|
Cybersecurity Risk Management Strategy and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 1C. Cybersecurity Disclosures
Cybersecurity is the responsibility of our Chief Information Security Officer (“CISO”) who oversees an information security team responsible for maintaining the confidentiality, integrity, and accessibility of data within CCC while continuously monitoring for and responding to cybersecurity threats, with oversight by our EVP, Chief Product and Technology Officer who is responsible for all of our IT systems. Our CISO has 18 years of experience managing risks from security threats and developing and implementing security policies and procedures, as well as relevant degrees and certifications, including a bachelor of science in information systems and cybersecurity and being a Certified Information Security Manager and a Certified Information Systems Security Professional. Our EVP, Chief Product and Technology Officer has over three decades of experience in the technology industry and holds a bachelor of science in computer science.
Our Board has tasked the Audit Committee with oversight of enterprise risk management, including cybersecurity risk management. Our CISO or EVP, Chief Product and Technology Officer briefs the Audit Committee on cybersecurity risks at each of the quarterly meetings of the Audit Committee. These briefings include assessments of cyber risks, the threat landscape, updates on incidents, and reports on our investments in cybersecurity risk mitigation and governance. The Audit Committee and/or the EVP, Chief Product and Technology Officer also regularly briefs the entire Board on cybersecurity matters.
Our cybersecurity strategy prioritizes detection, analysis and response to known, anticipated or unexpected threats, effective management of security risks and resiliency against incidents. Our cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, contractual arrangements, tools and related services from third-party providers, and management oversight to assess, identify and manage risks from cybersecurity threats. We implement risk-based controls to protect our information, the information of our customers and other third parties, our information systems, our business operations, and our products and related services. We have adopted security-control principles based on the National Institute of Standards and Technology Cybersecurity Framework and contractual, industry and regulatory best practices and requirements.
Our written Cybersecurity Incident Response Program coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, and includes processes to prepare for, assess severity of, escalate information about, contain, eradicate, and recover from the incident, as well as to conduct post-incident activities, including reporting and conducting root cause analysis and remediation activities. Our incident response policies and the cybersecurity posture are subject to annual testing to evaluate our adherence to policies and compliance requirements. Policies and practices are reviewed periodically to improve processes and practice. We carry cybersecurity insurance to provide a level of financial protection should a covered incident occur.
Our cybersecurity and privacy program includes mandatory annual training for all employees and contractors reinforced by targeted phishing tests. The annual training includes training on how to identify potential cybersecurity and privacy risks and protect our resources and
While we believe our cybersecurity and privacy program to be appropriately designed in light of the risks we have identified, we have experienced, and may in the future experience, whether directly or through our supply chain or other channels, cybersecurity incidents. While prior incidents have not had a material impact on us, future incidents could have a material impact on our business strategy, results of operations or financial condition. See “Risk Factors—Our solutions or our third-party cloud providers have experienced in the past, and could experience in the future, data security breaches, which could adversely impact our reputation, business, and ongoing operations.”
information. Additionally, we provide additional specialized security training for employees in roles relating to product development or information technology.
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board has tasked the Audit Committee with oversight of enterprise risk management, including cybersecurity risk management. Our CISO or EVP, Chief Product and Technology Officer briefs the Audit Committee on cybersecurity risks at each of the quarterly meetings of the Audit Committee. These briefings include assessments of cyber risks, the threat landscape, updates on incidents, and reports on our investments in cybersecurity risk mitigation and governance. The Audit Committee and/or the EVP, Chief Product and Technology Officer also regularly briefs the entire Board on cybersecurity matters.
Our cybersecurity strategy prioritizes detection, analysis and response to known, anticipated or unexpected threats, effective management of security risks and resiliency against incidents. Our cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, contractual arrangements, tools and related services from third-party providers, and management oversight to assess, identify and manage risks from cybersecurity threats. We implement risk-based controls to protect our information, the information of our customers and other third parties, our information systems, our business operations, and our products and related services. We have adopted security-control principles based on the National Institute of Standards and Technology Cybersecurity Framework and contractual, industry and regulatory best practices and requirements.
Our written Cybersecurity Incident Response Program coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, and includes processes to prepare for, assess severity of, escalate information about, contain, eradicate, and recover from the incident, as well as to conduct post-incident activities, including reporting and conducting root cause analysis and remediation activities. Our incident response policies and the cybersecurity posture are subject to annual testing to evaluate our adherence to policies and compliance requirements. Policies and practices are reviewed periodically to improve processes and practice. We carry cybersecurity insurance to provide a level of financial protection should a covered incident occur.
Our cybersecurity and privacy program includes mandatory annual training for all employees and contractors reinforced by targeted phishing tests. The annual training includes training on how to identify potential cybersecurity and privacy risks and protect our resources and
information. Additionally, we provide additional specialized security training for employees in roles relating to product development or information technology.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our Board has tasked the Audit Committee with oversight of enterprise risk management, including cybersecurity risk management. Our CISO or EVP, Chief Product and Technology Officer briefs the Audit Committee on cybersecurity risks at each of the quarterly meetings of the Audit Committee. These briefings include assessments of cyber risks, the threat landscape, updates on incidents, and reports on our investments in cybersecurity risk mitigation and governance. The Audit Committee and/or the EVP, Chief Product and Technology Officer also regularly briefs the entire Board on cybersecurity matters.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our CISO or EVP, Chief Product and Technology Officer briefs the Audit Committee on cybersecurity risks at each of the quarterly meetings of the Audit Committee. These briefings include assessments of cyber risks, the threat landscape, updates on incidents, and reports on our investments in cybersecurity risk mitigation and governance. The Audit Committee and/or the EVP, Chief Product and Technology Officer also regularly briefs the entire Board on cybersecurity matters.
|Cybersecurity Risk Role of Management [Text Block]
|
Cybersecurity is the responsibility of our Chief Information Security Officer (“CISO”) who oversees an information security team responsible for maintaining the confidentiality, integrity, and accessibility of data within CCC while continuously monitoring for and responding to cybersecurity threats, with oversight by our EVP, Chief Product and Technology Officer who is responsible for all of our IT systems. Our CISO has 18 years of experience managing risks from security threats and developing and implementing security policies and procedures, as well as relevant degrees and certifications, including a bachelor of science in information systems and cybersecurity and being a Certified Information Security Manager and a Certified Information Systems Security Professional. Our EVP, Chief Product and Technology Officer has over three decades of experience in the technology industry and holds a bachelor of science in computer science.
Our Board has tasked the Audit Committee with oversight of enterprise risk management, including cybersecurity risk management. Our CISO or EVP, Chief Product and Technology Officer briefs the Audit Committee on cybersecurity risks at each of the quarterly meetings of the Audit Committee. These briefings include assessments of cyber risks, the threat landscape, updates on incidents, and reports on our investments in cybersecurity risk mitigation and governance. The Audit Committee and/or the EVP, Chief Product and Technology Officer also regularly briefs the entire Board on cybersecurity matters.
Our cybersecurity strategy prioritizes detection, analysis and response to known, anticipated or unexpected threats, effective management of security risks and resiliency against incidents. Our cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, contractual arrangements, tools and related services from third-party providers, and management oversight to assess, identify and manage risks from cybersecurity threats. We implement risk-based controls to protect our information, the information of our customers and other third parties, our information systems, our business operations, and our products and related services. We have adopted security-control principles based on the National Institute of Standards and Technology Cybersecurity Framework and contractual, industry and regulatory best practices and requirements.
Our written Cybersecurity Incident Response Program coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, and includes processes to prepare for, assess severity of, escalate information about, contain, eradicate, and recover from the incident, as well as to conduct post-incident activities, including reporting and conducting root cause analysis and remediation activities. Our incident response policies and the cybersecurity posture are subject to annual testing to evaluate our adherence to policies and compliance requirements. Policies and practices are reviewed periodically to improve processes and practice. We carry cybersecurity insurance to provide a level of financial protection should a covered incident occur.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Cybersecurity is the responsibility of our Chief Information Security Officer (“CISO”) who oversees an information security team responsible for maintaining the confidentiality, integrity, and accessibility of data within CCC while continuously monitoring for and responding to cybersecurity threats, with oversight by our EVP, Chief Product and Technology Officer who is responsible for all of our IT systems.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO has 18 years of experience managing risks from security threats and developing and implementing security policies and procedures, as well as relevant degrees and certifications, including a bachelor of science in information systems and cybersecurity and being a Certified Information Security Manager and a Certified Information Systems Security Professional. Our EVP, Chief Product and Technology Officer has over three decades of experience in the technology industry and holds a bachelor of science in computer science.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our written Cybersecurity Incident Response Program coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, and includes processes to prepare for, assess severity of, escalate information about, contain, eradicate, and recover from the incident, as well as to conduct post-incident activities, including reporting and conducting root cause analysis and remediation activities.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef