|
Cybersecurity Risk Management, Strategy, and Governance
$ in Thousands
|12 Months Ended
|
Dec. 31, 2024
USD ($)
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 1C. Cybersecurity.
We maintain a risk-based cybersecurity program, including various protections designed to safeguard against cyber attacks and manage material information and cybersecurity risks to address the confidentiality, integrity, and availability of our critical systems and information. This program includes:
• the implementation of access controls, firewalls and virus detection software;
• the establishment (and periodic testing) of our disaster recovery plan, including protecting against business interruption by backing up our major systems;
• periodic scans of our environment for vulnerabilities and engagement of third parties to perform penetration testing and assess effectiveness of our information security practices; and
• the maintenance of insurance that currently includes cybersecurity coverage.
In the normal course of business, we also collect and store certain sensitive Company information, including proprietary and confidential business information, trade secrets, intellectual property, customer information including bank account information and invoice and payment information, sensitive third-party information and employee information, and certain personal information. To protect this information and our systems, our existing cybersecurity protections include monitoring and detection programs and technical security measures. Additionally, we have processes in place that are designed to assess and manage cybersecurity risks associated with our use of higher-risk third-party service providers.
Governance—Board Oversight and Management’s Role in Assessing and Managing Cybersecurity Risks
Our board of directors and Chief Executive Officer have ultimate accountability for risk. This includes oversight of our risk management program, which includes risks from cybersecurity threats. Our board of directors and Chief Executive Officer, including through the risk management committee of our board of directors, provide oversight to ensure the appropriate measures are in place so that management can identify, assess, prioritize, and respond to risk, including cybersecurity risks. We believe our board of directors, the risk management committee of our board of directors, and our Chief Executive Officer collectively have the requisite experience, knowledge, inquisitiveness, and visibility into the design and operation of our information security practices to fulfill this responsibility effectively.
Processes for Assessing, Identifying, and Managing Cybersecurity Risks
At an operating level, our cybersecurity program is led by our Chief Information Officer ("CIO") and our Chief Information Security Officer ("CISO"). Our CIO has over 20 years of information technology experience that spans architecture and design, governance, disaster recovery, department development, and risk identification and remediation. In addition, our CISO has over 25 years of cybersecurity experience with a skill set that includes incident and remediation management, company-wide training, and the creation and implementation of cybersecurity compliance programs that address administrative, physical, and technical safeguards.
Our cybersecurity program incorporates industry-standard frameworks, policies and practices designed to protect the privacy and security of our sensitive information. Our cybersecurity leadership regularly reports to the board of directors and its risk management committees on information security and cybersecurity matters, including risk assessments, incident responses, and strategic initiatives aimed at mitigating potential threats. For example, the risk management committee in conjunction with management and our enterprise risk management team reviews and discusses cybersecurity metrics on a regular basis that include phishing incidents and training, vulnerability management, and security incident trends.
We have implemented policies, standards, and technical controls based on the National Institute of Standards and Technology ("NIST") framework with the aim of protecting our networks and applications, to safeguard the confidentiality of sensitive information entrusted to us. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
Material Impacts from Cybersecurity Threats and Incidents
Despite the implementation of our cybersecurity program, our security measures cannot guarantee that a significant cyber-attack will not occur. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Risk Factors” for additional information about the risks to our business associated with a breach or compromise to our information technology systems.
In early April 2023, we detected a cybersecurity incident as part of our routine security monitoring protocols. In response to the incident, we undertook an investigation with the support of leading cybersecurity experts, reached out to law enforcement, accelerated planned security enhancements, and have taken and will continue to take actions to implement additional safeguards.
The investigation determined that the incident primarily affected systems that were used for back-office activities. Data was exfiltrated from these systems and posted on the dark web. The data consisted of confidential information from our files, including personally identifiable information, primarily information of our employees, former employees, and their dependents, and the bank account information of some customers and other sensitive Company information. We cooperated with inquiries about the incident from three state consumer and financial service regulators, provided notices to impacted customers and individuals, and complied with regulatory requirements of various states that address notice and credit monitoring. We delivered all required notices during the fourth quarter of 2023 and consider our investigation to be complete.
During the fiscal year ended December 31, 2024, we incurred $302 in response costs related to the incident, including professional services and legal fees, before insurance recoveries. We do not expect to experience material expenses and costs associated with our response to this cybersecurity incident during 2025. No liability for losses has been recorded related to the incident as of December 31, 2024.
We maintain cyber insurance coverage and have tendered claims for certain expenses incurred in connection with this event. During the year ended December 31, 2024, we recovered $2.1 million from our insurer. Insurance recoveries are recorded as a reduction of general and administrative expense. Refer to Note 13 of the Notes to Consolidated Financial Statements included elsewhere in this Annual Report on Form 10-K for additional information concerning the incident.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Our board of directors and Chief Executive Officer have ultimate accountability for risk. This includes oversight of our risk management program, which includes risks from cybersecurity threats. Our board of directors and Chief Executive Officer, including through the risk management committee of our board of directors, provide oversight to ensure the appropriate measures are in place so that management can identify, assess, prioritize, and respond to risk, including cybersecurity risks.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|
Material Impacts from Cybersecurity Threats and Incidents
Despite the implementation of our cybersecurity program, our security measures cannot guarantee that a significant cyber-attack will not occur. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Risk Factors” for additional information about the risks to our business associated with a breach or compromise to our information technology systems.
In early April 2023, we detected a cybersecurity incident as part of our routine security monitoring protocols. In response to the incident, we undertook an investigation with the support of leading cybersecurity experts, reached out to law enforcement, accelerated planned security enhancements, and have taken and will continue to take actions to implement additional safeguards.
The investigation determined that the incident primarily affected systems that were used for back-office activities. Data was exfiltrated from these systems and posted on the dark web. The data consisted of confidential information from our files, including personally identifiable information, primarily information of our employees, former employees, and their dependents, and the bank account information of some customers and other sensitive Company information. We cooperated with inquiries about the incident from three state consumer and financial service regulators, provided notices to impacted customers and individuals, and complied with regulatory requirements of various states that address notice and credit monitoring. We delivered all required notices during the fourth quarter of 2023 and consider our investigation to be complete.
During the fiscal year ended December 31, 2024, we incurred $302 in response costs related to the incident, including professional services and legal fees, before insurance recoveries. We do not expect to experience material expenses and costs associated with our response to this cybersecurity incident during 2025. No liability for losses has been recorded related to the incident as of December 31, 2024.
We maintain cyber insurance coverage and have tendered claims for certain expenses incurred in connection with this event. During the year ended December 31, 2024, we recovered $2.1 million from our insurer. Insurance recoveries are recorded as a reduction of general and administrative expense. Refer to Note 13 of the Notes to Consolidated Financial Statements included elsewhere in this Annual Report on Form 10-K for additional information concerning the incident.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance—Board Oversight and Management’s Role in Assessing and Managing Cybersecurity Risks
Our board of directors and Chief Executive Officer have ultimate accountability for risk. This includes oversight of our risk management program, which includes risks from cybersecurity threats. Our board of directors and Chief Executive Officer, including through the risk management committee of our board of directors, provide oversight to ensure the appropriate measures are in place so that management can identify, assess, prioritize, and respond to risk, including cybersecurity risks. We believe our board of directors, the risk management committee of our board of directors, and our Chief Executive Officer collectively have the requisite experience, knowledge, inquisitiveness, and visibility into the design and operation of our information security practices to fulfill this responsibility effectively.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our board of directors and Chief Executive Officer have ultimate accountability for risk. This includes oversight of our risk management program, which includes risks from cybersecurity threats.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our cybersecurity leadership regularly reports to the board of directors and its risk management committees on information security and cybersecurity matters, including risk assessments, incident responses, and strategic initiatives aimed at mitigating potential threats. For example, the risk management committee in conjunction with management and our enterprise risk management team reviews and discusses cybersecurity metrics on a regular basis that include phishing incidents and training, vulnerability management, and security incident trends.
|Cybersecurity Risk Role of Management [Text Block]
|
Governance—Board Oversight and Management’s Role in Assessing and Managing Cybersecurity Risks
Our board of directors and Chief Executive Officer have ultimate accountability for risk. This includes oversight of our risk management program, which includes risks from cybersecurity threats. Our board of directors and Chief Executive Officer, including through the risk management committee of our board of directors, provide oversight to ensure the appropriate measures are in place so that management can identify, assess, prioritize, and respond to risk, including cybersecurity risks. We believe our board of directors, the risk management committee of our board of directors, and our Chief Executive Officer collectively have the requisite experience, knowledge, inquisitiveness, and visibility into the design and operation of our information security practices to fulfill this responsibility effectively.
Processes for Assessing, Identifying, and Managing Cybersecurity Risks
At an operating level, our cybersecurity program is led by our Chief Information Officer ("CIO") and our Chief Information Security Officer ("CISO"). Our CIO has over 20 years of information technology experience that spans architecture and design, governance, disaster recovery, department development, and risk identification and remediation. In addition, our CISO has over 25 years of cybersecurity experience with a skill set that includes incident and remediation management, company-wide training, and the creation and implementation of cybersecurity compliance programs that address administrative, physical, and technical safeguards.
Our cybersecurity program incorporates industry-standard frameworks, policies and practices designed to protect the privacy and security of our sensitive information. Our cybersecurity leadership regularly reports to the board of directors and its risk management committees on information security and cybersecurity matters, including risk assessments, incident responses, and strategic initiatives aimed at mitigating potential threats. For example, the risk management committee in conjunction with management and our enterprise risk management team reviews and discusses cybersecurity metrics on a regular basis that include phishing incidents and training, vulnerability management, and security incident trends.
We have implemented policies, standards, and technical controls based on the National Institute of Standards and Technology ("NIST") framework with the aim of protecting our networks and applications, to safeguard the confidentiality of sensitive information entrusted to us. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our board of directors and Chief Executive Officer, including through the risk management committee of our board of directors, provide oversight to ensure the appropriate measures are in place so that management can identify, assess, prioritize, and respond to risk, including cybersecurity risks. We believe our board of directors, the risk management committee of our board of directors, and our Chief Executive Officer collectively have the requisite experience, knowledge, inquisitiveness, and visibility into the design and operation of our information security practices to fulfill this responsibility effectively.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CIO has over 20 years of information technology experience that spans architecture and design, governance, disaster recovery, department development, and risk identification and remediation. In addition, our CISO has over 25 years of cybersecurity experience with a skill set that includes incident and remediation management, company-wide training, and the creation and implementation of cybersecurity compliance programs that address administrative, physical, and technical safeguards.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our cybersecurity leadership regularly reports to the board of directors and its risk management committees on information security and cybersecurity matters, including risk assessments, incident responses, and strategic initiatives aimed at mitigating potential threats. For example, the risk management committee in conjunction with management and our enterprise risk management team reviews and discusses cybersecurity metrics on a regular basis that include phishing incidents and training, vulnerability management, and security incident trends.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|Cybersecurity expenses
|$ 302
|Insurance recoveries reduction of general and administrative expense
|$ 2,100