|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cybersecurity Risk Management and Strategy
At 111, cybersecurity risk management is an integral part of our overall enterprise risk management program. We are intensely focused on risks arising from cybersecurity threats and incidents, including with respect to our own information assets and those of our customers and other third parties with whom we do business.
Our cybersecurity risk management program, which includes programs with respect to data privacy, product security, and information security, is designed to align with our industry’s applicable practices and standards. Our program provides a framework for identifying, monitoring, evaluating, and responding to cybersecurity threats and incidents, including those associated with our use of software, applications, services, and cloud infrastructure developed or provided by third-party vendors and service providers. This framework includes steps for identifying the source of a cybersecurity threat or incident, including whether such cybersecurity threat or incident is associated with a third-party vendor or service provider, assessing the severity and risk of a cybersecurity threat or incident, implementing cybersecurity countermeasures and mitigation strategies, and informing management and the Board of Directors of potentially material cybersecurity threats and incidents or other significant changes in the evolving cybersecurity threat landscape.
Our cybersecurity team is responsible for assessing our cybersecurity risk management program and our incident response plan, which we regularly test through emergency drills, and testing of our security capabilities through additional techniques, such as penetration testing. In addition, we regularly engage independent third-party auditors to evaluate our compliance with various security compliance standards. We also conduct internal annual assessments of our cybersecurity risk management program and retest the results for validation on a regular basis. We review or update our cybersecurity policies, processes and procedures annually, or more frequently as needed, to account for changes in the threat landscape, as well as in response to legal and regulatory developments. Our cybersecurity efforts also include mandatory training for all employees and contractors on 111’s security and privacy policies, processes, and procedures. We also have clearly defined expectations for acceptable use policies, and we require employees to certify their adherence to our code of conduct. We also periodically send our employees simulated phishing and spear-phishing emails to test their compliance with our policies. Although we have continued to invest in our diligence, onboarding, monitoring, and surveillance capabilities over our critical third parties, including our third-party vendors and service providers, and cease engagement with third parties who we determine not to meet our cybersecurity standards, our control over the security posture of our critical third parties remains limited, and there can be no assurance that we can prevent, mitigate, or remediate the risk of any compromise or failure in the information assets owned or controlled by such third parties.
A cross-functional incident response team, comprised of representatives from information technology, information security, product operation and maintenance, privacy compliance and legal, is responsible for identifying, monitoring, evaluating, and resolving potential threats or incidents, such as cyberattacks, data breaches, intrusions, and other security incidents and implementing our detailed incident response plan. Our detailed incident response plan includes processes and procedures designed to assess potential internal and external threats, deploy countermeasures, and notify relevant members of our management team, as well as crisis management, and activating post-incident recovery designed to safeguard the confidentiality, availability, and integrity of our information assets.
In 2024, we did not identify any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see “Risk Factors – Risks Related to Doing Business in China” in this annual report.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Our cybersecurity risk management program, which includes programs with respect to data privacy, product security, and information security, is designed to align with our industry’s applicable practices and standards. Our program provides a framework for identifying, monitoring, evaluating, and responding to cybersecurity threats and incidents, including those associated with our use of software, applications, services, and cloud infrastructure developed or provided by third-party vendors and service providers. This framework includes steps for identifying the source of a cybersecurity threat or incident, including whether such cybersecurity threat or incident is associated with a third-party vendor or service provider, assessing the severity and risk of a cybersecurity threat or incident, implementing cybersecurity countermeasures and mitigation strategies, and informing management and the Board of Directors of potentially material cybersecurity threats and incidents or other significant changes in the evolving cybersecurity threat landscape.
Our cybersecurity team is responsible for assessing our cybersecurity risk management program and our incident response plan, which we regularly test through emergency drills, and testing of our security capabilities through additional techniques, such as penetration testing. In addition, we regularly engage independent third-party auditors to evaluate our compliance with various security compliance standards. We also conduct internal annual assessments of our cybersecurity risk management program and retest the results for validation on a regular basis. We review or update our cybersecurity policies, processes and procedures annually, or more frequently as needed, to account for changes in the threat landscape, as well as in response to legal and regulatory developments. Our cybersecurity efforts also include mandatory training for all employees and contractors on 111’s security and privacy policies, processes, and procedures. We also have clearly defined expectations for acceptable use policies, and we require employees to certify their adherence to our code of conduct. We also periodically send our employees simulated phishing and spear-phishing emails to test their compliance with our policies. Although we have continued to invest in our diligence, onboarding, monitoring, and surveillance capabilities over our critical third parties, including our third-party vendors and service providers, and cease engagement with third parties who we determine not to meet our cybersecurity standards, our control over the security posture of our critical third parties remains limited, and there can be no assurance that we can prevent, mitigate, or remediate the risk of any compromise or failure in the information assets owned or controlled by such third parties.
A cross-functional incident response team, comprised of representatives from information technology, information security, product operation and maintenance, privacy compliance and legal, is responsible for identifying, monitoring, evaluating, and resolving potential threats or incidents, such as cyberattacks, data breaches, intrusions, and other security incidents and implementing our detailed incident response plan. Our detailed incident response plan includes processes and procedures designed to assess potential internal and external threats, deploy countermeasures, and notify relevant members of our management team, as well as crisis management, and activating post-incident recovery designed to safeguard the confidentiality, availability, and integrity of our information assets.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board of Directors has oversight responsibility for our overall enterprise risk management. The Board of directors is responsible for ensuring that management (i) has policies, processes, and procedures designed to identify, monitor, evaluate, and respond to cybersecurity risks to which the company is exposed and (ii) takes steps to resolve cybersecurity risks and mitigate and remediate cybersecurity threats and incidents, including monitoring the activities of the cybersecurity team and incident response team and reviewing and updating our cybersecurity policies, processes and procedures.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Board of Directors
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board of directors is responsible for ensuring that management (i) has policies, processes, and procedures designed to identify, monitor, evaluate, and respond to cybersecurity risks to which the company is exposed and (ii) takes steps to resolve cybersecurity risks and mitigate and remediate cybersecurity threats and incidents, including monitoring the activities of the cybersecurity team and incident response team and reviewing and updating our cybersecurity policies, processes and procedures.Management, including the CTO, shall update the Board of Directors on the Company’s cybersecurity programs, material cybersecurity risks (including risks identified by third party cybersecurity assessments or arising from other developments in the cybersecurity threat landscape) and mitigation and remediation strategies.
|Cybersecurity Risk Role of Management [Text Block]
|
Management is responsible for day-to-day risk management activities, including identifying and assessing cybersecurity risks, establishing processes to ensure that potential cybersecurity risk exposures are monitored, implementing appropriate mitigation and remediation measures and maintaining cybersecurity programs. Our cybersecurity programs are under the direction of our Chief Technology Officer (“CTO”). Our CTO and dedicated personnel are certified and experienced information systems security professionals and information security managers with many years of experience across a variety of technology sub-specialties.
Our CTO receives reports from our cybersecurity and incident response team and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks. Management, including the CTO, shall update the Board of Directors on the Company’s cybersecurity programs, material cybersecurity risks (including risks identified by third party cybersecurity assessments or arising from other developments in the cybersecurity threat landscape) and mitigation and remediation strategies.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our cybersecurity programs are under the direction of our Chief Technology Officer (“CTO”).
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CTO and dedicated personnel are certified and experienced information systems security professionals and information security managers with many years of experience across a variety of technology sub-specialties.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our CTO receives reports from our cybersecurity and incident response team and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef