|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and critical data, including intellectual property and confidential information that is proprietary, strategic or competitive in nature (“Information Systems and Data”).
Our cybersecurity posture is overseen by our operational information security team which helps identify, assess and manage our cybersecurity threats and risks, including through the use of a risk register. This team identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment and our risk profile using various methods, including, for example, manual and automated tools in certain environments and systems; subscribing to reports and services that identify certain cybersecurity threats; analyzing reports of certain cybersecurity threats; evaluating our risk profile and certain threats reported to us; and conducting internal audits and threat assessments for certain environments and systems.
Depending on the environment and system, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: an incident response policy; a vulnerability management policy; disaster recovery and business continuity plans; encryption of certain data; network security controls for certain environments and systems; data segregation of certain data; access controls for certain environments and systems; physical security; asset management; monitoring of certain systems; and employee cybersecurity training.
Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. For example, cybersecurity risk is addressed as a component of our enterprise risk management program and identified in the risk register. In addition, our senior management evaluates material risks from cybersecurity threats against our overall business objectives and reports certain threats to the Risk Committee, which evaluates our overall enterprise risk.
We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including, for example, professional services firms, cybersecurity software providers, penetration testing firms, and dark web monitoring services.
We use third-party service providers to perform a variety of functions throughout our business, such as application providers, hosting companies, and supply chain resources. We have a vendor management program to manage cybersecurity risks associated with our use of certain of these providers. The program includes risk assessments for certain providers, review of security questionnaires and written security programs for certain providers, conducting audits of certain providers, and conducting security assessment calls with certain providers’ security personnel, and we define cybersecurity requirements through our contracting processes with certain providers. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider.
For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see risk factors under Item 3.D. Risk Factors, including “Our information technology and infrastructure and those of third parties upon which we rely, and our data, may be vulnerable to attacks by unauthorized third parties or breached due to employee error, malfeasance or other disruptions. Any such breach could compromise our networks and the information or data stored there could be accessed, publicly disclosed, lost, deleted, encrypted or stolen, which could result in legal claims or proceedings (including class action), liability under laws that protect the privacy of personal data, regulatory penalties, disruption of our operations and the services we provide to customers, damage to our reputation, and a loss of confidence in our products and offerings, which could adversely affect our business.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and critical data, including intellectual property and confidential information that is proprietary, strategic or competitive in nature (“Information Systems and Data”).
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board addresses our cybersecurity risk management as part of its general oversight function. The Risk Committee is responsible for overseeing our cybersecurity risk management processes, including oversight of mitigation of risks from our cybersecurity threats.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Risk Committee is responsible for overseeing our cybersecurity risk management processes, including oversight of mitigation of risks from our cybersecurity threats.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Risk Committee receives periodic reports from the Head of Group Risk, concerning our potential significant cybersecurity threats and risk and the processes we have implemented to address them. The Risk Committee also has access to various reports, summaries or presentations related to cybersecurity threats, risk and mitigation.
|Cybersecurity Risk Role of Management [Text Block]
|
Our cybersecurity risk assessment process is implemented and maintained by our Cyber Incident Forum comprising members of management, including our Chief Financial Officer (“CFO”), a designated Chief Technology Officer (“CTO”), our General Counsel and our Group Data Protection Officer, with operational support from, amongst others, our Head of Information Technology and Head of Information Security, who together have a combined total of forty-five years’ experience within the information technology and security industries.
Our Chief People Officer is responsible for ensuring the hiring of appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy, communicating key priorities to relevant personnel, helping prepare us for cybersecurity incidents, approving our cybersecurity processes, reviewing security assessments and other security-related reports relating to us, and reporting on relevant cybersecurity threats and risks to our Head of Group Risk. Our CFO is responsible for approving our cybersecurity-related budgets.
Our incident response and vulnerability management policies are designed to escalate certain cybersecurity incidents to the SGHC Cyber Incident Forum, comprised of our CFO, CTO, our General Counsel and our Group Data Protection Officer, which oversees the mitigation and remediation of cybersecurity incidents of which they are notified. In addition, our cyber incident reporting policies include reporting to the Risk Committee for certain cybersecurity incidents. Each operating subsidiary has processes in place to report significant cybersecurity events to us.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our cybersecurity risk assessment process is implemented and maintained by our Cyber Incident Forum comprising members of management, including our Chief Financial Officer (“CFO”), a designated Chief Technology Officer (“CTO”), our General Counsel and our Group Data Protection Officer, with operational support from, amongst others, our Head of Information Technology and Head of Information Security
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|who together have a combined total of forty-five years’ experience within the information technology and security industries.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our Chief People Officer is responsible for ensuring the hiring of appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy, communicating key priorities to relevant personnel, helping prepare us for cybersecurity incidents, approving our cybersecurity processes, reviewing security assessments and other security-related reports relating to us, and reporting on relevant cybersecurity threats and risks to our Head of Group Risk. Our CFO is responsible for approving our cybersecurity-related budgets.
Our incident response and vulnerability management policies are designed to escalate certain cybersecurity incidents to the SGHC Cyber Incident Forum, comprised of our CFO, CTO, our General Counsel and our Group Data Protection Officer, which oversees the mitigation and remediation of cybersecurity incidents of which they are notified. In addition, our cyber incident reporting policies include reporting to the Risk Committee for certain cybersecurity incidents. Each operating subsidiary has processes in place to report significant cybersecurity events to us.
The Risk Committee receives periodic reports from the Head of Group Risk, concerning our potential significant cybersecurity threats and risk and the processes we have implemented to address them. The Risk Committee also has access to various reports, summaries or presentations related to cybersecurity threats, risk and mitigation.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true