|
Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 1C. CYBERSECURITY.
Cybersecurity risk management is a component of our overall risk management systems and processes and we recognize the importance of evaluating, detecting, and mitigating significant risks related to cybersecurity threats, including operational risks, theft of intellectual property, fraud, injury to employees or customers, and breach of applicable laws.
Our information security program aims to manage these cybersecurity risks and threats that we can reasonably anticipate using different methods, such as third-party assessments, internal IT audits, governance oversight, and risk and compliance reviews. We use various security tools designed to help protect our information systems from cyberattacks and to address any vulnerabilities or incidents in a timely manner, and we rely in part on third-party services to identify, prioritize, assess, reduce, and remediate cybersecurity threats and incidents.
Our information security program also evaluates potential risks associated with certain third-parties with whom we do business, especially our service providers that deal with sensitive employee, business, or customer data. This includes risk evaluation before choosing such vendors, periodic assessment thereafter and if a third-party has a reported cybersecurity incident, we perform an assessment to find and reduce risks related to such third-party incident that may affect us.
Our systems regularly face attacks that aim to interrupt and delay our operations or obtain information from our systems. Any major disruption or nefarious access, to our systems or a third-party’s systems, could lead to disclosure or destruction of data, including employee, customer and corporate information, which may expose us to business, regulatory, litigation and reputation risk and could negatively affect our business and results of operations. As of the date of this Annual Report on Form 10-K, we have not encountered incidents from cybersecurity threats that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations or financial position. Refer to “Item 1A. Risk factors” in this Annual Report on Form 10-K, including “Significant disruptions of information technology systems, breaches of data security, or compromised data could materially adversely affect our business” for additional discussion about cybersecurity-related risks.
We perform various tasks designed to protect the Company from cybersecurity incidents, such as: conducting proactive cybersecurity reviews of systems and applications; performing penetration testing using external third-party tools and techniques; conducting employee training; and monitoring emerging laws and regulations related to data protection and information security. We evaluate risks from cyberattacks and technology threats and check our information systems for possible weaknesses. We use a risk quantification model created by the National Institute of Standards and Technology to find, assess and rank cybersecurity and technology risks and create related security controls and protections. Using third-party organizations and ongoing internal assessments, we regularly review and test our information security program to enhance our security measures and planning. We also engage an external auditor to perform an annual payment card industry data security standard review of our security controls protecting payment information, as well as quarterly third-party penetration testing of our cardholder environment and related systems.
We follow incident response and breach management processes that principally consist of four interrelated steps to identify and assess material risks from cybersecurity threats: (1) preparing for a cybersecurity incident; (2) detecting and analyzing a cybersecurity incident; (3) containing, eliminating and recovering from the cybersecurity incident; and (4) analyzing the cybersecurity incident after it is resolved. We assess, rank and prioritize cybersecurity incidents based on their severity and impact on our operations and business. Our information security team, with assistance from our legal team, oversees cybersecurity incident response and breach management processes and commencing with the formation of the Board’s Cybersecurity Special Committee, reports to such committee.
GPM’s Senior Vice President of Information Technology (the “SVP of IT”), who has more than 30 years of technology experience, leads our information security team. We also use additional employees with relevant educational and industry experience to support our information security program.
Until November 2023, our Board had oversight responsibility for cybersecurity threats, and the SVP of IT provided cybersecurity-related information to the Board on a periodic basis. In November 2023, the Board formed a Cybersecurity Special Committee which had oversight over our management of cybersecurity threats and until November 2024, was charged with periodically reporting on cybersecurity matters to the Board. The Cybersecurity Special Committee consisted of four independent directors. In January 2025, the Board changed the Cybersecurity Special Committee to be a subcommittee of the Audit Committee (the “Cybersecurity Subcommittee”). The Board’s oversight, including through the Cybersecurity Subcommittee, includes receiving periodic reports from the SVP of IT and other information technology team members on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance. In addition, the Cybersecurity Subcommittee is tasked with oversight of our annual cybersecurity assessment of key cybersecurity risks.
In November 2023, the Board adopted cybersecurity processes, which strengthened and formalized company-wide procedures related to identifying, managing and assessing cybersecurity threats. In the event of a cybersecurity incident which is potentially material, the SVP of IT must report such incident to the Company’s CEO, CFO, General Counsel and the chair of the Cybersecurity Subcommittee, and these executives and board member determine whether, based on materiality or potential materiality, to report the cybersecurity incident to the Cybersecurity Subcommittee, which committee makes a determination if such cybersecurity incident requires a public filing.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Until November 2023, our Board had oversight responsibility for cybersecurity threats, and the SVP of IT provided cybersecurity-related information to the Board on a periodic basis. In November 2023, the Board formed a Cybersecurity Special Committee which had oversight over our management of cybersecurity threats and until November 2024, was charged with periodically reporting on cybersecurity matters to the Board. The Cybersecurity Special Committee consisted of four independent directors. In January 2025, the Board changed the Cybersecurity Special Committee to be a subcommittee of the Audit Committee (the “Cybersecurity Subcommittee”). The Board’s oversight, including through the Cybersecurity Subcommittee, includes receiving periodic reports from the SVP of IT and other information technology team members on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance. In addition, the Cybersecurity Subcommittee is tasked with oversight of our annual cybersecurity assessment of key cybersecurity risks.
In November 2023, the Board adopted cybersecurity processes, which strengthened and formalized company-wide procedures related to identifying, managing and assessing cybersecurity threats. In the event of a cybersecurity incident which is potentially material, the SVP of IT must report such incident to the Company’s CEO, CFO, General Counsel and the chair of the Cybersecurity Subcommittee, and these executives and board member determine whether, based on materiality or potential materiality, to report the cybersecurity incident to the Cybersecurity Subcommittee, which committee makes a determination if such cybersecurity incident requires a public filing.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|In November 2023, the Board formed a Cybersecurity Special Committee which had oversight over our management of cybersecurity threats and until November 2024, was charged with periodically reporting on cybersecurity matters to the Board. The Cybersecurity Special Committee consisted of four independent directors. In January 2025, the Board changed the Cybersecurity Special Committee to be a subcommittee of the Audit Committee (the “Cybersecurity Subcommittee”). The Board’s oversight, including through the Cybersecurity Subcommittee, includes receiving periodic reports from the SVP of IT and other information technology team members on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|In addition, the Cybersecurity Subcommittee is tasked with oversight of our annual cybersecurity assessment of key cybersecurity risks.
|Cybersecurity Risk Role of Management [Text Block]
|
In November 2023, the Board adopted cybersecurity processes, which strengthened and formalized company-wide procedures related to identifying, managing and assessing cybersecurity threats. In the event of a cybersecurity incident which is potentially material, the SVP of IT must report such incident to the Company’s CEO, CFO, General Counsel and the chair of the Cybersecurity Subcommittee, and these executives and board member determine whether, based on materiality or potential materiality, to report the cybersecurity incident to the Cybersecurity Subcommittee, which committee makes a determination if such cybersecurity incident requires a public filing.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|In January 2025, the Board changed the Cybersecurity Special Committee to be a subcommittee of the Audit Committee (the “Cybersecurity Subcommittee”). The Board’s oversight, including through the Cybersecurity Subcommittee, includes receiving periodic reports from the SVP of IT and other information technology team members on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance. In addition, the Cybersecurity Subcommittee is tasked with oversight of our annual cybersecurity assessment of key cybersecurity risks.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|GPM’s Senior Vice President of Information Technology (the “SVP of IT”), who has more than 30 years of technology experience, leads our information security team.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Board’s oversight, including through the Cybersecurity Subcommittee, includes receiving periodic reports from the SVP of IT and other information technology team members on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef