|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We maintain a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. An analysis of the impact, likelihood, and management preparedness of cybersecurity threats to our strategic priorities is integrated into our enterprise risk management program and enterprise risk assessment process. This is intended to provide cross-functional visibility, as well as executive leadership oversight, to address and mitigate associated risks. Our internal IT group audits our information security programs, and the results are reported to our executive management and the Risk Committee of our Board of Directors by the Director of Information Technology. We also engage third-party firms to identify, assess, and manage cybersecurity risks in alignment with cybersecurity standards. We further employ systems and processes designed to oversee, identify, and reduce the potential impact of a cybersecurity incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems we use. We also carry cybersecurity insurance to protect against potential losses arising from a cybersecurity incident.
Our policies and procedures also address the oversight, identification, and mitigation of cybersecurity risks associated with our use of third-party service providers. Our policy stipulates that each third-party service provider go through a
mandatory IT Security Governance review and obtain formal approval by our IT Security Governance group before it can be used.
We have an Incident Response Plan (“IRP”) that defines and documents procedures for assessing, identifying, and managing a cybersecurity incident. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. In general, our incident response process aligns with the NIST framework and focuses on four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident remediation. The IRP applies to all personnel (including third-party partners) that perform functions or services require access to secure Company information, and to all devices and network services that are owned or managed by the Company. We also have protocols by which certain cybersecurity incidents are escalated within the Company and, where appropriate, reported to the Board of Directors.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We maintain a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. An analysis of the impact, likelihood, and management preparedness of cybersecurity threats to our strategic priorities is integrated into our enterprise risk management program and enterprise risk assessment process. This is intended to provide cross-functional visibility, as well as executive leadership oversight, to address and mitigate associated risks. Our internal IT group audits our information security programs, and the results are reported to our executive management and the Risk Committee of our Board of Directors by the Director of Information Technology. We also engage third-party firms to identify, assess, and manage cybersecurity risks in alignment with cybersecurity standards. We further employ systems and processes designed to oversee, identify, and reduce the potential impact of a cybersecurity incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems we use. We also carry cybersecurity insurance to protect against potential losses arising from a cybersecurity incident.
Our policies and procedures also address the oversight, identification, and mitigation of cybersecurity risks associated with our use of third-party service providers. Our policy stipulates that each third-party service provider go through a
mandatory IT Security Governance review and obtain formal approval by our IT Security Governance group before it can be used.
We have an Incident Response Plan (“IRP”) that defines and documents procedures for assessing, identifying, and managing a cybersecurity incident. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. In general, our incident response process aligns with the NIST framework and focuses on four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident remediation. The IRP applies to all personnel (including third-party partners) that perform functions or services require access to secure Company information, and to all devices and network services that are owned or managed by the Company. We also have protocols by which certain cybersecurity incidents are escalated within the Company and, where appropriate, reported to the Board of Directors.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board has delegated the primary responsibility to oversee cybersecurity matters to the Risk Committee. Aside from more immediate reporting of certain incidents to our Board of Directors as described above, our Director of Information Technology provides our Risk Committee an update on cybersecurity at least every other quarter and more often as necessary. This update includes metrics on the effectiveness of technical and human security controls, cybersecurity training program compliance, internal and third-party cybersecurity incidents, and cybersecurity risks.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Risk Committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|We also have protocols by which certain cybersecurity incidents are escalated within the Company and, where appropriate, reported to the Board of Directors.Aside from more immediate reporting of certain incidents to our Board of Directors as described above, our Director of Information Technology provides our Risk Committee an update on cybersecurity at least every other quarter and more often as necessary. This update includes metrics on the effectiveness of technical and human security controls, cybersecurity training program compliance, internal and third-party cybersecurity incidents, and cybersecurity risks.
|Cybersecurity Risk Role of Management [Text Block]
|
Our Director of Information Technology, who has extensive cybersecurity knowledge and skills gained from over twenty years of work experience at the Company and elsewhere, heads the team responsible for implementing, monitoring and maintaining cybersecurity and data protection practices across our business and reports directly to the Executive Vice President — Chief Financial Officer. The Director of Information Technology receives reports on cybersecurity threats from a number of experienced information security officers responsible for various parts of the business on an ongoing basis and in conjunction with management, regularly reviews risk management measures implements by the Company to identify and mitigate data protection and cybersecurity risks. Our Director of Information Technology works with Legal to oversee compliance with legal, regulatory, and contractual security requirements.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Director of Information Technology
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our Director of Information Technology, who has extensive cybersecurity knowledge and skills gained from over twenty years of work experience at the Company and elsewhere, heads the team responsible for implementing, monitoring and maintaining cybersecurity and data protection practices across our business and reports directly to the Executive Vice President — Chief Financial Officer.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Director of Information Technology receives reports on cybersecurity threats from a number of experienced information security officers responsible for various parts of the business on an ongoing basis and in conjunction with management, regularly reviews risk management measures implements by the Company to identify and mitigate data protection and cybersecurity risks.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef