|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Our cybersecurity policies and processes are overseen by the Audit Committee of our Board. Our cybersecurity program is focused on (i) protecting confidential business, client, investor and employee information that we store or process; (ii) maintaining the security and availability of our systems and data; (iii) supporting compliance with applicable laws and regulations; (iv) documenting cybersecurity incidents and our responses; and (v) notification of cybersecurity incidents to, and communications with, appropriate internal and external parties.
We have implemented an information security governance policy governing cybersecurity risk, which is designed to facilitate the protection of sensitive or confidential business, client, investor and employee information that we store or process and the maintenance of critical services and systems. Our cybersecurity program is managed by our Chief Technology Officer and Head of Technology Infrastructure (together, “IT Management”), who report to our Chief Operating Officer. IT Management and its team are responsible for implementing proactive and reactive measures, including our monitoring and alert response processes, vulnerability management, changes made to our critical systems, including software and network changes, and various other technological and administrative safeguards. Our cybersecurity processes and systems are designed to protect against unauthorized access of information, including by cyber-attacks. Our policy and processes include, as appropriate, encryption, data loss prevention technology, authentication technology, entitlement management, access control, anti-virus and anti-malware software, and transmission of data over private networks. Our processes and systems aim to prevent or mitigate two main types of cybersecurity risk: first, cybersecurity risks associated with our physical and digital devices and infrastructure, and second, cybersecurity risks associated with third parties, such as people and organizations who have access to our devices, infrastructure or confidential or sensitive information. The cybersecurity-control principles that form the basis of our cybersecurity program are informed by the National Institute of Standards and Technology Cybersecurity Framework.
Our cybersecurity program includes review and assessment by third parties of the cybersecurity processes and systems. These third parties assess and report on our compliance with applicable laws and regulations and our internal incident response preparedness, including benchmarking to best practices and industry frameworks and help identify areas for continued focus and improvement. Annual penetration testing of our network, including critical systems and systems that store confidential or sensitive information, is conducted with third party consultants and vulnerabilities are reviewed and addressed by IT Management. When we engage vendors and other third-party partners who will have access to sensitive data or client systems and facilities, our infrastructure technology team assesses their cybersecurity programs and processes.
We also provide our employees with cybersecurity awareness training at onboarding and annually, as well as interim security reminders and alerts. We conduct regular phishing tests and provide additional training as appropriate. We have a process designed to assess the cybersecurity risks associated with the engagement of third-party vendors. This assessment is conducted on the basis of, among other factors, the types of services provided and the extent and type of data accessed or processed by a third-party vendor.
Impact of Cybersecurity Risks
In 2024, we did not experience a material cybersecurity incident, and we are not aware of any cybersecurity risks that are reasonably likely to materially affect our business. While we do not believe that our business strategy, results of operations or financial condition have been materially adversely affected by any cybersecurity incidents, we describe whether and how future incidents could have a material impact on our business strategy, results of operations or financial condition in “Item 1A. Risk Factors—Risks Related to Our Operations—Cybersecurity risks and cyber data security incidents could adversely affect our business by causing a disruption to our operations, a compromise or corruption of our confidential information and confidential information in our possession and damage to our business relationships.” and “Item 1A. Risk Factors—Risks Related to Our Legal and Regulatory Environment—Increased data protection regulation may result in increased complexities and risk in connection with the operation of our business and our products.” Additionally, although we have insurance coverage for cybersecurity events, there can be no assurance that we will be able to maintain our insurance coverage or it will be enough to cover the cost associated with one or more cybersecurity events. See “Item 1A. Risk Factors—Risks Related to Our Legal and Regulatory Environment—We may not be able to maintain sufficient insurance to cover us for potential litigation or other risks.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Our cybersecurity policies and processes are overseen by the Audit Committee of our Board. Our cybersecurity program is focused on (i) protecting confidential business, client, investor and employee information that we store or process; (ii) maintaining the security and availability of our systems and data; (iii) supporting compliance with applicable laws and regulations; (iv) documenting cybersecurity incidents and our responses; and (v) notification of cybersecurity incidents to, and communications with, appropriate internal and external parties.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
We have developed an incident response framework to identify, assess, manage and report cybersecurity events, which is managed and implemented by our Cyber Risk Operating Committee (the “C-ROC”), a cross-functional management committee that includes our General Counsel, Chief Operating Officer, Chief Compliance Officer and IT Management. The incident response framework determines when the C-ROC should provide notifications regarding certain cybersecurity incidents, with different severity thresholds triggering notifications to different recipient groups, including senior members of management, our Audit Committee or our Board. The C-ROC is responsible for gathering information with respect to a cybersecurity incident, assessing its severity and potential responses, as well as communicating with senior management and the Audit Committee or full Board, as appropriate. This framework contemplates conducting simulated cybersecurity incident response exercises with members of senior management on an interim basis in coordination with external cyber counsel.
Our cybersecurity program, which is overseen by the C-ROC, is managed by IT Management as part of its responsibility for enterprise-wide cybersecurity strategy, policies, implementing our monitoring and alert response processes, vulnerability management, changes made to our critical systems, including software and network changes and various other technological and administrative safeguards. The team is led by our Chief Technology Officer, who has over 25 years of experience advising
on technology strategy, including digital transformation, cybersecurity, business analytics and infrastructure, and our Head of Technology Infrastructure, who has over 20 years of experience in the information technology field with a focus on IT risk governance and management, information security, incident response capabilities and assessing effectiveness of controls. The C-ROC meets regularly and forms cross-enterprise teams, as needed, to manage and implement key policies and initiatives of our cybersecurity program.
Our Board has delegated the primary responsibility for oversight and review of guidelines and policies with respect to risk assessment and risk management, including cybersecurity risk, to the Audit Committee. Our Chief Technology Officer periodically reports to the Audit Committee as well as the full Board, as appropriate, on cybersecurity matters. Such reporting includes updates on our cybersecurity program, the external threat environment and our programs to address and mitigate the risks associated with the evolving cybersecurity threat environment. These reports also include updates on our preparedness, prevention, detection, responsiveness and recovery with respect to cyber incidents.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board has delegated the primary responsibility for oversight and review of guidelines and policies with respect to risk assessment and risk management, including cybersecurity risk, to the Audit Committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Chief Technology Officer periodically reports to the Audit Committee as well as the full Board, as appropriate, on cybersecurity matters. Such reporting includes updates on our cybersecurity program, the external threat environment and our programs to address and mitigate the risks associated with the evolving cybersecurity threat environment. These reports also include updates on our preparedness, prevention, detection, responsiveness and recovery with respect to cyber incidents
|Cybersecurity Risk Role of Management [Text Block]
|is managed and implemented by our Cyber Risk Operating Committee (the “C-ROC”), a cross-functional management committee that includes our General Counsel, Chief Operating Officer, Chief Compliance Officer and IT Management. The incident response framework determines when the C-ROC should provide notifications regarding certain cybersecurity incidents, with different severity thresholds triggering notifications to different recipient groups, including senior members of management, our Audit Committee or our Board. The C-ROC is responsible for gathering information with respect to a cybersecurity incident, assessing its severity and potential responses, as well as communicating with senior management and the Audit Committee or full Board, as appropriate. This framework contemplates conducting simulated cybersecurity incident response exercises with members of senior management on an interim basis in coordination with external cyber counsel.Our cybersecurity program, which is overseen by the C-ROC, is managed by IT Management as part of its responsibility for enterprise-wide cybersecurity strategy, policies, implementing our monitoring and alert response processes, vulnerability management, changes made to our critical systems, including software and network changes and various other technological and administrative safeguards.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The team is led by our Chief Technology Officer, who has over 25 years of experience advising on technology strategy, including digital transformation, cybersecurity, business analytics and infrastructure, and our Head of Technology Infrastructure, who has over 20 years of experience in the information technology field with a focus on IT risk governance and management, information security, incident response capabilities and assessing effectiveness of controls.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The team is led by our Chief Technology Officer, who has over 25 years of experience advising on technology strategy, including digital transformation, cybersecurity, business analytics and infrastructure, and our Head of Technology Infrastructure, who has over 20 years of experience in the information technology field with a focus on IT risk governance and management, information security, incident response capabilities and assessing effectiveness of controls.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our Chief Technology Officer periodically reports to the Audit Committee as well as the full Board, as appropriate, on cybersecurity matters. Such reporting includes updates on our cybersecurity program, the external threat environment and our programs to address and mitigate the risks associated with the evolving cybersecurity threat environment. These reports also include updates on our preparedness, prevention, detection, responsiveness and recovery with respect to cyber incidents.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef