|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
The Group has adopted a comprehensive risk management system to manage various risks that it faces, including financial risks, operational risks, compliance risks, public opinion risks, risks associated with stability of information technology systems, cybersecurity risks and supplier management risks. Cybersecurity risk management is a core component of the Group’s overall risk management framework. The Group has established an array of risk management procedures to identify, assess and manage such risks, including risk identification, risk assessment, risk control and risk monitoring. The Group has also implemented procedural design, evaluation mechanism as well as risk grading and liability assessment mechanism to enhance its risk management. Set forth below are measures that the Group undertakes to manage cybersecurity risks.
Cybersecurity Safeguard Committee
The Group has formed a Cybersecurity Safeguard Committee, which is led by its management and comprised of personnel from its legal department, internal audit, security risk control department and various business departments, to carry out cybersecurity risk management. The security risk control department is an independent department under the Group’s customer experience division dedicated to managing cybersecurity risks. The security risk control department is composed of different working groups specialized in network security, terminal security, data security, privacy compliance, security development and security operation.
Internal Policies and Procedures
The Group has established a three-tiered cybersecurity governance structure, encompassing decision-making, supervision, and implementation, and adopted four-level cybersecurity governance policies, with reference to international and industry cybersecurity standards, such as ISO27001 and ISO27701, as well as the requirements of classified cybersecurity protection and other regulatory requirements. The four-level cybersecurity governance policies include:
The Group has also adopted a series of policies and measures on how to prevent, identify, assess and remediate risks from cybersecurity threats:
Technical Measures
The Group has implemented various technical measures, such as real-time traffic log monitoring, host-based vulnerability scanning, transmission encryption and authentication, FW and IPS, in order to timely identify and address cybersecurity threats and protect the security, availability, processing integrity, confidentiality and privacy of its information technology systems and data stored in its systems. For more details on the Group’s data protection measures, see “Item 4. Information on the Company— B. Business Overview—Personal Data and Privacy.”
Engagement of Third-Party Service Providers
The Group has engaged independent auditors and consulting firms to conduct independent audits and assessments on and provide consultancy services for its compliance with the internal control requirements under the Sarbanes-Oxley Act of 2002, and IT general controls (ITGC) is an important part of it. ITGC audits and consultancy cover cybersecurity, including information technology governance, information security (network and data security), access controls, system change management and operation maintenance management.
In addition, to comply with the requirements under the Cybersecurity Law and Data Security Law and enhance the security of the Group’s information technology systems, it has engaged third-party agencies to perform classifications, filings, assessments and rectifications for hierarchical cybersecurity protection on a periodic basis. The Group obtained the Two-Star Recognition of Personal Information Protection Impact Assessment from the China Academy of Information and Communications Technology and Certificate for Classified Cybersecurity Protection.
The Group has adopted third-party security assessment procedures and data outflow control procedures to manage risks from cybersecurity threats associated with its use of any third-party service provider. The Group performs security assessments on third parties that provide information technology systems to it or have access to its data by assessing their basic data security capabilities, information security compliance and application security vulnerabilities. All data outbound transfers to third parties require internal approval, and upon approval, data shall be transmitted externally via email or other traceable means and highly sensitive data shall be transmitted in a virtual machine environment.
The Group enters into a Data Security Confidentiality Agreement with third-party suppliers before engaging them to stipulate the cybersecurity responsibilities of such third parties and remediation measures to be taken in the event of cybersecurity incidents. When data are transmitted through API interfaces, the Group monitors the sensitivity and volume of data involved in API calls and the authority of interfaces through API interface monitoring applications.
For third-party developers, the Group has adopted External Consultant Engagement and Daily Management Standards to set out the engagement process of third-party developers and related information security matters.
Risks from Cybersecurity Threats
As the Group generates and processes a large amount of data through the FTA platform and relies on its information technology systems for its business operations, it faces risks associated with cybersecurity threats. For more details, see “Item 4. Information on the Company—D. Risk Factors—Risks Relating to Our Business and Industry—The Group’s business is subject to complex and evolving PRC laws and regulations relating to cybersecurity and data security”; “—The Group’s business generates, collects, stores and processes a large amount of data, which include sensitive personal information and may include data that may be deemed core data or material data. The improper processing of such data by the Group, its employees or business partners could materially and adversely affect the Group’s reputation, business, results of operations and financial condition”; and “—Any significant disruption in the Group’s mobile apps and information technology systems, including events beyond the Group’s control, could prevent the Group from offering its solutions and services or reduce their attractiveness.”
Cybersecurity Governance
Management
The Group’s management is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents primarily through (i) Cybersecurity Safeguard Committee, (ii) security risk control, legal and internal audit departments, and (iii) review and approval of cybersecurity-related policies and procedures.
Cybersecurity Safeguard Committee
The Group’s Cybersecurity Safeguard Committee, led by its management, is in charge of cybersecurity risk management, including assessing and managing material risks from cybersecurity threats, as well as prevention (through implementation of policies and cybersecurity awareness training), detection, mitigation and remediation of cybersecurity incidents. The committee reports its cybersecurity work to the management through periodic meetings. The committee is co-led by the head of the Group’s customer experience division, Mr. Qi Zhang, and its Chief Public Affairs and Risk Officer, Mr. Kai Shen.
Mr. Zhang has a Master’s degree in cybersecurity and extensive experience in cybersecurity and risk management. Prior to joining the Group, Mr. Zhang worked in a high-tech company and a large Internet company and was in charge of establishment and management of information system and cybersecurity management. Currently, Mr. Zhang is in charge of the Group’s customer experience division and is responsible for security and risk prevention and management. His work consists of establishing the Group’s cybersecurity risk management framework, building up the Group’s cybersecurity governance and technical capabilities, including perimeter security protection, data security and privacy compliance, and formulating cybersecurity policies and procedures tailored to the Group’s business characteristics with a focus on prevention, risk control and continuous improvement.
Mr. Shen is experienced in compliance and internal audit. Prior to joining the Group, Mr. Shen served as a senior legal director at Alibaba Group, responsible for legal affairs and internal audit. Mr. Shen currently leads the Group’s legal and internal audit departments to interpret and review cybersecurity-related laws, regulations and policies, and perform internal audits on the implementation of cybersecurity-related policies and procedures.
Cybersecurity, Legal and Internal Audit Departments
The Group’s security risk control, legal and internal audit departments also perform different functions with respect to cybersecurity management. The legal department is responsible for interpreting cybersecurity-related laws and regulations and reviewing cybersecurity-related internal policies. The internal audit department is responsible for internal audits on the implementation of cybersecurity-related policies and procedures. The internal audit department and the legal department jointly report to the Group’s Chief Risk Officer and General Counsel. The security risk control department is responsible for formulating and implementing cybersecurity-related policies and procedures, and reports to the head of the Group’s customer experience division and leaders of the Cybersecurity Safeguard Committee.
Policy Review and Approval
All cybersecurity-related internal policies shall be reviewed and approved by the management personnel in charge of the proposing department as well as the Chief Executive Officer or the President prior to adoption.
Based on information obtained through such channels, the Group’s management makes assessments of cybersecurity risks and incidents and reports the nature, origin and potential impact of cybersecurity risks and incidents to the board of directors based on an assessment of materiality so that the board can learn about material cybersecurity risks and incidents on a timely basis and make decisions accordingly. In addition, to keep the board regularly informed about cybersecurity matters, the management makes periodic reports to the board on cybersecurity risk management and governance at board meetings, has live discussions with the board and addresses their questions.
Board of Directors
Our board of directors is responsible for and engaged in the oversight of our continuous efforts in monitoring, assessing and managing the risks associated with cybersecurity threats or incidents. The board reviews reports from management on material cybersecurity risks and incidents and discusses remediation plans with the management. At board meetings, the board also hears periodic reports from the management on cybersecurity risk management and governance and has follow-up discussions with the management. The management regularly reports to the board on material cybersecurity management progress, cybersecurity risks and response plans and progress. The management is also responsible for promptly reporting material cybersecurity incidents to the board as they arise.
In addition, our audit committee is responsible for risk assessment and risk management, including risks relating to cybersecurity threats or incidents. The responsibilities of our audit committee include discussing policies with respect to risk assessment and risk management periodically with the management, internal auditors, and independent auditors, and our plans or processes to monitor, control and minimize such risks and exposures.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
The Group has adopted a comprehensive risk management system to manage various risks that it faces, including financial risks, operational risks, compliance risks, public opinion risks, risks associated with stability of information technology systems, cybersecurity risks and supplier management risks. Cybersecurity risk management is a core component of the Group’s overall risk management framework. The Group has established an array of risk management procedures to identify, assess and manage such risks, including risk identification, risk assessment, risk control and risk monitoring. The Group has also implemented procedural design, evaluation mechanism as well as risk grading and liability assessment mechanism to enhance its risk management. Set forth below are measures that the Group undertakes to manage cybersecurity risks.
Cybersecurity Safeguard Committee
The Group has formed a Cybersecurity Safeguard Committee, which is led by its management and comprised of personnel from its legal department, internal audit, security risk control department and various business departments, to carry out cybersecurity risk management. The security risk control department is an independent department under the Group’s customer experience division dedicated to managing cybersecurity risks. The security risk control department is composed of different working groups specialized in network security, terminal security, data security, privacy compliance, security development and security operation.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|As the Group generates and processes a large amount of data through the FTA platform and relies on its information technology systems for its business operations, it faces risks associated with cybersecurity threats. For more details, see “Item 4. Information on the Company—D. Risk Factors—Risks Relating to Our Business and Industry—The Group’s business is subject to complex and evolving PRC laws and regulations relating to cybersecurity and data security”; “—The Group’s business generates, collects, stores and processes a large amount of data, which include sensitive personal information and may include data that may be deemed core data or material data. The improper processing of such data by the Group, its employees or business partners could materially and adversely affect the Group’s reputation, business, results of operations and financial condition”; and “—Any significant disruption in the Group’s mobile apps and information technology systems, including events beyond the Group’s control, could prevent the Group from offering its solutions and services or reduce their attractiveness.”
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Our board of directors is responsible for and engaged in the oversight of our continuous efforts in monitoring, assessing and managing the risks associated with cybersecurity threats or incidents. The board reviews reports from management on material cybersecurity risks and incidents and discusses remediation plans with the management. At board meetings, the board also hears periodic reports from the management on cybersecurity risk management and governance and has follow-up discussions with the management. The management regularly reports to the board on material cybersecurity management progress, cybersecurity risks and response plans and progress. The management is also responsible for promptly reporting material cybersecurity incidents to the board as they arise.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|audit committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our audit committee is responsible for risk assessment and risk management, including risks relating to cybersecurity threats or incidents. The responsibilities of our audit committee include discussing policies with respect to risk assessment and risk management periodically with the management, internal auditors, and independent auditors, and our plans or processes to monitor, control and minimize such risks and exposures.
|Cybersecurity Risk Role of Management [Text Block]
|The Group has established a three-tiered cybersecurity governance structure, encompassing decision-making, supervision, and implementation, and adopted four-level cybersecurity governance policies, with reference to international and industry cybersecurity standards, such as ISO27001 and ISO27701, as well as the requirements of classified cybersecurity protection and other regulatory requirements. The four-level cybersecurity governance policies include:
The Group has also adopted a series of policies and measures on how to prevent, identify, assess and remediate risks from cybersecurity threats:
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
The Group has formed a Cybersecurity Safeguard Committee, which is led by its management and comprised of personnel from its legal department, internal audit, security risk control department and various business departments, to carry out cybersecurity risk management. The security risk control department is an independent department under the Group’s customer experience division dedicated to managing cybersecurity risks. The security risk control department is composed of different working groups specialized in network security, terminal security, data security, privacy compliance, security development and security operation.
The Group’s Cybersecurity Safeguard Committee, led by its management, is in charge of cybersecurity risk management, including assessing and managing material risks from cybersecurity threats, as well as prevention (through implementation of policies and cybersecurity awareness training), detection, mitigation and remediation of cybersecurity incidents. The committee reports its cybersecurity work to the management through periodic meetings. The committee is co-led by the head of the Group’s customer experience division, Mr. Qi Zhang, and its Chief Public Affairs and Risk Officer, Mr. Kai Shen.
Mr. Zhang has a Master’s degree in cybersecurity and extensive experience in cybersecurity and risk management. Prior to joining the Group, Mr. Zhang worked in a high-tech company and a large Internet company and was in charge of establishment and management of information system and cybersecurity management. Currently, Mr. Zhang is in charge of the Group’s customer experience division and is responsible for security and risk prevention and management. His work consists of establishing the Group’s cybersecurity risk management framework, building up the Group’s cybersecurity governance and technical capabilities, including perimeter security protection, data security and privacy compliance, and formulating cybersecurity policies and procedures tailored to the Group’s business characteristics with a focus on prevention, risk control and continuous improvement.
Mr. Shen is experienced in compliance and internal audit. Prior to joining the Group, Mr. Shen served as a senior legal director at Alibaba Group, responsible for legal affairs and internal audit. Mr. Shen currently leads the Group’s legal and internal audit departments to interpret and review cybersecurity-related laws, regulations and policies, and perform internal audits on the implementation of cybersecurity-related policies and procedures.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
The Group’s security risk control, legal and internal audit departments also perform different functions with respect to cybersecurity management. The legal department is responsible for interpreting cybersecurity-related laws and regulations and reviewing cybersecurity-related internal policies. The internal audit department is responsible for internal audits on the implementation of cybersecurity-related policies and procedures. The internal audit department and the legal department jointly report to the Group’s Chief Risk Officer and General Counsel. The security risk control department is responsible for formulating and implementing cybersecurity-related policies and procedures, and reports to the head of the Group’s customer experience division and leaders of the Cybersecurity Safeguard Committee.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true