|
Cybersecurity Risk Management, Strategy, and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 1C. Cybersecurity
We understand the critical importance of cybersecurity and proactively manage vulnerabilities to ensure the confidentiality, integrity, and availability of our information assets. While we have not experienced any material risks from cybersecurity incidents to date, we recognize the evolving threat landscape and maintain a vigorous security posture. Materiality of individual cybersecurity incidents is determined by a comprehensive assessment framework considering, but not limited to, the following factors:
• Impact on Business Operations: Potential disruptions to critical systems, services, or financial transactions.
• Data Sensitivity: The nature and sensitivity of the data involved, with incidents concerning personally identifiable information or highly confidential data deemed more material.
• Regulatory Compliance: Potential violations of cybersecurity laws, regulations, or industry standards.
• Reputational Risk: Harm to the Company's reputation, customer trust, and brand value.
• Legal Obligations: Legal requirements for reporting incidents and potential consequences of non-compliance.
Identification, Assessment of, and Response to Cybersecurity Threats
We employ a multi-layered approach to identify, assess, and report potential cybersecurity threats:
• Threat intelligence tracking: We actively monitor relevant threat intelligence feeds and other sources to stay informed about emerging threats and vulnerabilities.
• Managed Detection and Response (“MDR”) partnership: We have partnered with a recognized third-party MDR provider to enhance our threat detection and response capabilities. This service provides continuous monitoring via a 24/7 Security Operations Center that includes next-gen solutions for analysis, and proactive response to potential threats, ensuring timely identification and facilitating mitigation of cybersecurity incidents.
• Metrics and Measurements: We capture telemetry from our IT infrastructure to measure the effectiveness of our security controls and identify areas for improvement.
Risk Management and Strategy
Although we develop and maintain systems and controls designed to prevent cybersecurity breaches from occurring, and we have a process to identify and minimize threats, the possibility of a breach occurring cannot be eliminated entirely. As with most companies, as a result of our moves toward cloud-based technologies and increasing engagements in more electronic transactions with service customers and vendors, the related security risks will change and/or increase requiring us to adapt and employ additional resources to protect our technology and information systems.
We partner with third party specialists in the role of Virtual Information Security Officer (VISO), with biweekly meetings to review current state, develop security strategies, assess risk management, and develop policies and procedures over our information security program. Our cybersecurity risk management program utilizes the National Institute of Standards and Technology (“NIST”) 800-37 framework as a foundation, to align with our entity size, risk profile, and industry best practices. We believe that leveraging the NIST framework as a foundation ensures a balanced approach for minimizing vulnerabilities while maintaining operational efficiency. We maintain a comprehensive incident response plan with clearly defined roles and responsibilities. In the event of an incident, the plan prescribes notification procedures, containment measures, eradication steps, and recovery processes. Based on Cybersecurity Infrastructure Security Agency (CISA) modeling, we conduct annual Tabletop exercises with the help of third party specialists. Our Tabletop exercises include cybersecurity-based scenarios that incorporate various cyber threat categories including ransomware, insider threats, phishing, and physical disasters. Additionally, as in prior years, in 2025 we will perform vulnerability assessments and penetration testing through third party providers for an objective assessment. In 2024, we initiated a data governance program aimed at securing enterprise data through internal processes, defined roles, metrics, & compliance standards. In the 1st quarter of 2025, we expect to complete the implementation of a robust Privileged Access Management (PAM) solution, an identity security solution that helps protect against cyberthreats through monitoring, detecting, and preventing unauthorized privileged access to critical resources.
The Risk Management, Strategy and Incident Response described above applies to our North American and Asian operations. Our German operations have similar risk management and strategy, which in 2025 they plan to further develop and strengthen.
Third-Party Service Providers
We consider security related factors when choosing and working with third-party providers and have established processes to oversee and manage risks associated with third-party service providers. We require providers to share their security reports (System and Organization Controls (SOC 1 and SOC 2)) prior to initial engagement and ongoing on an annual basis. We believe that the review of such reports helps us minimize the risk of data breaches or other problems resulting due to our third-party relationships, especially with software-as-a-service (“SaaS”) providers. In line with internal processes, access to internal resources by third-party consultants is subject to Privileged Access Management (PAM). We apply the principles of zero trust, wherein privileges are granted to only that which is required, restricting unauthorized access.
Reporting
We have a communication process for incidents based on their severity as outlined in our incident response plan and pursuant to various regulatory and contractual obligations. When a high risk incident or potential high risk incident is detected by our Security Operation Center or otherwise, executive leadership is immediately informed. The cybersecurity audit group is notified, and the Chief Information Officer, in consultation with our Security Operation Center submits a detailed report to senior management. For moderate risk incidents, there is prompt notification, and a detailed report would be prepared and submitted. If a cybersecurity incident is deemed material, it will be reported promptly under SEC rules.
Management and Board of Director Oversight of Cybersecurity Threats
The Company's Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, and Chief Information Officer that comprise our cybersecurity audit group, as well as the Board of Directors has responsibility for the oversight of cybersecurity threats and incidents and reviews the Company’s programs and policies no less than three times annually. The Company’s Chief Information Officer has specific tactical & strategic responsibilities in overseeing technology infrastructure and cybersecurity.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Management and Board of Director Oversight of Cybersecurity Threats
The Company's Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, and Chief Information Officer that comprise our cybersecurity audit group, as well as the Board of Directors has responsibility for the oversight of cybersecurity threats and incidents and reviews the Company’s programs and policies no less than three times annually. The Company’s Chief Information Officer has specific tactical & strategic responsibilities in overseeing technology infrastructure and cybersecurity.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Company's Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, and Chief Information Officer that comprise our cybersecurity audit group, as well as the Board of Directors has responsibility for the oversight of cybersecurity threats and incidents and reviews the Company’s programs and policies no less than three times annually.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Company’s Chief Information Officer has specific tactical & strategic responsibilities in overseeing technology infrastructure and cybersecurity.
|Cybersecurity Risk Role of Management [Text Block]
|
Risk Management and Strategy
Although we develop and maintain systems and controls designed to prevent cybersecurity breaches from occurring, and we have a process to identify and minimize threats, the possibility of a breach occurring cannot be eliminated entirely. As with most companies, as a result of our moves toward cloud-based technologies and increasing engagements in more electronic transactions with service customers and vendors, the related security risks will change and/or increase requiring us to adapt and employ additional resources to protect our technology and information systems.
We partner with third party specialists in the role of Virtual Information Security Officer (VISO), with biweekly meetings to review current state, develop security strategies, assess risk management, and develop policies and procedures over our information security program. Our cybersecurity risk management program utilizes the National Institute of Standards and Technology (“NIST”) 800-37 framework as a foundation, to align with our entity size, risk profile, and industry best practices. We believe that leveraging the NIST framework as a foundation ensures a balanced approach for minimizing vulnerabilities while maintaining operational efficiency. We maintain a comprehensive incident response plan with clearly defined roles and responsibilities. In the event of an incident, the plan prescribes notification procedures, containment measures, eradication steps, and recovery processes. Based on Cybersecurity Infrastructure Security Agency (CISA) modeling, we conduct annual Tabletop exercises with the help of third party specialists. Our Tabletop exercises include cybersecurity-based scenarios that incorporate various cyber threat categories including ransomware, insider threats, phishing, and physical disasters. Additionally, as in prior years, in 2025 we will perform vulnerability assessments and penetration testing through third party providers for an objective assessment. In 2024, we initiated a data governance program aimed at securing enterprise data through internal processes, defined roles, metrics, & compliance standards. In the 1st quarter of 2025, we expect to complete the implementation of a robust Privileged Access Management (PAM) solution, an identity security solution that helps protect against cyberthreats through monitoring, detecting, and preventing unauthorized privileged access to critical resources.
The Risk Management, Strategy and Incident Response described above applies to our North American and Asian operations. Our German operations have similar risk management and strategy, which in 2025 they plan to further develop and strengthen.
Third-Party Service Providers
We consider security related factors when choosing and working with third-party providers and have established processes to oversee and manage risks associated with third-party service providers. We require providers to share their security reports (System and Organization Controls (SOC 1 and SOC 2)) prior to initial engagement and ongoing on an annual basis. We believe that the review of such reports helps us minimize the risk of data breaches or other problems resulting due to our third-party relationships, especially with software-as-a-service (“SaaS”) providers. In line with internal processes, access to internal resources by third-party consultants is subject to Privileged Access Management (PAM). We apply the principles of zero trust, wherein privileges are granted to only that which is required, restricting unauthorized access.
Reporting
We have a communication process for incidents based on their severity as outlined in our incident response plan and pursuant to various regulatory and contractual obligations. When a high risk incident or potential high risk incident is detected by our Security Operation Center or otherwise, executive leadership is immediately informed. The cybersecurity audit group is notified, and the Chief Information Officer, in consultation with our Security Operation Center submits a detailed report to senior management. For moderate risk incidents, there is prompt notification, and a detailed report would be prepared and submitted. If a cybersecurity incident is deemed material, it will be reported promptly under SEC rules.
Management and Board of Director Oversight of Cybersecurity Threats
The Company's Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, and Chief Information Officer that comprise our cybersecurity audit group, as well as the Board of Directors has responsibility for the oversight of cybersecurity threats and incidents and reviews the Company’s programs and policies no less than three times annually. The Company’s Chief Information Officer has specific tactical & strategic responsibilities in overseeing technology infrastructure and cybersecurity.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Company's Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, and Chief Information Officer that comprise our cybersecurity audit group, as well as the Board of Directors
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, and Chief Information Officer
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true