|
Cybersecurity Risk Management, Strategy, and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 1C. Cybersecurity
Risk Management and Strategy
The Company takes a risk-based approach to cybersecurity and has implemented cybersecurity policies throughout its operations that are designed to address cybersecurity threats and incidents.
The Company’s cybersecurity program and policies articulate the expectations and requirements with respect to acceptable use, risk management, data privacy, education and awareness, security incident management and reporting, identity and access management, vendor due diligence, security (with respect to physical assets, products, networks, and systems), security monitoring and vulnerability identification. The cybersecurity program and policies are operated by a dedicated cybersecurity team in conjunction with the Company’s enterprise risk management program.
The Company’s cyber risk management program is designed to identify, track, escalate, remediate, and report cybersecurity risks across the Company. These risk areas include internal, product, vendor, supply chain, and external services leveraged across the Company. The Company has a vendor management program that evaluates and oversees cybersecurity risks related to third party vendors providing services to the Company. Any identified risks are assessed, prioritized, and addressed via process, technology, and personnel improvements to help ensure ongoing mitigation and tracking.
The Company’s cybersecurity strategy is guided by risk priorities and identified areas for improvement, which are informed by regulatory requirements and industry standards, such as the Federal Trade Commission’s Safeguards Rule and the National Institute for Standards and Technology (NIST) Cybersecurity Framework, and evolving business needs. This strategy is shared with the executive leadership at least annually. The Company maintains an incident response plan, coupled with a continuous monitoring program. This plan and program include incident alerting, comprehensive incident criticality assessments, and escalation processes to support teams, senior leadership, and the Board.
The Company’s cybersecurity team manages all facets of the security monitoring and incident program,
coordinating with Company engineers and other staff, along with third parties as needed, across our operating companies. All company employees are provided cybersecurity awareness training, which includes topics on the Company’s policies and procedures for reporting potential incidents. The Company’s cybersecurity team evaluates emerging risks, regulations, and compliance matters and updates the policies and procedures accordingly on an ongoing basis.
To date, other than the 2020 Incidents, the Company has not experienced a cybersecurity threat or incident that has materially affected or that we believe is reasonably likely to materially affect the Company including its business strategy, results of operations or financial condition. Refer to the risk factor captioned “Cyberattacks and other security breaches or disruptions suffered by us or third parties upon which we rely could have a materially adverse effect on our business, harm our reputation and expose us to public scrutiny and liability.” in Part I, Item 1A. “Risk Factors” for additional description of cybersecurity risks and potential related impacts on the Company.
Governance
The Board oversees the Company’s risk management process, including cybersecurity risks, directly and through its committees. Pursuant to the Audit Committee Charter, the Audit Committee of the Board provides compliance oversight to the Company’s risk assessment and risk management policies, including for cybersecurity, and the steps management has taken to monitor and mitigate cybersecurity exposures and risks.
The Company’s Director of Security and Information Technology (DSIT), in coordination with the Company’s Vice President of Technology, is responsible for leading the assessment and management of cybersecurity risks. The current DSIT has over 18 years of experience in information security. The DSIT reports to the Board and
management on cybersecurity risk assessment, policies, incident prevention, detection, mitigation, and remediation of cybersecurity incidents on a quarterly basis or as needed.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
The Company’s cybersecurity program and policies articulate the expectations and requirements with respect to acceptable use, risk management, data privacy, education and awareness, security incident management and reporting, identity and access management, vendor due diligence, security (with respect to physical assets, products, networks, and systems), security monitoring and vulnerability identification. The cybersecurity program and policies are operated by a dedicated cybersecurity team in conjunction with the Company’s enterprise risk management program.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Board oversees the Company’s risk management process, including cybersecurity risks, directly and through its committees. Pursuant to the Audit Committee Charter, the Audit Committee of the Board provides compliance oversight to the Company’s risk assessment and risk management policies, including for cybersecurity, and the steps management has taken to monitor and mitigate cybersecurity exposures and risks.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Pursuant to the Audit Committee Charter, the Audit Committee of the Board provides compliance oversight to the Company’s risk assessment and risk management policies, including for cybersecurity, and the steps management has taken to monitor and mitigate cybersecurity exposures and risks.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The DSIT reports to the Board and
management on cybersecurity risk assessment, policies, incident prevention, detection, mitigation, and remediation of cybersecurity incidents on a quarterly basis or as needed.
|Cybersecurity Risk Role of Management [Text Block]
|
The Company’s Director of Security and Information Technology (DSIT), in coordination with the Company’s Vice President of Technology, is responsible for leading the assessment and management of cybersecurity risks. The current DSIT has over 18 years of experience in information security. The DSIT reports to the Board and
management on cybersecurity risk assessment, policies, incident prevention, detection, mitigation, and remediation of cybersecurity incidents on a quarterly basis or as needed.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Company’s Director of Security and Information Technology (DSIT), in coordination with the Company’s Vice President of Technology, is responsible for leading the assessment and management of cybersecurity risks.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The current DSIT has over 18 years of experience in information security.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The DSIT reports to the Board and
management on cybersecurity risk assessment, policies, incident prevention, detection, mitigation, and remediation of cybersecurity incidents on a quarterly basis or as needed.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef