|
Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 1C. CYBERSECURITY
Risk Assessment, Identification and Management Processes
We have implemented a cybersecurity risk management strategy to assess, identify and manage material risks from cybersecurity threats. This strategy is designed to protect our systems, data and operations from potential cyber threats and to ensure the continuity of our business operations.
We conduct regular risk assessments to identify potential cybersecurity threats. These assessments involve evaluating our systems, networks and data for vulnerabilities that could be exploited by cyber threats through, among other things, vulnerability scanning and penetration testing. Once risks are identified, we implement measures to manage and mitigate these risks. This includes updating and patching our systems, implementing security controls and monitoring our networks for suspicious activity. We have a process in place to respond to any identified threats, which includes containment, eradication and recovery measures. We also monitor and update our cybersecurity risk management strategy to respond to the evolving cyber threat landscape. This includes staying abreast of the latest cybersecurity threats and trends and updating our systems and processes accordingly.
Integration with Overall Risk Management. Our cybersecurity processes are integrated into our overall enterprise risk management program and business continuity processes. In this regard, we address cybersecurity risks through a comprehensive, cross-functional approach across our technology, legal, compliance, finance and other teams aimed at preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. This integration helps ensure that the breadth of potential impacts from cybersecurity risks is considered and that our approach to managing these risks is consistent and coordinated across teams within our business. Through our enterprise risk management program, our cybersecurity risk is regularly evaluated, and we regularly report this assessment of our cybersecurity risk to management and to the audit committee of our board of directors. We also periodically review our cybersecurity risk with our entire board of directors.
Engaging Third Parties in Risk Management. We use a combination of internal resources and external assessors, consultants and auditors to conduct our cybersecurity risk assessments and identification. We periodically examine our cybersecurity program with these third parties, evaluating its effectiveness in part by considering industry standards and established frameworks, such as the National Institute of Standards and Technology, as guidelines, along with compliance with our internal cybersecurity controls. We also work with third parties to assess our incident response preparedness and to manage and track our risks.
Overseeing Risks Associated with Third-Party Service Providers. We have established a third-party risk management program to evaluate new and existing third-party service providers for their security controls and processes; identify cyber risks associated with the third-party service providers requiring remediation tracking; and continuously monitor the cyber risk posture of third-party service providers.
Where appropriate, our contracts with third-party service providers require agreement and adherence to security and privacy requirements, including: the proper access, use, retention and deletion of data; security awareness training; security incident response and breach notification; our rights to security assessment, testing and audits; compliance with laws and industry standards; and system and services requirements. For example, we require our business process outsourcers, which are providers that support certain customer services operations and other services, to complete security awareness training and payment card industry data security standards training.
Risks from Cybersecurity Threats
As of the date of this report, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition; however, see Item 1A. Risk Factors in Part I of this Annual Report on Form 10-K for a discussion of effects that a cybersecurity threat or incident could have on our business strategy, results of operations or financial condition. We also maintain an incident response plan to respond to any cybersecurity incident. This plan outlines the steps we will take to respond to an incident, including identifying and containing the incident, eradicating the threat, recovering our systems and communicating with relevant stakeholders.
Board of Directors Oversight of Cybersecurity Risk
Our board of directors is responsible for oversight of our enterprise risk management program, which incorporates cybersecurity risk. The audit committee undertakes primary responsibility for assisting the board of directors in overseeing cybersecurity risk, including policies and procedures for assessing, managing and responding to cybersecurity risk. The audit committee meets with appropriate members of our management team at least quarterly—and third-party assessors, consultants and auditors as needed—to review and discuss cybersecurity risk.
The full board of directors receives quarterly updates from the audit committee on its oversight of cybersecurity risk and engages in further review for the full board of directors from time to time as appropriate.
Management’s Role in Assessing and Managing Material Risks
Our technology team, and particularly our information security team, is actively involved in the development and implementation of policies and tools to assess risk and identify emergent risks, with cross-functional support from enterprise risk management, legal, compliance and finance, among other teams. We have established governance structures to increase the maturity of our cybersecurity program with a governance, risk and compliance approach. This includes the identification of internal weaknesses and the mitigation of information technology risks through training programs or new policies and internal controls.
Management is also responsible for the testing of the overall security posture and the documentation of risk management and security for regulatory examinations and for regular review of security and privacy requirements. In addition to our internal cybersecurity team, our company has retained a third-party security firm to aid in the identification, containment, eradication and recovery of systems, data or both in the event of a material security incident.
Risk Management Personnel. Among management, our Chief Information Security Officer (“CISO”), together with our Chief Operating Officer (“COO”), is responsible for leading efforts to assess and manage cybersecurity risks. Our CISO has over 20 years of experience assessing and managing cybersecurity risk, including leading information security teams at complex web-based businesses, and has a Master’s degree in Computer Information Systems and multiple professional and cybersecurity certifications, including CISM, CDPSE, CIPM, CIPT, and PMP. Our COO oversees, among other things, our company’s technology strategy and architecture and the integration and delivery of technology into our operations and service offerings. Our COO has over 10 years of experience supervising teams in implementations of key internal- and external-facing technology systems. Prior to joining the Company, our COO worked at a multinational public technology company and led teams in solving operations problems with technology. Our COO has a Bachelor’s degree in Chemical Engineering, a Master's degree in Business Administration and a Juris Doctorate.
Monitoring Cybersecurity Incidents. On a daily basis, our information security team monitors, identifies and classifies potential cybersecurity events and is responsible for notifying the COO and CISO of such events as appropriate based on risk to our organization. Our COO and CISO are responsible for notifying executive leadership, other functional teams and our audit committee, as appropriate.
Reporting to the Board of Directors. Our COO and CISO report to the audit committee at least quarterly about the detection, prevention, mitigation and remediation of cybersecurity events, including information about the latest cybersecurity threats, the status of our prevention and detection measures and the effectiveness of our mitigation and remediation efforts, as well as any other cybersecurity risk management activities and the progress of related projects. These briefings include updates on the formalized incident response plan, communications and escalation procedures. Management will apprise the board of directors of cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to us.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Integration with Overall Risk Management. Our cybersecurity processes are integrated into our overall enterprise risk management program and business continuity processes. In this regard, we address cybersecurity risks through a comprehensive, cross-functional approach across our technology, legal, compliance, finance and other teams aimed at preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. This integration helps ensure that the breadth of potential impacts from cybersecurity risks is considered and that our approach to managing these risks is consistent and coordinated across teams within our business. Through our enterprise risk management program, our cybersecurity risk is regularly evaluated, and we regularly report this assessment of our cybersecurity risk to management and to the audit committee of our board of directors. We also periodically review our cybersecurity risk with our entire board of directors.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board of Directors Oversight of Cybersecurity Risk
Our board of directors is responsible for oversight of our enterprise risk management program, which incorporates cybersecurity risk. The audit committee undertakes primary responsibility for assisting the board of directors in overseeing cybersecurity risk, including policies and procedures for assessing, managing and responding to cybersecurity risk. The audit committee meets with appropriate members of our management team at least quarterly—and third-party assessors, consultants and auditors as needed—to review and discuss cybersecurity risk.
The full board of directors receives quarterly updates from the audit committee on its oversight of cybersecurity risk and engages in further review for the full board of directors from time to time as appropriate.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our board of directors is responsible for oversight of our enterprise risk management program, which incorporates cybersecurity risk. The audit committee undertakes primary responsibility for assisting the board of directors in overseeing cybersecurity risk, including policies and procedures for assessing, managing and responding to cybersecurity risk. The audit committee meets with appropriate members of our management team at least quarterly—and third-party assessors, consultants and auditors as needed—to review and discuss cybersecurity risk.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The full board of directors receives quarterly updates from the audit committee on its oversight of cybersecurity risk and engages in further review for the full board of directors from time to time as appropriate.
|Cybersecurity Risk Role of Management [Text Block]
|
Management’s Role in Assessing and Managing Material Risks
Our technology team, and particularly our information security team, is actively involved in the development and implementation of policies and tools to assess risk and identify emergent risks, with cross-functional support from enterprise risk management, legal, compliance and finance, among other teams. We have established governance structures to increase the maturity of our cybersecurity program with a governance, risk and compliance approach. This includes the identification of internal weaknesses and the mitigation of information technology risks through training programs or new policies and internal controls.
Management is also responsible for the testing of the overall security posture and the documentation of risk management and security for regulatory examinations and for regular review of security and privacy requirements. In addition to our internal cybersecurity team, our company has retained a third-party security firm to aid in the identification, containment, eradication and recovery of systems, data or both in the event of a material security incident.
Risk Management Personnel. Among management, our Chief Information Security Officer (“CISO”), together with our Chief Operating Officer (“COO”), is responsible for leading efforts to assess and manage cybersecurity risks. Our CISO has over 20 years of experience assessing and managing cybersecurity risk, including leading information security teams at complex web-based businesses, and has a Master’s degree in Computer Information Systems and multiple professional and cybersecurity certifications, including CISM, CDPSE, CIPM, CIPT, and PMP. Our COO oversees, among other things, our company’s technology strategy and architecture and the integration and delivery of technology into our operations and service offerings. Our COO has over 10 years of experience supervising teams in implementations of key internal- and external-facing technology systems. Prior to joining the Company, our COO worked at a multinational public technology company and led teams in solving operations problems with technology. Our COO has a Bachelor’s degree in Chemical Engineering, a Master's degree in Business Administration and a Juris Doctorate.
Monitoring Cybersecurity Incidents. On a daily basis, our information security team monitors, identifies and classifies potential cybersecurity events and is responsible for notifying the COO and CISO of such events as appropriate based on risk to our organization. Our COO and CISO are responsible for notifying executive leadership, other functional teams and our audit committee, as appropriate.
Reporting to the Board of Directors. Our COO and CISO report to the audit committee at least quarterly about the detection, prevention, mitigation and remediation of cybersecurity events, including information about the latest cybersecurity threats, the status of our prevention and detection measures and the effectiveness of our mitigation and remediation efforts, as well as any other cybersecurity risk management activities and the progress of related projects. These briefings include updates on the formalized incident response plan, communications and escalation procedures. Management will apprise the board of directors of cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to us.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Among management, our Chief Information Security Officer (“CISO”), together with our Chief Operating Officer (“COO”), is responsible for leading efforts to assess and manage cybersecurity risks.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO has over 20 years of experience assessing and managing cybersecurity risk, including leading information security teams at complex web-based businesses, and has a Master’s degree in Computer Information Systems and multiple professional and cybersecurity certifications, including CISM, CDPSE, CIPM, CIPT, and PMP. Our COO oversees, among other things, our company’s technology strategy and architecture and the integration and delivery of technology into our operations and service offerings. Our COO has over 10 years of experience supervising teams in implementations of key internal- and external-facing technology systems. Prior to joining the Company, our COO worked at a multinational public technology company and led teams in solving operations problems with technology. Our COO has a Bachelor’s degree in Chemical Engineering, a Master's degree in Business Administration and a Juris Doctorate.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|On a daily basis, our information security team monitors, identifies and classifies potential cybersecurity events and is responsible for notifying the COO and CISO of such events as appropriate based on risk to our organization. Our COO and CISO are responsible for notifying executive leadership, other functional teams and our audit committee, as appropriate.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true