|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We are a trusted partner for businesses of all sizes, and we take this responsibility seriously. The secure and continuous operation of our networks and systems, as well as the protection, processing, and confidentiality of sensitive information, is essential to our business operations and strategy. We process records containing confidential data related to individuals and businesses, and as our hosted solutions expand, the volume of personal, critical business, and other sensitive data we store for our customers continues to grow. As a technology-based organization, we are susceptible to targeted cyberattacks that seek to exploit network and system vulnerabilities. A successful cyberattack could result in the unauthorized disclosure or misuse of sensitive information, operational disruptions, reputational damage, and loss of client and consumer trust. Such incidents could also lead to litigation, termination of client contracts, government inquiries, and enforcement actions, any of which could materially and adversely affect our business, prospects, results of operations, and financial position.
To address these risks, we have established a risk-based cybersecurity program dedicated to safeguarding our data and solutions. Our privacy policies, controls, and procedures provide a comprehensive framework for data handling. We employ a defense-in-depth strategy, utilizing multiple security layers and adhering to the CIA (confidentiality, integrity, and availability) triad model. Our information security program is led by our Chief Information Security Officer (CISO) and the Information Security department, which sets policies, standards, and strategies to manage security risk. The CISO, with nearly two decades of experience in information security, oversees the resources to enhance security and reliability features in our products and services, provide employee security training, monitor operations 24/7, and conduct regular reviews and audits against independent security control frameworks. We also perform security maturity assessments and, when appropriate, engage third-party consultants, legal advisors, or audit firms to evaluate and test our risk management systems and remediate potential cybersecurity incidents. These assessments inform our annual and multi-year cybersecurity strategies and product security plans.
Our operations depend on several third parties, including vendors, developers, and partners, who may have access to our confidential data about consumers, employees, contractors, suppliers, and other business partners. We conduct due diligence and ongoing monitoring of these third parties' security and business controls to mitigate risks related to data breaches or other security incidents originating from external sources.
Governance of cybersecurity risk is overseen by our Enterprise Risk Management Committee, which includes our Assurance and Risk Advisory Services group, Chief Financial Officer, and Chief Administrative Officer, and which collaborates with our executive leadership team and senior-level staff, including the Chief Compliance Officer and the CISO. The CISO provides periodic updates to the board of directors, ensuring comprehensive risk reviews are conducted and that our cyber risk assessment, practices, and policies are thoroughly discussed with management. Our Assurance and Risk Advisory Services group also delivers periodic updates to the Audit and Finance committee of the board of directors, covering financial and enterprise risks, including cybersecurity.
In the event of a cybersecurity incident, our Cybersecurity Incident Response team follows established incident management plans to coordinate with executive leadership and manage the response. The Chief Executive Officer, Chief Financial Officer, General Counsel, Chief Technology and Digital Officer, CISO, and Chief Compliance Officer are responsible for assessing the materiality of incidents, ensuring required notifications and communications, and determining whether trading restrictions on our common stock by insiders should be imposed prior to public disclosure of a material cybersecurity event. We maintain cybersecurity insurance coverage to help offset costs resulting from cyberattacks, although the coverage may not reimburse all losses.
As of the date of this report, we are not aware of any cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations, or financial condition, or that are required to be reported in this Form 10-K. For further discussion of the risks associated with cybersecurity incidents, see Item 1A, "Operational Risks – Security breaches, computer malware, or other cyberattacks involving the confidential information we maintain could significantly damage our reputation, expose us to litigation and regulatory actions, and substantially harm our business, financial condition, and results of operations."
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We are a trusted partner for businesses of all sizes, and we take this responsibility seriously. The secure and continuous operation of our networks and systems, as well as the protection, processing, and confidentiality of sensitive information, is essential to our business operations and strategy. We process records containing confidential data related to individuals and businesses, and as our hosted solutions expand, the volume of personal, critical business, and other sensitive data we store for our customers continues to grow. As a technology-based organization, we are susceptible to targeted cyberattacks that seek to exploit network and system vulnerabilities. A successful cyberattack could result in the unauthorized disclosure or misuse of sensitive information, operational disruptions, reputational damage, and loss of client and consumer trust. Such incidents could also lead to litigation, termination of client contracts, government inquiries, and enforcement actions, any of which could materially and adversely affect our business, prospects, results of operations, and financial position.
To address these risks, we have established a risk-based cybersecurity program dedicated to safeguarding our data and solutions. Our privacy policies, controls, and procedures provide a comprehensive framework for data handling. We employ a defense-in-depth strategy, utilizing multiple security layers and adhering to the CIA (confidentiality, integrity, and availability) triad model. Our information security program is led by our Chief Information Security Officer (CISO) and the Information Security department, which sets policies, standards, and strategies to manage security risk. The CISO, with nearly two decades of experience in information security, oversees the resources to enhance security and reliability features in our products and services, provide employee security training, monitor operations 24/7, and conduct regular reviews and audits against independent security control frameworks. We also perform security maturity assessments and, when appropriate, engage third-party consultants, legal advisors, or audit firms to evaluate and test our risk management systems and remediate potential cybersecurity incidents. These assessments inform our annual and multi-year cybersecurity strategies and product security plans.
Our operations depend on several third parties, including vendors, developers, and partners, who may have access to our confidential data about consumers, employees, contractors, suppliers, and other business partners. We conduct due diligence and ongoing monitoring of these third parties' security and business controls to mitigate risks related to data breaches or other security incidents originating from external sources.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|
As of the date of this report, we are not aware of any cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations, or financial condition, or that are required to be reported in this Form 10-K. For further discussion of the risks associated with cybersecurity incidents, see Item 1A, "Operational Risks – Security breaches, computer malware, or other cyberattacks involving the confidential information we maintain could significantly damage our reputation, expose us to litigation and regulatory actions, and substantially harm our business, financial condition, and results of operations."
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Assurance and Risk Advisory Services group also delivers periodic updates to the Audit and Finance committee of the board of directors, covering financial and enterprise risks, including cybersecurity.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Governance of cybersecurity risk is overseen by our Enterprise Risk Management Committee, which includes our Assurance and Risk Advisory Services group, Chief Financial Officer, and Chief Administrative Officer, and which collaborates with our executive leadership team and senior-level staff, including the Chief Compliance Officer and the CISO. The CISO provides periodic updates to the board of directors, ensuring comprehensive risk reviews are conducted and that our cyber risk assessment, practices, and policies are thoroughly discussed with management. Our Assurance and Risk Advisory Services group also delivers periodic updates to the Audit and Finance committee of the board of directors, covering financial and enterprise risks, including cybersecurity.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our information security program is led by our Chief Information Security Officer (CISO) and the Information Security department, which sets policies, standards, and strategies to manage security risk.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The CISO, with nearly two decades of experience in information security, oversees the resources to enhance security and reliability features in our products and services, provide employee security training, monitor operations 24/7, and conduct regular reviews and audits against independent security control frameworks.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
In the event of a cybersecurity incident, our Cybersecurity Incident Response team follows established incident management plans to coordinate with executive leadership and manage the response. The Chief Executive Officer, Chief Financial Officer, General Counsel, Chief Technology and Digital Officer, CISO, and Chief Compliance Officer are responsible for assessing the materiality of incidents, ensuring required notifications and communications, and determining whether trading restrictions on our common stock by insiders should be imposed prior to public disclosure of a material cybersecurity event. We maintain cybersecurity insurance coverage to help offset costs resulting from cyberattacks, although the coverage may not reimburse all losses.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true