|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We face a variety of risks related to cybersecurity, such as unauthorized access, cybersecurity attacks and other security incidents, including as perpetrated by hackers and unintentional damage or disruption to hardware and software systems, loss of data, and misappropriation of confidential information. To identify and assess material risks from cybersecurity threats, we maintain a cybersecurity program to ensure our systems are effective and prepared for information security risks, including regular oversight of our programs for security monitoring for internal and external threats to ensure the confidentiality and integrity of our information assets. We employ a range of tools and services, including regular network and endpoint monitoring utilizing leading market monitoring tools, audits and vulnerability assessments including penetration testing to inform our risk identification and assessment. Our Audit Committee of the Board of Directors provides oversight of our cybersecurity risk management and strategy processes, which are led by our Chief Financial Officer.
We also identify our cybersecurity threat risks by comparing our processes to standards set by NIST as well as by engaging experts to attempt to penetrate our information systems. To provide for the availability of critical data and systems, manage our material risks from cybersecurity threats, and protect against and respond to cybersecurity incidents, we undertake the following activities:
• monitor emerging data protection laws and implement changes to our processes that are designed to comply with such laws;
• through our policies, practices and contracts (as applicable), require employees, as well as third parties that provide services on our behalf, to treat confidential information and data with care;
• employ technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence;
• provide regular, mandatory training for our employees and contractors regarding cybersecurity threats as a means to equip them with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices;
• conduct regular phishing email simulations for all employees and contractors with access to our email systems to enhance awareness and responsiveness to possible threats;
• leverage the NIST incident handling framework to help us identify, protect, detect, respond and recover when there is an actual or potential cybersecurity incident; and
• carry information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident.
Our incident response plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate damage to our business and reputation.
As part of the above processes, we regularly engage with consultants, auditors and other third parties to assist in reviewing our cybersecurity program to help identify areas for continued focus, improvement and compliance.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “If we experience a significant disruption in our information technology systems, including our Platinum Analysis Software services, or cybersecurity incidents, our business could be adversely affected”, which disclosures are incorporated by reference herein.
Despite our efforts to create security barriers to such threats, it is virtually impossible for us to completely mitigate these risks. In August 2020, we discovered ransomware on a server and engaged third-party forensics experts and outside counsel for incident response. We did not pay ransom to the attacker because the documents that were encrypted by the attacker were sufficiently backed up and the investigation further confirmed that no employee data or other personal information was accessed. We implemented a number of security enhancements as the incident unfolded and continue to implement short- and long-term security enhancements to further secure our network.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We also identify our cybersecurity threat risks by comparing our processes to standards set by NIST as well as by engaging experts to attempt to penetrate our information systems. To provide for the availability of critical data and systems, manage our material risks from cybersecurity threats, and protect against and respond to cybersecurity incidents, we undertake the following activities:
• monitor emerging data protection laws and implement changes to our processes that are designed to comply with such laws;
• through our policies, practices and contracts (as applicable), require employees, as well as third parties that provide services on our behalf, to treat confidential information and data with care;
• employ technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence;
• provide regular, mandatory training for our employees and contractors regarding cybersecurity threats as a means to equip them with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices;
• conduct regular phishing email simulations for all employees and contractors with access to our email systems to enhance awareness and responsiveness to possible threats;
• leverage the NIST incident handling framework to help us identify, protect, detect, respond and recover when there is an actual or potential cybersecurity incident; and
• carry information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident.
Our incident response plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate damage to our business and reputation.
As part of the above processes, we regularly engage with consultants, auditors and other third parties to assist in reviewing our cybersecurity program to help identify areas for continued focus, improvement and compliance.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Our Board of Directors executes its oversight responsibility for risk management both directly and through delegating oversight of certain of these risks to its committees, and our Board of Directors has authorized our Audit Committee to oversee risks from cybersecurity threats.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board of Directors executes its oversight responsibility for risk management both directly and through delegating oversight of certain of these risks to its committees, and our Board of Directors has authorized our Audit Committee to oversee risks from cybersecurity threats.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
We plan for our Chief Financial Officer to provide our Audit Committee with quarterly general risk assessment updates, which shall cover cyber risk topics such as data security posture, results from third-party assessments, progress towards predetermined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. Our Audit Committee is also involved in the reporting function of our incident response plan which includes communication of any cybersecurity incident that meets our reporting thresholds, as well as ongoing updates regarding any such incident, until such incident has been resolved.
|Cybersecurity Risk Role of Management [Text Block]
|
We plan for our Chief Financial Officer to provide our Audit Committee with quarterly general risk assessment updates, which shall cover cyber risk topics such as data security posture, results from third-party assessments, progress towards predetermined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. Our Audit Committee is also involved in the reporting function of our incident response plan which includes communication of any cybersecurity incident that meets our reporting thresholds, as well as ongoing updates regarding any such incident, until such incident has been resolved.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Financial Officer in conjunction with our General Counsel and our Head of Information Technology and report to our Audit Committee. In addition, we maintain an Information Technology Steering Committee, which is comprised of several senior members of the Company. Our Chief Financial Officer has over 10 years of experience in leading Information Technology departments at various companies. Our General Counsel has over 10 years of experience related to general legal matters, including in the capacity of understanding and guiding companies on Information Technology matters and the related risks. Our Head of Information Technology has over 30 years of relevant experience, including managing information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs. These management team members are informed about and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|We plan for our Chief Financial Officer to provide our Audit Committee with quarterly general risk assessment updates, which shall cover cyber risk topics such as data security posture, results from third-party assessments, progress towards predetermined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our Chief Financial Officer has over 10 years of experience in leading Information Technology departments at various companies. Our General Counsel has over 10 years of experience related to general legal matters, including in the capacity of understanding and guiding companies on Information Technology matters and the related risks. Our Head of Information Technology has over 30 years of relevant experience, including managing information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs. These management team members are informed about and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|These management team members are informed about and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true