|
Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 1C. Cybersecurity.
Our information technology (IT) systems process, store, and transmit sensitive information, and we are heavily reliant on IT to operate our business. As such, IT security is viewed as a critical aspect of our business and one which we must continually evaluate and optimize in order to ensure ongoing effectiveness across the business in meeting the challenge of evolving cyber threats.
We have incorporated a number of technical, administrative and personnel controls in order to holistically address cybersecurity threats across the business.
Cybersecurity Policies and Standards
We have a comprehensive collection of documented policies and standards that are leveraged to establish and affirm expectations for security controls, mitigate known cybersecurity risks and provide consistent levels of protection across the Company. Our policies and standards are effective in meeting numerous compliance requirements while simultaneously reducing duplication of controls.
Incident Response
Our incident response plan provides consistent guidance for preparing for cybersecurity incidents and events, establishes clear ownership of roles and responsibilities during a cyber incident, and has inter-dependent processes for detecting and responding to cyber incidents to include leveraging guidance from the legal team. We have retained a trusted and experienced third-party investigator/negotiator, and also maintain cybersecurity insurance to help mitigate the risk of a catastrophic cyber event.
Technical Controls
We have implemented a technical security architecture consisting of a multitude of controls to identify, protect, detect, and respond to cybersecurity events. Continually evaluating common and best practices for deploying these controls, as well as determining when new or alternative controls may be more appropriate or effective, aids in our ability to counter actions from evolving threat actors. We also leverage various sources of cyber intelligence to ensure that technical controls maintain optimal configuration and deployment models to increase control effectiveness.
Third Party Security Monitoring
Leveraging an industry recognized expert in cybersecurity monitoring, we have incorporated cybersecurity monitoring to increase visibility, awareness and responsiveness to cyber threat actors. Our monitoring partner is able to quickly analyze and alert us to suspicious activity, as well as take part in any active cyber investigation when necessary. The monitoring expertise provided allows us to focus on other aspects of cybersecurity while simultaneously ensuring that we are prepared to detect and respond appropriately to security incidents.
Testing and Validation
We have incorporated multiple avenues of control and process testing and validation across the company. Our internal audit team regularly tests controls against established policies and standards. We leverage a trusted partner for performing regular penetration tests, to include phishing simulation exercises. Our IT and security team regularly conduct control validation exercises for each of the business units. We conduct regular incident response tabletop exercises to test and validate awareness of roles and responsibilities of incident responders across the organization and to educate individuals as to real world security incident scenarios.
Security Awareness
All employees are required to undertake security awareness training on a number of topics to include phishing awareness, importance of cybersecurity and proper cyber hygiene, insider threat awareness and roles and responsibilities. Our IT and security teams regularly update training modules being leveraged in order to provide timely and relevant awareness, as well as to aid in better individual engagement with the training.
Management of Third-Party Risks
We manage third-party risks from vendors and service providers by requiring that providers comply with our cybersecurity requirements and employ appropriate security controls in accordance with local, state and Federal laws. We evaluate applicable security controls of vendors and providers prior to contracting and at least annually thereafter. We evaluate the impact of any control deficiencies or exceptions identified during the review process and consider the effectiveness of the service provider’s remediation plans and their commitment to addressing identified issues when determining continued engagement with the service provider.
Board Oversight and Management’s Role
Our cybersecurity program is led by our Chief Information Security Officer (CISO) at the direction of the CFO in coordination with our Director of IT. Our CISO has over 30 years of experience in cybersecurity and cyber risk management. His role includes assessing enterprise cybersecurity risks, developing policies and standards for the cybersecurity program, developing strategies for mitigating cybersecurity risks and informing senior leadership on cybersecurity related issues and activities affecting the organization. The CISO works with the IT and security team to implement cybersecurity controls across the organization.
Our Board of Directors is ultimately responsible for cybersecurity risk and has delegated its oversight to the Audit Committee. The Audit Committee considers cybersecurity risks in connection with its financial and compliance risk oversight role. The Audit Committee receives updates on cybersecurity risks and key initiatives for mitigating those risks from the CISO and CFO.
For more information about the potential impact of cybersecurity risks, please refer to Item 1A. Risk Factors.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Leveraging an industry recognized expert in cybersecurity monitoring, we have incorporated cybersecurity monitoring to increase visibility, awareness and responsiveness to cyber threat actors. Our monitoring partner is able to quickly analyze and alert us to suspicious activity, as well as take part in any active cyber investigation when necessary. The monitoring expertise provided allows us to focus on other aspects of cybersecurity while simultaneously ensuring that we are prepared to detect and respond appropriately to security incidents.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board Oversight and Management’s Role
Our cybersecurity program is led by our Chief Information Security Officer (CISO) at the direction of the CFO in coordination with our Director of IT. Our CISO has over 30 years of experience in cybersecurity and cyber risk management. His role includes assessing enterprise cybersecurity risks, developing policies and standards for the cybersecurity program, developing strategies for mitigating cybersecurity risks and informing senior leadership on cybersecurity related issues and activities affecting the organization. The CISO works with the IT and security team to implement cybersecurity controls across the organization.
Our Board of Directors is ultimately responsible for cybersecurity risk and has delegated its oversight to the Audit Committee. The Audit Committee considers cybersecurity risks in connection with its financial and compliance risk oversight role. The Audit Committee receives updates on cybersecurity risks and key initiatives for mitigating those risks from the CISO and CFO.
|Cybersecurity Risk Role of Management [Text Block]
|Our IT and security teams regularly update training modules being leveraged in order to provide timely and relevant awareness, as well as to aid in better individual engagement with the training.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Our cybersecurity program is led by our Chief Information Security Officer (CISO) at the direction of the CFO in coordination with our Director of IT. Our CISO has over 30 years of experience in cybersecurity and cyber risk management. His role includes assessing enterprise cybersecurity risks, developing policies and standards for the cybersecurity program, developing strategies for mitigating cybersecurity risks and informing senior leadership on cybersecurity related issues and activities affecting the organization. The CISO works with the IT and security team to implement cybersecurity controls across the organization.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO has over 30 years of experience in cybersecurity and cyber risk management.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
We manage third-party risks from vendors and service providers by requiring that providers comply with our cybersecurity requirements and employ appropriate security controls in accordance with local, state and Federal laws. We evaluate applicable security controls of vendors and providers prior to contracting and at least annually thereafter. We evaluate the impact of any control deficiencies or exceptions identified during the review process and consider the effectiveness of the service provider’s remediation plans and their commitment to addressing identified issues when determining continued engagement with the service provider.