|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
The Company has developed and implemented an Information Security Program based on the Cybersecurity Framework (CSF) best practices and recommendations from the National Institute of Standards and Technology (NIST), applicable regulatory guidance, and other industry standards. Components of the program include a risk assessment program to identify, assess, and mitigate cybersecurity risk; a vendor management program to address third-party cybersecurity risk; and an incident response program documenting cybersecurity incident response and notification procedures. The Company's Information Security Officer (ISO) oversees the programs and reports on their statuses to management committees including the Information Security Review Committee (ISRC) and the Information Systems Steering Committee (ISSC). The ISRC approves policies, procedures, and standards for information security. It also discusses IT statistics and performance relative to information security performance standards. It reports to the ISSC. The ISSC is responsible for the Company’s strategic IT plan, including information security. It reviews the adequacy and allocation of IT resources and monitors major projects and overall IT performance. The strategic plan is presented to the Board annually. The ISO has several years of professional experience in cybersecurity and vendor management, and holds multiple relevant professional certifications. The ISO provides an update to the Board of Directors on a quarterly basis. The Information Security Program is approved by the Board annually.
The ISO maintains risk assessments for key IT systems. A third-party cybersecurity risk assessment tool and the FFIEC's Cybersecurity Assessment Tool (CAT) are also used annually to assess cybersecurity risk.
Third parties are assessed and categorized according to service type, compliance risk, financial risk, operational risk, and security risk. The level of due diligence and ongoing monitoring that is performed is based on inherent risk as well as specifics such as whether the vendor hosts data in the cloud or has access to consumer information.
The Company uses a training system to educate new and existing employees on cybersecurity risks. In addition to this training program, simulated phishing attempts and remote social engineering attacks are performed on a regular basis to evaluate employees’ understanding of these risks.
The Company uses data loss prevention, email filtering and web filtering software to ensure malicious data does not enter the Company's network, and sensitive information does not leave the network unless properly secured. Penetration tests and vulnerability scanning are performed on a regular basis. All Company networks are secured behind firewalls. Additionally, Security Information and Event Management (SIEM) technology, an Intrusion Detection System (IDS), and an Intrusion Prevention System (IPS) are used.
Access to data on the Company's networks is granted only if needed for job functions. Data Security Analysts review changes to access to ensure they are authorized and appropriate.
An Incident Response Committee that includes representatives from key areas of the Company meets in the event of cybersecurity incidents. The Committee ensures the proper notifications are made in order to comply with all relevant laws, rules and regulations.
During the year ended December 31, 2024, there were no cybersecurity incidents that materially affected or are reasonably likely to materially affect the Company. For discussion of the risks from cybersecurity threats, including potential impact to the Company’s business strategy, results of operations, and financial condition, refer to “Item 1A – Risk Factors – The Company’s information systems may experience an interruption or breach in security” in this Report, which is incorporated by reference in this paragraph.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|The Company has developed and implemented an Information Security Program based on the Cybersecurity Framework (CSF) best practices and recommendations from the National Institute of Standards and Technology (NIST), applicable regulatory guidance, and other industry standards. Components of the program include a risk assessment program to identify, assess, and mitigate cybersecurity risk; a vendor management program to address third-party cybersecurity risk; and an incident response program documenting cybersecurity incident response and notification procedures. The Company's Information Security Officer (ISO) oversees the programs and reports on their statuses to management committees including the Information Security Review Committee (ISRC) and the Information Systems Steering Committee (ISSC). The ISRC approves policies, procedures, and standards for information security. It also discusses IT statistics and performance relative to information security performance standards. It reports to the ISSC. The ISSC is responsible for the Company’s strategic IT plan, including information security. It reviews the adequacy and allocation of IT resources and monitors major projects and overall IT performance. The strategic plan is presented to the Board annually. The ISO has several years of professional experience in cybersecurity and vendor management, and holds multiple relevant professional certifications. The ISO provides an update to the Board of Directors on a quarterly basis. The Information Security Program is approved by the Board annually.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Company has developed and implemented an Information Security Program based on the Cybersecurity Framework (CSF) best practices and recommendations from the National Institute of Standards and Technology (NIST), applicable regulatory guidance, and other industry standards. Components of the program include a risk assessment program to identify, assess, and mitigate cybersecurity risk; a vendor management program to address third-party cybersecurity risk; and an incident response program documenting cybersecurity incident response and notification procedures. The Company's Information Security Officer (ISO) oversees the programs and reports on their statuses to management committees including the Information Security Review Committee (ISRC) and the Information Systems Steering Committee (ISSC). The ISRC approves policies, procedures, and standards for information security. It also discusses IT statistics and performance relative to information security performance standards. It reports to the ISSC. The ISSC is responsible for the Company’s strategic IT plan, including information security. It reviews the adequacy and allocation of IT resources and monitors major projects and overall IT performance. The strategic plan is presented to the Board annually. The ISO has several years of professional experience in cybersecurity and vendor management, and holds multiple relevant professional certifications. The ISO provides an update to the Board of Directors on a quarterly basis. The Information Security Program is approved by the Board annually.
The ISO maintains risk assessments for key IT systems. A third-party cybersecurity risk assessment tool and the FFIEC's Cybersecurity Assessment Tool (CAT) are also used annually to assess cybersecurity risk.
Third parties are assessed and categorized according to service type, compliance risk, financial risk, operational risk, and security risk. The level of due diligence and ongoing monitoring that is performed is based on inherent risk as well as specifics such as whether the vendor hosts data in the cloud or has access to consumer information.
The Company uses a training system to educate new and existing employees on cybersecurity risks. In addition to this training program, simulated phishing attempts and remote social engineering attacks are performed on a regular basis to evaluate employees’ understanding of these risks.
The Company uses data loss prevention, email filtering and web filtering software to ensure malicious data does not enter the Company's network, and sensitive information does not leave the network unless properly secured. Penetration tests and vulnerability scanning are performed on a regular basis. All Company networks are secured behind firewalls. Additionally, Security Information and Event Management (SIEM) technology, an Intrusion Detection System (IDS), and an Intrusion Prevention System (IPS) are used.
Access to data on the Company's networks is granted only if needed for job functions. Data Security Analysts review changes to access to ensure they are authorized and appropriate.
An Incident Response Committee that includes representatives from key areas of the Company meets in the event of cybersecurity incidents. The Committee ensures the proper notifications are made in order to comply with all relevant laws, rules and regulations.
During the year ended December 31, 2024, there were no cybersecurity incidents that materially affected or are reasonably likely to materially affect the Company. For discussion of the risks from cybersecurity threats, including potential impact to the Company’s business strategy, results of operations, and financial condition, refer to “Item 1A – Risk Factors – The Company’s information systems may experience an interruption or breach in security” in this Report, which is incorporated by reference in this paragraph.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Company has developed and implemented an Information Security Program based on the Cybersecurity Framework (CSF) best practices and recommendations from the National Institute of Standards and Technology (NIST), applicable regulatory guidance, and other industry standards. Components of the program include a risk assessment program to identify, assess, and mitigate cybersecurity risk; a vendor management program to address third-party cybersecurity risk; and an incident response program documenting cybersecurity incident response and notification procedures. The Company's Information Security Officer (ISO) oversees the programs and reports on their statuses to management committees including the Information Security Review Committee (ISRC) and the Information Systems Steering Committee (ISSC). The ISRC approves policies, procedures, and standards for information security. It also discusses IT statistics and performance relative to information security performance standards. It reports to the ISSC. The ISSC is responsible for the Company’s strategic IT plan, including information security. It reviews the adequacy and allocation of IT resources and monitors major projects and overall IT performance. The strategic plan is presented to the Board annually. The ISO has several years of professional experience in cybersecurity and vendor management, and holds multiple relevant professional certifications. The ISO provides an update to the Board of Directors on a quarterly basis. The Information Security Program is approved by the Board annually.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|An Incident Response Committee that includes representatives from key areas of the Company meets in the event of cybersecurity incidents. The Committee ensures the proper notifications are made in order to comply with all relevant laws, rules and regulations.
|Cybersecurity Risk Role of Management [Text Block]
|The Company has developed and implemented an Information Security Program based on the Cybersecurity Framework (CSF) best practices and recommendations from the National Institute of Standards and Technology (NIST), applicable regulatory guidance, and other industry standards. Components of the program include a risk assessment program to identify, assess, and mitigate cybersecurity risk; a vendor management program to address third-party cybersecurity risk; and an incident response program documenting cybersecurity incident response and notification procedures. The Company's Information Security Officer (ISO) oversees the programs and reports on their statuses to management committees including the Information Security Review Committee (ISRC) and the Information Systems Steering Committee (ISSC). The ISRC approves policies, procedures, and standards for information security. It also discusses IT statistics and performance relative to information security performance standards. It reports to the ISSC. The ISSC is responsible for the Company’s strategic IT plan, including information security. It reviews the adequacy and allocation of IT resources and monitors major projects and overall IT performance. The strategic plan is presented to the Board annually. The ISO has several years of professional experience in cybersecurity and vendor management, and holds multiple relevant professional certifications. The ISO provides an update to the Board of Directors on a quarterly basis. The Information Security Program is approved by the Board annually.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Company has developed and implemented an Information Security Program based on the Cybersecurity Framework (CSF) best practices and recommendations from the National Institute of Standards and Technology (NIST), applicable regulatory guidance, and other industry standards. Components of the program include a risk assessment program to identify, assess, and mitigate cybersecurity risk; a vendor management program to address third-party cybersecurity risk; and an incident response program documenting cybersecurity incident response and notification procedures. The Company's Information Security Officer (ISO) oversees the programs and reports on their statuses to management committees including the Information Security Review Committee (ISRC) and the Information Systems Steering Committee (ISSC). The ISRC approves policies, procedures, and standards for information security. It also discusses IT statistics and performance relative to information security performance standards. It reports to the ISSC. The ISSC is responsible for the Company’s strategic IT plan, including information security. It reviews the adequacy and allocation of IT resources and monitors major projects and overall IT performance. The strategic plan is presented to the Board annually. The ISO has several years of professional experience in cybersecurity and vendor management, and holds multiple relevant professional certifications. The ISO provides an update to the Board of Directors on a quarterly basis. The Information Security Program is approved by the Board annually.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true