|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 16K. CYBERSECURITY
We have implemented and continuously maintain a comprehensive Information Security Management System (ISMS) aligned with internationally recognized frameworks, particularly ISO/IEC 27001 and the NIST Cybersecurity Framework. This system enables us to systematically analyze, identify, and manage information security risks that may impact the confidentiality, integrity, and availability of our systems and the data they contain. As a testament to our enduring commitment to robust information security practices, our organization has achieved ISO/IEC 27001 certification, affirming the high standards of our governance, security controls, and continuous improvement mechanisms. Furthermore, our organization holds an “A” rating from SecurityScorecard, an independent cybersecurity risk rating platform. This accessible rating reflects the strength of our overall cybersecurity posture.
We routinely and continuously, through our risk management process, assess the effectiveness of our security controls. This assessment encompasses policies, processes, and technological controls that may mitigate the likelihood of cybersecurity threats occurring or the severity of their impact. Additionally, our information security team engages in various activities, including application/system security analysis, vulnerability analysis, information security architecture assessments, routine control maturity assessments, penetration testing, information security incident management, and auditing. These activities contribute to our centralized risk management process.
All stages of the information security risk management process are conducted internally by experienced professionals who are qualified and trained in relation to information security risk management, including systems architecture, network protocols, infrastructure and forensics. External consultants are only engaged in specific situations, such as the applications for new certifications or applying penetration tests.
In terms of risk process management, we have implemented a methodology grounded in frameworks such as COSO (Committee of Sponsoring Organizations of the Treadway Commission), ISO 27005 and ISO 31000 (International Organization for Standardization - Risk Management). These frameworks provide normative guidance on effective assessment, monitoring, and mitigation practices for risks and internal controls. Ultimately, this methodology empowers us to categorize identified risks, offering insights for prioritization and appropriate treatment aligned with the potential impact on our business operations.
and managed by the Information Security and Privacy Commission, composed of our chief technology officer, our security manager, our infrastructure and governance manager, our site reliability engineering manager, our non-executive engineering officer, our non-executive product officer, our internal controls manager, our financial manager, our legal manager, our human resources manager, as well as our information security and cybersecurity leader, which plays a crucial role in overseeing and governing our cybersecurity risk management processes.
An Information Security and Privacy Commission meeting occurs monthly, and members actively engage in discussions related to information security and data privacy issues, with a particular emphasis on cybersecurity risks and their implications for our operations.
The commission's agenda encompasses a range of activities, including regular assessments of our cybersecurity policies and processes, analyses of significant changes to our products, presentations on eventual pertinent cybersecurity incidents and monitoring of key information security maturity indicators.
Additionally, we undertake certain initiatives to prevent potential cybersecurity incidents, such as implementing Security and Privacy By Design framework-based practices in new products and projects. This involves validating various security and privacy aspects during the planning, architectural, development, and implementation phases of each software project.
We also evaluate the information security maturity of third-party suppliers to mitigate associated risks. Periodically, every third-party supplier is invited to complete a questionnaire aimed at assessing the level of risk inherent in their engagement. This process involves validating minimum security requirements to ensure their suitability for providing services to us. Our checklist encompasses various security aspects, such as solution development, data storage, and confidentiality. Depending on the identified risk level, a supplier may be prohibited from providing services to us. Suppliers with lower risk levels have their contracts monitored by the Information Security and Privacy Commission.
In both scenarios, we can proactively identify potential risks, allowing us to mitigate certain cybersecurity risks before the launch of a new product, the completion of a project, or engagement with a new supplier, as necessary.
In terms of organization structure, we adhere to a three lines of defense approach, according to which:
Both the cyber defense and information security teams report to a manager within our technology department responsible for security. This manager reports directly to our chief technology officer. Both such officers possess cybersecurity knowledge and skills acquired from over 20 years of work experience in the technology and security industries, leading technology and cybersecurity teams throughout their careers. For more information on our chief technology officer's background and experience, please see “Item 6. Directors, Senior Management and Employees – A. Directors and Senior Management – Executive Officers.”
We have established a comprehensive protocol, integrated into our organization-wide cybersecurity training, to ensure that all employees are equipped to promptly report any suspected or confirmed cybersecurity incidents to our dedicated Cybersecurity Incident Response Team (CSIRT). Incident reports can be submitted through multiple channels — including employees, service providers, customers, and security monitoring or threat intelligence tools — enabling rapid detection and effective response to potential security threats.
Subsequently, the process progresses through phases of analysis, identification, containment, eradication, recovery, and culminates in the creation of an information security incident report. Stakeholders are promptly informed, promoting transparent communication, followed by the implementation of necessary improvements and recommendations.
To ensure that all employees are knowledgeable about our entire Information Security Management System (ISMS), we have implemented a culture of cybersecurity awareness across the organization, supported by mandatory and recurring training programs. These initiatives are designed to ensure that personnel at all levels remain fully informed of current information security protocols, emerging threats, and best practices. Our training framework includes periodic assessments to reinforce learning outcomes and drive behavioral adherence to security policies.
For additional information about our cybersecurity risks, see “Item 3. Key Information—D. Risk Factors—Certain Risks Relating to Our Business and Industry—Breaches of our networks or systems, or those of our cloud infrastructure providers or our service providers, could degrade our ability to conduct our business, compromise the integrity of our products, platform and data, result in significant data losses and the theft of our intellectual property, damage our reputation, expose us to liability to third parties and require us to incur significant additional costs to maintain the security of our networks and data,” which should be read in conjunction with the information above.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|and managed by the Information Security and Privacy Commission, composed of our chief technology officer, our security manager, our infrastructure and governance manager, our site reliability engineering manager, our non-executive engineering officer, our non-executive product officer, our internal controls manager, our financial manager, our legal manager, our human resources manager, as well as our information security and cybersecurity leader, which plays a crucial role in overseeing and governing our cybersecurity risk management processes.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|Through these comprehensive efforts, we ensure that our organization remains vigilant and proactive in addressing evolving cybersecurity challenges and safeguarding sensitive data.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Both the cyber defense and information security teams report to a manager within our technology department responsible for security. This manager reports directly to our chief technology officer. Both such officers possess cybersecurity knowledge and skills acquired from over 20 years of work experience in the technology and security industries, leading technology and cybersecurity teams throughout their careers. For more information on our chief technology officer's background and experience, please see “Item 6. Directors, Senior Management and Employees – A. Directors and Senior Management – Executive Officers.”
We have established a comprehensive protocol, integrated into our organization-wide cybersecurity training, to ensure that all employees are equipped to promptly report any suspected or confirmed cybersecurity incidents to our dedicated Cybersecurity Incident Response Team (CSIRT). Incident reports can be submitted through multiple channels — including employees, service providers, customers, and security monitoring or threat intelligence tools — enabling rapid detection and effective response to potential security threats.
Subsequently, the process progresses through phases of analysis, identification, containment, eradication, recovery, and culminates in the creation of an information security incident report. Stakeholders are promptly informed, promoting transparent communication, followed by the implementation of necessary improvements and recommendations.
To ensure that all employees are knowledgeable about our entire Information Security Management System (ISMS), we have implemented a culture of cybersecurity awareness across the organization, supported by mandatory and recurring training programs. These initiatives are designed to ensure that personnel at all levels remain fully informed of current information security protocols, emerging threats, and best practices. Our training framework includes periodic assessments to reinforce learning outcomes and drive behavioral adherence to security policies.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Both the cyber defense and information security teams report to a manager within our technology department responsible for security.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|We have established a comprehensive protocol, integrated into our organization-wide cybersecurity training, to ensure that all employees are equipped to promptly report any suspected or confirmed cybersecurity incidents to our dedicated Cybersecurity Incident Response Team (CSIRT). Incident reports can be submitted through multiple channels — including employees, service providers, customers, and security monitoring or threat intelligence tools — enabling rapid detection and effective response to potential security threats.
|Cybersecurity Risk Role of Management [Text Block]
|
We have established a comprehensive protocol, integrated into our organization-wide cybersecurity training, to ensure that all employees are equipped to promptly report any suspected or confirmed cybersecurity incidents to our dedicated Cybersecurity Incident Response Team (CSIRT). Incident reports can be submitted through multiple channels — including employees, service providers, customers, and security monitoring or threat intelligence tools — enabling rapid detection and effective response to potential security threats.
Subsequently, the process progresses through phases of analysis, identification, containment, eradication, recovery, and culminates in the creation of an information security incident report. Stakeholders are promptly informed, promoting transparent communication, followed by the implementation of necessary improvements and recommendations.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
We have established a comprehensive protocol, integrated into our organization-wide cybersecurity training, to ensure that all employees are equipped to promptly report any suspected or confirmed cybersecurity incidents to our dedicated Cybersecurity Incident Response Team (CSIRT). Incident reports can be submitted through multiple channels — including employees, service providers, customers, and security monitoring or threat intelligence tools — enabling rapid detection and effective response to potential security threats.
Subsequently, the process progresses through phases of analysis, identification, containment, eradication, recovery, and culminates in the creation of an information security incident report. Stakeholders are promptly informed, promoting transparent communication, followed by the implementation of necessary improvements and recommendations.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Both such officers possess cybersecurity knowledge and skills acquired from over 20 years of work experience in the technology and security industries, leading technology and cybersecurity teams throughout their careers.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Furthermore, if a security incident presents a material impact, our dedicated non-executive officer and/or chief technology officer will promptly notify our audit committee, composed of members from our board of directors.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true