|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We recognize the importance cybersecurity has to the success of our business. We also recognize the need to continually assess cybersecurity risk and evolve our response in the face of a rapidly and ever-changing environment. Accordingly, we aim to protect our business operations, including customer records and information, against known and evolving cybersecurity threats.
Risk Management and Strategy
The Company’s Internal Audit function conducts an annual Enterprise Risk Management process to identify, assess, monitor and control current and future potential risks facing the Company, which includes cybersecurity risks that are communicated by the Chief Information Security Officer (“CISO”). Significant risks identified during this process are then presented to the Audit Committee. In addition, we have a cybersecurity incident response plan in place that provides a documented framework for handling high and low severity security incidents and facilitates coordination across multiple parts of the business. We also routinely perform attack and response simulations at the technical level, and annually execute tabletop response exercises. Each year, special focus is given to maintaining and improving our alignment with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and Privacy and Payment Card Industry (“PCI”) controls in support of protecting our technology and customer data. We further engage in the periodic assessment and testing of our cybersecurity program.
We also utilize external expertise to perform annual assessments of our entire cybersecurity program, including the cybersecurity program maturity. The results of these annual assessments are reported to the Audit Committee, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments. In addition, we have a Third Party Risk Management Program designed to assess risks associated with third party providers based on the services they provide and the data they have access to.
Cybersecurity risk mitigation processes are integrated into the Company’s Code of Conduct that all employees are required to review. Additionally, all employees with network access receive cybersecurity awareness training.
The Company’s information and data systems have been subject to cybersecurity incidents in the past, including the publicly disclosed September 2023 Cybersecurity Issue. We do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. However, there is no guaranty that the Cybersecurity Issue and any further incidents will not have a material impact in the future. See “Cybersecurity litigation, claims, and investigations” in Part II, Item 8, Note 12 to the accompanying consolidated financial statements. Further, policies and procedures designed to manage cyber risks, including those described herein, may not be effective. To learn more about risks from cybersecurity threats, see “Item 1A. Risk Factors - The failure to maintain the integrity of our information and other systems or customer information can result in damage to our reputation, subject us to fines, payment of damages, lawsuits and restrictions on our use of data, and have a material adverse effect on our business, financial condition, and results of operations.” Additional risks and uncertainties not currently known or that may currently be deemed to be immaterial also may materially adversely affect the Company’s business, financial condition, or results of operations.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Cybersecurity risk mitigation processes are integrated into the Company’s Code of Conduct that all employees are required to review. Additionally, all employees with network access receive cybersecurity awareness training.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
To ensure thorough oversight of the Company’s cybersecurity policies and processes, the Audit Committee is responsible for overseeing our cybersecurity risk and, pursuant to its charter, establishes and oversees procedures for the Company’s plans to mitigate cybersecurity risks and respond to data breaches. The Audit Committee receives regular reports from the CISO on the Company’s cybersecurity risks and enterprise cybersecurity program. The Audit Committee also receives prompt information and periodic updates by the CISO regarding material cybersecurity incidents that meet reporting thresholds. The Audit Committee reports out to the Board as necessary to keep the Board informed of issues or risks relating to the Company’s cybersecurity.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
To ensure thorough oversight of the Company’s cybersecurity policies and processes, the Audit Committee is responsible for overseeing our cybersecurity risk and, pursuant to its charter, establishes and oversees procedures for the Company’s plans to mitigate cybersecurity risks and respond to data breaches. The Audit Committee receives regular reports from the CISO on the Company’s cybersecurity risks and enterprise cybersecurity program. The Audit Committee also receives prompt information and periodic updates by the CISO regarding material cybersecurity incidents that meet reporting thresholds. The Audit Committee reports out to the Board as necessary to keep the Board informed of issues or risks relating to the Company’s cybersecurity.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Board’s Oversight of Cybersecurity Risk
To ensure thorough oversight of the Company’s cybersecurity policies and processes, the Audit Committee is responsible for overseeing our cybersecurity risk and, pursuant to its charter, establishes and oversees procedures for the Company’s plans to mitigate cybersecurity risks and respond to data breaches. The Audit Committee receives regular reports from the CISO on the Company’s cybersecurity risks and enterprise cybersecurity program. The Audit Committee also receives prompt information and periodic updates by the CISO regarding material cybersecurity incidents that meet reporting thresholds. The Audit Committee reports out to the Board as necessary to keep the Board informed of issues or risks relating to the Company’s cybersecurity.
Management’s Involvement in Cybersecurity Risk Oversight
Our CISO continues to enhance our cybersecurity program and leads our efforts to mitigate technology risks in partnership with business leaders. Our CISO conducts regular reviews of the control environment and identifies those risks within the Enterprise Risk Management process to assess, monitor and control current and future potential risks facing the Company. Our CISO has over 20 years of expertise in technology, cybersecurity, information security risk management, incident management and response and privacy and has held various roles in information security throughout his career. The CISO holds various professional certifications, including Certified Information Security Manager certification from the Information Systems Audit and Control Association and Certified Incident Handler from the International Council of E-Commerce Consultants. The CISO holds a Bachelor of Science Degree in Cyber Security & Information Assurance.
Our CISO reports directly to our Chief Legal and Administrative Officer and Secretary. The CISO closely monitors our cybersecurity program, including our strategy and cybersecurity policies and practices, against the cybersecurity threat landscape. As described above, our cybersecurity incident response plan provides a framework for a multidisciplinary team to prevent, detect, mitigate, and remediate cybersecurity-related risks and incidents. This framework also sets forth parameters for the escalation and reporting of cybersecurity risks and incidents to broader groups at the Company, and the CISO reports information about significant cybersecurity risks and incidents to the Audit Committee on a regular basis and more frequently if warranted under the circumstances.
|Cybersecurity Risk Role of Management [Text Block]
|
Our CISO continues to enhance our cybersecurity program and leads our efforts to mitigate technology risks in partnership with business leaders. Our CISO conducts regular reviews of the control environment and identifies those risks within the Enterprise Risk Management process to assess, monitor and control current and future potential risks facing the Company. Our CISO has over 20 years of expertise in technology, cybersecurity, information security risk management, incident management and response and privacy and has held various roles in information security throughout his career. The CISO holds various professional certifications, including Certified Information Security Manager certification from the Information Systems Audit and Control Association and Certified Incident Handler from the International Council of E-Commerce Consultants. The CISO holds a Bachelor of Science Degree in Cyber Security & Information Assurance.
Our CISO reports directly to our Chief Legal and Administrative Officer and Secretary. The CISO closely monitors our cybersecurity program, including our strategy and cybersecurity policies and practices, against the cybersecurity threat landscape. As described above, our cybersecurity incident response plan provides a framework for a multidisciplinary team to prevent, detect, mitigate, and remediate cybersecurity-related risks and incidents. This framework also sets forth parameters for the escalation and reporting of cybersecurity risks and incidents to broader groups at the Company, and the CISO reports information about significant cybersecurity risks and incidents to the Audit Committee on a regular basis and more frequently if warranted under the circumstances.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
To ensure thorough oversight of the Company’s cybersecurity policies and processes, the Audit Committee is responsible for overseeing our cybersecurity risk and, pursuant to its charter, establishes and oversees procedures for the Company’s plans to mitigate cybersecurity risks and respond to data breaches. The Audit Committee receives regular reports from the CISO on the Company’s cybersecurity risks and enterprise cybersecurity program. The Audit Committee also receives prompt information and periodic updates by the CISO regarding material cybersecurity incidents that meet reporting thresholds. The Audit Committee reports out to the Board as necessary to keep the Board informed of issues or risks relating to the Company’s cybersecurity.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO has over 20 years of expertise in technology, cybersecurity, information security risk management, incident management and response and privacy and has held various roles in information security throughout his career. The CISO holds various professional certifications, including Certified Information Security Manager certification from the Information Systems Audit and Control Association and Certified Incident Handler from the International Council of E-Commerce Consultants. The CISO holds a Bachelor of Science Degree in Cyber Security & Information Assurance.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our CISO continues to enhance our cybersecurity program and leads our efforts to mitigate technology risks in partnership with business leaders. Our CISO conducts regular reviews of the control environment and identifies those risks within the Enterprise Risk Management process to assess, monitor and control current and future potential risks facing the Company. Our CISO has over 20 years of expertise in technology, cybersecurity, information security risk management, incident management and response and privacy and has held various roles in information security throughout his career. The CISO holds various professional certifications, including Certified Information Security Manager certification from the Information Systems Audit and Control Association and Certified Incident Handler from the International Council of E-Commerce Consultants. The CISO holds a Bachelor of Science Degree in Cyber Security & Information Assurance.
Our CISO reports directly to our Chief Legal and Administrative Officer and Secretary. The CISO closely monitors our cybersecurity program, including our strategy and cybersecurity policies and practices, against the cybersecurity threat landscape. As described above, our cybersecurity incident response plan provides a framework for a multidisciplinary team to prevent, detect, mitigate, and remediate cybersecurity-related risks and incidents. This framework also sets forth parameters for the escalation and reporting of cybersecurity risks and incidents to broader groups at the Company, and the CISO reports information about significant cybersecurity risks and incidents to the Audit Committee on a regular basis and more frequently if warranted under the circumstances.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true