|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We rely on information technology networks and systems and data processing to manage a variety of business processes and activities, including, without limitation, to process customer payments and conduct our marketing efforts. We have implemented and maintain various information security processes designed to identify, assess, and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic, or competitive in nature, and customer data.
We utilize certain third-party service providers to perform a variety of functions, such as outsourcing certain business critical functions, augmenting staff for after-hours support, help tracking chain of custody for physical PCI devices for our shops, providing applications, hosting our systems, distributing our products, property management, providing cloud-based infrastructure, data center facilities, encryption and authentication technology, supporting corporate productivity services, and other functions. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, for certain service providers, our vendor management process includes reviewing the cybersecurity practices of certain providers, contractually imposing obligations on certain providers related to the services they provide and/or the information they process, conducting
security vulnerability assessments, requiring providers to complete written questionnaires regarding their services and data handling practices, conducting periodic re-assessments during their engagement, using a third party vendor management security company to provide certain ongoing monitoring, or annually collecting certain information security-related compliance documentation and reports.
Our assessment and management of material risks from cybersecurity threats are considered in the Company’s overall risk management processes. For example, the Company maintains various policies and procedures related to information security, including, for example, an Incident Response Policy and a Cybersecurity Incident Reporting Policy and an AI working group that analyzes the potential risks in connection with the Company’s use of generative AI technologies and/or automated decision-making tools. We identify cybersecurity threats as part of our risk management processes, including (depending on the environment or systems) through internal monitoring, monitoring the threat environment using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and actors, conducting scans of the threat environments, evaluating our and our industry’s risk profile, evaluating threats reported to us, conducting threat assessments for internal and external threats, and conducting security vulnerability assessments to identify vulnerabilities. Our information technology team is responsible for identifying, assessing, and managing the Company’s cybersecurity threats and risks under the oversight of our Chief Information Security Officer. This team works with third parties from time to time to help identify, assess, and manage cybersecurity risks, including professional services firms and other vendors.
Based on our assessment process, we implement and maintain various technical, physical, and organizational measures designed to manage and mitigate cybersecurity risks and potential material impacts. Depending on the environment or systems, we implement measures designed to prevent, detect, respond to, mitigate, and recover from identified and significant cybersecurity threats. The risk management and reduction measures we implement for certain of our environments or systems include: policies and procedures designed to address cybersecurity threats, including an incident response policy, acceptable use policy, and vulnerability management policy; internal and/or external security audit assessments of select environments to assess our exposure to cybersecurity threats, compliance with risk mitigation procedures, and the effectiveness of relevant controls; documented risk assessments; encryption of certain data; network security controls in certain systems; physical and electronic access controls in certain environments; asset management, tracking and disposal; systems monitoring of certain systems; employee security training; penetration testing of certain environments; maintaining cyber insurance; and a dedicated cybersecurity leader.
Our business, results of operations, financial condition, or reputation could be materially affected as a result of certain risks from cybersecurity threats, including for example, due to: the cost of and modification of business activities and implementation of security measures; system failure, data loss, fraud or theft; disruptions, including in operations; delays in remediation of high risk or critical vulnerabilities; costs of notices and other disclosures that may be required by applicable data privacy and security obligations; or our inability to recover such costs under insurance policies or contractual rights. See "Risks Related to Our Business" in Item 1A, Risk Factors for more information and a description of the risks from cybersecurity threats that materially affect the Company.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We have implemented and maintain various information security processes designed to identify, assess, and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic, or competitive in nature, and customer data.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The Audit and Risk Committee of the board of directors is responsible for oversight of the Company’s processes and policies for enterprise risk identification, management, and assessment, including certain risks around data privacy, technology, and information security.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit and Risk Committee of the board of directors is responsible for oversight of the Company’s processes and policies for enterprise risk identification, management, and assessment, including certain risks around data privacy, technology, and information security.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our cybersecurity incident response processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including reporting certain incidents to a cross-functional group responsible for making ongoing assessments of reported incidents. This group is led by our Chief Legal Officer and Chief Information Security Officer, and includes members of our standing Disclosure Committee. The Chief Legal Officer is responsible for informing the Audit and Risk Committee regarding certain significant cybersecurity threats and risks, and meets with the Audit and Risk Committee periodically or at special meetings to review and discuss issues. Additionally, our Chief Legal Officer oversees an annual enterprise risk assessment that addresses certain applicable cybersecurity risks, the results of which are presented to the Audit and Risk Committee. We also engage a third party consulting firm to assist with our annual enterprise risk assessment. Our Chief Legal Officer works with the Board, senior management, others at various levels of the organization, and our outside advisors to help identify, assess, and validate the Company’s top risks, taking into account past risk mitigation activities and future plans. Under our Cybersecurity Incident Reporting Policy, the Chief Legal Officer is also responsible for communicating to the Audit and Risk Committee the activities of the Company related to the assessments and reporting of potentially significant cybersecurity incidents.
|Cybersecurity Risk Role of Management [Text Block]
|
The Audit and Risk Committee of the board of directors is responsible for oversight of the Company’s processes and policies for enterprise risk identification, management, and assessment, including certain risks around data privacy, technology, and information security. Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our Chief Information Security Officer, who has over 20 years of experience designing, building, and executing teams and programs in the cybersecurity field, in both leadership and hands-on technical positions across numerous industries including retail, software and technology, medical device manufacturing, and cyber advisory and audit services.
Our Chief Information Security Officer is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Our Chief Information Security Officer and his team are responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.
Our cybersecurity incident response processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including reporting certain incidents to a cross-functional group responsible for making ongoing assessments of reported incidents. This group is led by our Chief Legal Officer and Chief Information Security Officer, and includes members of our standing Disclosure Committee. The Chief Legal Officer is responsible for informing the Audit and Risk Committee regarding certain significant cybersecurity threats and risks, and meets with the Audit and Risk Committee periodically or at special meetings to review and discuss issues. Additionally, our Chief Legal Officer oversees an annual enterprise risk assessment that addresses certain applicable cybersecurity risks, the results of which are presented to the Audit and Risk Committee. We also engage a third party consulting firm to assist with our annual enterprise risk assessment. Our Chief Legal Officer works with the Board, senior management, others at various levels of the organization, and our outside advisors to help identify, assess, and validate the Company’s top risks, taking into account past risk mitigation activities and future plans. Under our Cybersecurity Incident Reporting Policy, the Chief Legal Officer is also responsible for communicating to the Audit and Risk Committee the activities of the Company related to the assessments and reporting of potentially significant cybersecurity incidents.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our Chief Information Security Officer, who has over 20 years of experience designing, building, and executing teams and programs in the cybersecurity field, in both leadership and hands-on technical positions across numerous industries including retail, software and technology, medical device manufacturing, and cyber advisory and audit services.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|who has over 20 years of experience designing, building, and executing teams and programs in the cybersecurity field, in both leadership and hands-on technical positions across numerous industries including retail, software and technology, medical device manufacturing, and cyber advisory and audit services.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our cybersecurity incident response processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including reporting certain incidents to a cross-functional group responsible for making ongoing assessments of reported incidents. This group is led by our Chief Legal Officer and Chief Information Security Officer, and includes members of our standing Disclosure Committee. The Chief Legal Officer is responsible for informing the Audit and Risk Committee regarding certain significant cybersecurity threats and risks, and meets with the Audit and Risk Committee periodically or at special meetings to review and discuss issues. Additionally, our Chief Legal Officer oversees an annual enterprise risk assessment that addresses certain applicable cybersecurity risks, the results of which are presented to the Audit and Risk Committee. We also engage a third party consulting firm to assist with our annual enterprise risk assessment. Our Chief Legal Officer works with the Board, senior management, others at various levels of the organization, and our outside advisors to help identify, assess, and validate the Company’s top risks, taking into account past risk mitigation activities and future plans. Under our Cybersecurity Incident Reporting Policy, the Chief Legal Officer is also responsible for communicating to the Audit and Risk Committee the activities of the Company related to the assessments and reporting of potentially significant cybersecurity incidents.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef