mitigate such threats.
Our cybersecurity program team is led by our CISO (who ultimately reports to the Chief Operating Officer). The cybersecurity leadership team (“CSLT”), which is chaired by our Chief Operating Officer and includes our Chief Financial Officer, Chief Legal Officer, Chief Information Officer, CISO, and Chief Privacy Officer, among others, collaborates with enterprise risk professionals and is supported by an established Information Security (“InfoSec”) function responsible for certain aspects of maintaining and monitoring our cybersecurity infrastructure. In addition, our Chief Privacy Officer, who reports to our Chief Legal Officer, manages processes and protections around our sensitive data and facilitates compliance with applicable data protection laws, rules, and regulations.
Our Chief Privacy Officer has over 20 years of experience overseeing corporate data privacy and intellectual property policies and procedures. To maintain high levels of awareness and aptitude, all of our employees are required to complete annual trainings regarding current security risks and our InfoSec and privacy policies. Additional education and training are also required for specific groups based on their roles and access within the organization.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Members of the CSLT primarily, the Chief Operating Officer and CISO, will be responsible for updating the Chief Executive Officer, Audit Committee, and the lead independent director of our Board of Directors.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our Chief Information Security Officer (“CISO”), Tim Rains, has more than 30 years of experience as an IT professional, with over 20 of those years spent in cybersecurity roles. Mr. Rains has held senior cybersecurity advisor roles at both Amazon Web Services and Microsoft. Mr. Rains has experience across multiple cybersecurity disciplines including vulnerability management, incident response, crisis communications, threat intelligence, cybersecurity architecture and operations, governance, risk, and compliance. Mr. Rains is designated as a Certified Information Systems Security Professional and is responsible for developing and implementing plans and strategies to mitigate cybersecurity risks.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Members of the CSLT primarily, the Chief Operating Officer and CISO, will be responsible for updating the Chief Executive Officer, Audit Committee, and the lead independent director of our Board of Directors. Members of the CSIRT and CSLT, along with the Chief Executive Officer, Audit Committee, and the lead independent director of our Board of Directors regularly participate in cybersecurity incident tabletop exercises and event simulations.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef