|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk management and strategy
We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property and confidential information that is proprietary, strategic or competitive in nature, including information regarding our product architecture, software, algorithms, and applications (“Information Systems and Data”).
Our information security function is supported by members of our legal team and a third party service provider, which helps identify, assess and manage the Company’s cybersecurity threats and risks, including through the use of the Company’s risk register. This team identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment and the Company’s risk profile using various methods including, for example: manual and automated tools; subscribing to and analyzing reports and services that identify cybersecurity threats; conducting scans of our threat environment; evaluating threats reported to us; conducting vulnerability assessments to identify vulnerabilities; and analyzing external threat intelligence feeds.
Depending on the environment, product, or system, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: performing risk analyses, establishing an incident response policy, having vulnerability management processes, and implementing certain security certificates for certain functions of our business; encrypting certain data, using network security controls; segregating data; maintaining access and physical security controls; managing, tracking, and disposing of assets; and monitoring our systems. In addition, we may refer to and perform assessments against the Center for Internet Security’s Critical Security Controls to help inform our cybersecurity program, as well as perform assessments such as penetration tests.
Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes. For example, (1) cybersecurity risk is addressed as a component of the Company’s enterprise risk management program and identified in the Company’s risk register; (2) our information security function works with management, including our Chief Technology Officer (“CTO”), to prioritize our risk management processes and mitigate cybersecurity threats that could more likely lead to a material impact to our business; (3) our senior management/committee evaluates material risks from cybersecurity threats against our overall business objectives and on a quarterly basis reports to the cybersecurity subcommittee of the audit committee of the board of directors, with the cybersecurity subcommittee reporting to the audit committee of the board of directors, which oversees our cybersecurity risk as part of our overall enterprise risk.
We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example: professional service firms; threat intelligence service providers; cybersecurity consultants; and cybersecurity software and managed cybersecurity service providers. We use third-party service providers to perform a variety of functions throughout our business, such as application providers and public cloud providers, as well as various third-party suppliers that support our manufacturing and development processes. We use certain vendor management processes to manage cybersecurity risks associated with our use of these providers, which includes reviewing the written information security programs of certain of our vendors. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider. This can extend to contingent workers as well, who are required to complete background investigations and agree to adhere to policies, including for privacy and cybersecurity.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Our information security function is supported by members of our legal team and a third party service provider, which helps identify, assess and manage the Company’s cybersecurity threats and risks, including through the use of the Company’s risk register. This team identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment and the Company’s risk profile using various methods including, for example: manual and automated tools; subscribing to and analyzing reports and services that identify cybersecurity threats; conducting scans of our threat environment; evaluating threats reported to us; conducting vulnerability assessments to identify vulnerabilities; and analyzing external threat intelligence feeds.
Depending on the environment, product, or system, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: performing risk analyses, establishing an incident response policy, having vulnerability management processes, and implementing certain security certificates for certain functions of our business; encrypting certain data, using network security controls; segregating data; maintaining access and physical security controls; managing, tracking, and disposing of assets; and monitoring our systems. In addition, we may refer to and perform assessments against the Center for Internet Security’s Critical Security Controls to help inform our cybersecurity program, as well as perform assessments such as penetration tests.
Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes. For example, (1) cybersecurity risk is addressed as a component of the Company’s enterprise risk management program and identified in the Company’s risk register; (2) our information security function works with management, including our Chief Technology Officer (“CTO”), to prioritize our risk management processes and mitigate cybersecurity threats that could more likely lead to a material impact to our business; (3) our senior management/committee evaluates material risks from cybersecurity threats against our overall business objectives and on a quarterly basis reports to the cybersecurity subcommittee of the audit committee of the board of directors, with the cybersecurity subcommittee reporting to the audit committee of the board of directors, which oversees our cybersecurity risk as part of our overall enterprise risk.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
Our board of directors addresses the Company’s cybersecurity risk management as part of its general oversight function. The board of directors’ audit committee, and specifically the subcommittee for cybersecurity, is responsible for overseeing Company’s cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.
Our cybersecurity risk assessment and management processes are implemented and maintained by our legal team along with third-party service providers in coordination with the CTO. The CTO is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Our CTO is responsible for approving budgets, helping prepare for potential cybersecurity incidents, approving technical cybersecurity processes, and reviewing security assessments and other security-related reports.
Our CTO has over 20 years of experience in engineering and information technology management at various organizations. Our CTO collaborates regularly with our third-party service provider who provides a fractional Chief Information Security Officer, who has extensive experience in cybersecurity and a certification as a CISSP.
Our cybersecurity incident response and vulnerability management processes are designed to escalate certain cybersecurity incidents and vulnerabilities to members of management depending on the circumstances in accordance with the incident response policy, including the CTO, CFO, CEO, and others. Our information security function, together with our CTO, works with the Company’s incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company’s incident response and vulnerability management processes include reporting to the cybersecurity subcommittee of the board of directors’ audit committee for certain cybersecurity incidents in accordance with the incident response plan. The cybersecurity subcommittee receives periodic reports from the CTO, which reflect input from the third-party service provider, concerning the Company’s risk profile, including significant cybersecurity threats and risk and the processes the Company has implemented to address them. The cybersecurity subcommittee also has access to various reports, summaries and presentations related to cybersecurity threats, risk and mitigation.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The board of directors’ audit committee
|Cybersecurity Risk Role of Management [Text Block]
|
Our cybersecurity risk assessment and management processes are implemented and maintained by our legal team along with third-party service providers in coordination with the CTO. The CTO is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Our CTO is responsible for approving budgets, helping prepare for potential cybersecurity incidents, approving technical cybersecurity processes, and reviewing security assessments and other security-related reports.
Our CTO has over 20 years of experience in engineering and information technology management at various organizations. Our CTO collaborates regularly with our third-party service provider who provides a fractional Chief Information Security Officer, who has extensive experience in cybersecurity and a certification as a CISSP.
Our cybersecurity incident response and vulnerability management processes are designed to escalate certain cybersecurity incidents and vulnerabilities to members of management depending on the circumstances in accordance with the incident response policy, including the CTO, CFO, CEO, and others. Our information security function, together with our CTO, works with the Company’s incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company’s incident response and vulnerability management processes include reporting to the cybersecurity subcommittee of the board of directors’ audit committee for certain cybersecurity incidents in accordance with the incident response plan. The cybersecurity subcommittee receives periodic reports from the CTO, which reflect input from the third-party service provider, concerning the Company’s risk profile, including significant cybersecurity threats and risk and the processes the Company has implemented to address them. The cybersecurity subcommittee also has access to various reports, summaries and presentations related to cybersecurity threats, risk and mitigation.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|CTO
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Our CTO has over 20 years of experience in engineering and information technology management at various organizations. Our CTO collaborates regularly with our third-party service provider who provides a fractional Chief Information Security Officer, who has extensive experience in cybersecurity and a certification as a CISSP.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our cybersecurity incident response and vulnerability management processes are designed to escalate certain cybersecurity incidents and vulnerabilities to members of management depending on the circumstances in accordance with the incident response policy, including the CTO, CFO, CEO, and others. Our information security function, together with our CTO, works with the Company’s incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company’s incident response and vulnerability management processes include reporting to the cybersecurity subcommittee of the board of directors’ audit committee for certain cybersecurity incidents in accordance with the incident response plan.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef