|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We have adopted policies, procedures, processes, and practices and implemented certain controls and procedures that allow our management to assess, identify and manage material risks from cybersecurity threats and for our Board of Directors, through our Audit Committee and Cyber Committee, to actively oversee the strategic direction, objectives, and effectiveness of our cybersecurity risk management framework.
Our cybersecurity processes complement our enterprise-wide risk assessment architecture, having identified cybersecurity risk as a significant enterprise risk. We monitor our processes as they relate to the identified risks and track any cybersecurity risk treatment plans for progress and completion. These processes are aligned with standard industry frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, International Organization for Standardization (ISO) 27001, Center for Internet Security Critical Security Controls and other industry standards. To further improve the effectiveness of our cybersecurity risk management framework, we have in the past engaged, and may in the future continue to engage, third-party consultants to conduct external evaluations, including the performance of penetration testing, red team testing, maturity testing, independent audits or consulting on best practices to address new challenges.
We seek to address cybersecurity risks through a cross-functional approach that is focused on preserving the confidentiality, security, and availability of the information that we collect and store by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.
To identify and assess material risks from cybersecurity threats, we engage in regular network and endpoint monitoring, vulnerability assessments, threat hunting, penetration testing, and tabletop exercises. Data collected from these activities is sent to a secure centralized log management system, as well as to third-party providers that we engage for 24x7 security monitoring, detection, and response. Our Global Information Security team (“GIS”), Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”) meet regularly, bilaterally and as a team, to discuss threat levels, trends and remediation.
We have developed incident response plans by using the information gained through testing and monitoring to manage any identified vulnerabilities and further improve our cybersecurity preparedness and response infrastructure. Such plans set forth the actions to be taken in responding to and recovering from cybersecurity incidents, which include triage, assessing the severity of incidents, escalation protocols, containment of incidents, investigation of incidents, and remediation. We also regularly perform phishing tests of our employees and provide annual privacy and security training for all employees. Our security training incorporates awareness of cyber threats (including but not limited to malware, ransomware, and social engineering attacks), password hygiene and incident reporting processes.
We review our cybersecurity risk framework and related policies annually with our senior management to help identify areas for continued focus and improvement. We also engage third parties to review and audit our processes annually.
We have also implemented processes to identify, monitor and address material risks from cybersecurity threats associated with our use of third-party service providers, including those in our supply chain or who have access to our systems, data or facilities that house such systems or data. We may also require third parties to manage their cybersecurity risks in specified ways, and to provide us with the results of their cybersecurity audits. Prior to engaging our vendors, we typically perform vendor risk assessment through the use of questionnaires, interviews and assessment on the basis of a structured scorecard, including a vendor’s ability to protect data from unauthorized access, and through the use of cybersecurity ratings tools.
Although in the last three fiscal years we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents, including penalties and settlements, were immaterial, we may experience such incidents in the future and the scope and impact of any such future incidents cannot be predicted. We have described whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, may materially affect or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition in the risk factors titled “We may be subject to breaches of information technology systems utilized by us or our suppliers, vendors, customers and other third parties with whom we conduct business, which could impact our business or our business data….” and “We may be subject to information technology system failures or network disruptions that could damage our business operations, financial conditions, or reputation” in “Item 3.D. Risk Factors – Risk Factors Related to Cybersecurity” of this Annual Report on Form 20-F.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We have adopted policies, procedures, processes, and practices and implemented certain controls and procedures that allow our management to assess, identify and manage material risks from cybersecurity threats and for our Board of Directors, through our Audit Committee and Cyber Committee, to actively oversee the strategic direction, objectives, and effectiveness of our cybersecurity risk management framework. Our cybersecurity processes complement our enterprise-wide risk assessment architecture, having identified cybersecurity risk as a significant enterprise risk. We monitor our processes as they relate to the identified risks and track any cybersecurity risk treatment plans for progress and completion. These processes are aligned with standard industry frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, International Organization for Standardization (ISO) 27001, Center for Internet Security Critical Security Controls and other industry standards.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Role of the Board of Directors and the Audit Committee
As part of the Board of Directors’ role in overseeing our enterprise risk management program, which includes our cybersecurity risk management framework, the Board is responsible for exercising oversight of management’s identification and management of, and planning for, material cybersecurity risks that may reasonably be expected to impact us. While the full Board has overall responsibility for risk oversight, the Board has delegated oversight responsibility related to risks from cybersecurity threats to the Audit Committee. The Audit Committee is responsible for overseeing the strategic direction, objectives, and effectiveness of our cybersecurity risk management framework, taking into account our risk exposures and adequacy of its risk management processes. The Audit Committee is briefed by our CIO on our cybersecurity risk management and receives an overview of the cybersecurity program from management at least quarterly, which covers topics including, among others, recent cybersecurity risk landscape and trends, data security posture, results from third-party assessments, information security training and vulnerability management, our incident response plan, material cybersecurity risks, whether developing or actual, as well as the steps management has taken to respond to such risks, emerging cybersecurity regulations, technologies and best practices. The Board receives a quarterly report from the Audit Committee on its activities, including its oversight on cybersecurity risk. Material cybersecurity risks are also discussed during separate Board meetings as part of the Board’s risk oversight generally. The Audit Committee has engaged and may periodically continue to engage third-party experts to assess the effectiveness of our cybersecurity risk management framework.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|While the full Board has overall responsibility for risk oversight, the Board has delegated oversight responsibility related to risks from cybersecurity threats to the Audit Committee. The Audit Committee is responsible for overseeing the strategic direction, objectives, and effectiveness of our cybersecurity risk management framework, taking into account our risk exposures and adequacy of its risk management processes.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit Committee is briefed by our CIO on our cybersecurity risk management and receives an overview of the cybersecurity program from management at least quarterly, which covers topics including, among others, recent cybersecurity risk landscape and trends, data security posture, results from third-party assessments, information security training and vulnerability management, our incident response plan, material cybersecurity risks, whether developing or actual, as well as the steps management has taken to respond to such risks, emerging cybersecurity regulations, technologies and best practices. The Board receives a quarterly report from the Audit Committee on its activities, including its oversight on cybersecurity risk. Material cybersecurity risks are also discussed during separate Board meetings as part of the Board’s risk oversight generally. The Audit Committee has engaged and may periodically continue to engage third-party experts to assess the effectiveness of our cybersecurity risk management framework.
|Cybersecurity Risk Role of Management [Text Block]
|
Role of Management
Our CIO has oversight of cybersecurity governance, decision-making, risk management, awareness, and compliance across the Company and employs a cybersecurity program designed to protect the Company’s information systems from cybersecurity threats and to respond to incidents in accordance with the Company’s incident response plan and other policies and procedures. The Cyber Committee (a subcommittee to the Company’s Disclosure Committee), chaired by the Chief Financial Officer, brings together the CIO, CISO, Chief Legal Officer, Data Protection Officer and any other representative of the management team who the Cyber Committee determined to be necessary or advisable from time to time depending on certain facts and circumstances. The Cyber Committee meets on an ad hoc basis in response to occurrence of a cybersecurity incident. The Cyber Committee provides a forum for these cross-functional members of management to:
• design and establish controls and other procedures that facilitate information which the Audit Committee may require to assess if a cybersecurity incident is material, as well as information that may be required to be publicly disclosed to be gathered, recorded and communicated to allow timely materiality and disclosure decisions by the Audit Committee; and
• design and establish controls and other procedures that facilitate information that is required to be publicly disclosed to regulatory authorities or stakeholders, to be gathered and communicated to the Audit Committee, Disclosure Committee or our management, including, as appropriate, the CEO and CFO, as the case may be, to allow timely preparations and/or decisions regarding such required disclosure.
The CISO manages our GIS team. Through ongoing communications with the team, the CIO and CISO are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents and progress on cybersecurity infrastructure initiatives.
We have a Cyber Security Incident Response team, comprised of the outsourced Security Operations Center and Managed Detection and Response providers who provide input to our GIS, which in turn reviews and analyses such input for information security incidents. The Cyber Security Incident Response team would follow our Information Security Incident Response Procedure, which outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying functional areas, such as accounting and legal, as well as the Cyber Committee, as appropriate. The GIS also manages the overall response to the incident, including containment, eradication, and recovery, together with other stakeholders such as the Data Protection Officer, and personnel across legal and regulatory, business operations, facility management, health & safety, human resources, business continuity planning, communications and finance & insurance functions. For incidents that are potentially material, together with the CIO and Chief Risk Management Officer (who is also our Chief Financial Officer), the GIS determines if escalation is required to the Cyber Committee, and manages the overall notification procedures, monitors the status of the incident, and ensures effective communication across the Company’s cross functional teams. If an escalation is made to the Cyber Committee, the Cyber Committee would assess and analyze the potential materiality of the cybersecurity incident, including soliciting the views of the Cyber Security Incident Response Team or external consultants, as appropriate, and evaluate if a special meeting of the Audit Committee should be convened to facilitate the determination of the materiality of the cybersecurity incident and if the Company is obligated to make timely disclosures. 
The Cyber Committee would also consider if the cybersecurity incident has any privacy or data security concerns and if any regulatory filings and/or notifications to stakeholders (which may include but are not limited to business partner, supplier, installer) are required.
Our CIO has 36 years of experience with information technology, including as an executive manager of information security functions and has been a chief information officer for more than 10 years in publicly listed companies. Our CIO holds a Bachelor of Science degree from University of San Francisco Information Systems Management. Our CISO holds a bachelor of engineering degree with more than 23 years of IT experience across various IT Infrastructure domains, inclusive of cyber security, and has been in key IT leadership roles for over 10 years at multiple public listed companies.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our CIO has oversight of cybersecurity governance, decision-making, risk management, awareness, and compliance across the Company and employs a cybersecurity program designed to protect the Company’s information systems from cybersecurity threats and to respond to incidents in accordance with the Company’s incident response plan and other policies and procedures. The Cyber Committee (a subcommittee to the Company’s Disclosure Committee), chaired by the Chief Financial Officer, brings together the CIO, CISO, Chief Legal Officer, Data Protection Officer and any other representative of the management team who the Cyber Committee determined to be necessary or advisable from time to time depending on certain facts and circumstances. The Cyber Committee meets on an ad hoc basis in response to occurrence of a cybersecurity incident.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Our CIO has 36 years of experience with information technology, including as an executive manager of information security functions and has been a chief information officer for more than 10 years in publicly listed companies. Our CIO holds a Bachelor of Science degree from University of San Francisco Information Systems Management. Our CISO holds a bachelor of engineering degree with more than 23 years of IT experience across various IT Infrastructure domains, inclusive of cyber security, and has been in key IT leadership roles for over 10 years at multiple public listed companies.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our CIO has oversight of cybersecurity governance, decision-making, risk management, awareness, and compliance across the Company and employs a cybersecurity program designed to protect the Company’s information systems from cybersecurity threats and to respond to incidents in accordance with the Company’s incident response plan and other policies and procedures. The Cyber Committee (a subcommittee to the Company’s Disclosure Committee), chaired by the Chief Financial Officer, brings together the CIO, CISO, Chief Legal Officer, Data Protection Officer and any other representative of the management team who the Cyber Committee determined to be necessary or advisable from time to time depending on certain facts and circumstances. The Cyber Committee meets on an ad hoc basis in response to occurrence of a cybersecurity incident. The Cyber Committee provides a forum for these cross-functional members of management to:
• design and establish controls and other procedures that facilitate information which the Audit Committee may require to assess if a cybersecurity incident is material, as well as information that may be required to be publicly disclosed to be gathered, recorded and communicated to allow timely materiality and disclosure decisions by the Audit Committee; and
• design and establish controls and other procedures that facilitate information that is required to be publicly disclosed to regulatory authorities or stakeholders, to be gathered and communicated to the Audit Committee, Disclosure Committee or our management, including, as appropriate, the CEO and CFO, as the case may be, to allow timely preparations and/or decisions regarding such required disclosure.
The CISO manages our GIS team. Through ongoing communications with the team, the CIO and CISO are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents and progress on cybersecurity infrastructure initiatives.
We have a Cyber Security Incident Response team, comprised of the outsourced Security Operations Center and Managed Detection and Response providers who provide input to our GIS, which in turn reviews and analyses such input for information security incidents. The Cyber Security Incident Response team would follow our Information Security Incident Response Procedure, which outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying functional areas, such as accounting and legal, as well as the Cyber Committee, as appropriate. The GIS also manages the overall response to the incident, including containment, eradication, and recovery, together with other stakeholders such as the Data Protection Officer, and personnel across legal and regulatory, business operations, facility management, health & safety, human resources, business continuity planning, communications and finance & insurance functions. For incidents that are potentially material, together with the CIO and Chief Risk Management Officer (who is also our Chief Financial Officer), the GIS determines if escalation is required to the Cyber Committee, and manages the overall notification procedures, monitors the status of the incident, and ensures effective communication across the Company’s cross functional teams. If an escalation is made to the Cyber Committee, the Cyber Committee would assess and analyze the potential materiality of the cybersecurity incident, including soliciting the views of the Cyber Security Incident Response Team or external consultants, as appropriate, and evaluate if a special meeting of the Audit Committee should be convened to facilitate the determination of the materiality of the cybersecurity incident and if the Company is obligated to make timely disclosures. 
The Cyber Committee would also consider if the cybersecurity incident has any privacy or data security concerns and if any regulatory filings and/or notifications to stakeholders (which may include but are not limited to business partner, supplier, installer) are required.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true