|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
The Company is committed to ensuring the safe operation of its business by means of a dedicated cybersecurity program designed to protect the confidentiality, integrity, and availability of its assets from cybersecurity threats. The Company’s customers, suppliers, and joint venture partners also face cybersecurity threats, and a cybersecurity incident impacting the Company or any of these entities could materially impact our operations, performance, and results of operations. New and evolving cybersecurity threats and related risks make it imperative that the Company allocates the appropriate resources to mitigate these risks, adapts to the changing cybersecurity landscape, and responds to emerging threats in a timely and effective manner.
The underlying controls of the Company’s cybersecurity program are designed to be aligned with the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”) standards for cybersecurity and information technology. The controls in the Company’s cybersecurity program include, but are not limited to, endpoint threat detection and response, privileged access management, logging and monitoring, multi-factor authentication, firewalls and intrusion detection and prevention, and vulnerability and patch management. Management regularly assesses the Company’s cybersecurity capabilities and has implemented policies, processes, and technology that it considers appropriate to reduce the likelihood or impact of a breach.
Third parties also play a role in the Company’s cybersecurity. The Company engages third-party contractors to assess cybersecurity controls, whether through penetration testing, independent audits, or consulting on best practices to address new challenges. These assessments include testing both the design and operational effectiveness of these cybersecurity controls. The Company engages with these partners to monitor and maintain the performance and effectiveness of products and services that are deployed in the Company’s information technology environment. Management also shares and receives threat intelligence with our peers, local public companies, and cybersecurity associations.
The Company’s Director of Information Security ("CISO"), reporting to the Chief Information Officer ("CIO"), is the leader of the Company’s cybersecurity team. The CISO is responsible for assessing and managing the Company’s cybersecurity program, informs the CIO and other senior management as appropriate regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents and supervises such efforts. Our CISO and CIO have decades of collective experience managing information technology and cybersecurity functions, both at the Company and in prior positions at large, Fortune 500 global businesses. Management also periodically evaluates the experience of the Company’s entire cybersecurity team to ensure adequate coverage across all eight key knowledge domains identified by the Certified Information Systems Security Professional certification.
Employees outside of the cybersecurity team also have a role in our cybersecurity defenses and they are engaged in a culture supportive of security protocols, which management believes improves the Company’s cybersecurity. All employees are required to complete cybersecurity trainings annually and have access to more frequent cybersecurity trainings through online trainings. We also require employees in certain roles to complete additional role-based, specialized cybersecurity trainings. The internal business owners of hosted applications are required to document user access reviews at least annually and receive a System and Organization Controls ("SOC") 1 or SOC 2 report from the vendor. If a third-party vendor is not able to provide a SOC 1 or SOC 2 report, management will take additional steps to assess the vendor’s cybersecurity preparedness.
The Audit Committee of the Board of Directors oversees the Company’s cybersecurity program and the steps taken by management to monitor and mitigate cybersecurity risks. The CIO regularly addresses the Audit Committee, typically on a quarterly basis, regarding our cybersecurity and data privacy progress to the NIST CSF standards along with briefing the Committee on any cybersecurity incidents that were determined to have a moderate or higher impact on the business, even if immaterial to the Company as a whole. In the event of an incident, management intends to follow the Company’s incident response plan, which outlines the steps to be followed from the detection of an incident to mitigation, recovery, and notification, including notifying functional areas, as well as senior leadership and the Audit Committee, as appropriate. Determination of when to notify senior leadership and the Audit Committee is made by the CIO in consultation with other members of senior leadership as needed. Depending on the nature and severity of the incident, disclosure can be handled either through scheduled quarterly reporting to the Audit Committee or as an immediate disclosure to the Chair of the Audit Committee.
Assessing, identifying, and managing cybersecurity related risks are integrated into the Company-wide ERM process. On an annual basis, management assesses the top risks facing the enterprise through the Company’s ERM process. Cybersecurity related risks are included in this annual function and to the extent the ERM process assigns a heightened risk to cybersecurity, risk owners are named to address the severity, likelihood, and controls in place to mitigate these risks. Upon the conclusion of the ERM process, management’s assessment is then presented to the Board of Directors.
Notwithstanding the attention the Company pays to cybersecurity risks and the processes and controls implemented, the Company may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on its business, strategy, financial condition, results of operations, cash flows, and reputation. Cybersecurity risks rapidly evolve and are complex, so the Company must continually adapt and enhance processes and controls. As the Company does this, management must make judgments about where to invest resources to protect the Company and our assets most effectively. These are inherently challenging processes, and management can provide no assurance that the processes and controls implemented will be effective.
The Company has experienced, and expects to continue to experience, cyber incidents in the normal course of business. Cybersecurity threats, including as a result of previous incidents, to date, have not had, and as of the date hereof we do not believe are reasonably likely to have, a material adverse effect on the Company’s business, strategy, financial condition, results of operations, or cash flows. However, for the reasons described above, management cannot guarantee that the Company will not be materially affected in the future. While the Company maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for further discussion of cybersecurity risks.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|On an annual basis, management assesses the top risks facing the enterprise through the Company’s ERM process
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Audit Committee of the Board of Directors oversees the Company’s cybersecurity program and the steps taken by management to monitor and mitigate cybersecurity risks. The CIO regularly addresses the Audit Committee, typically on a quarterly basis, regarding our cybersecurity and data privacy progress to the NIST CSF standards along with briefing the Committee on any cybersecurity incidents that were determined to have a moderate or higher impact on the business, even if immaterial to the Company as a whole. In the event of an incident, management intends to follow the Company’s incident response plan, which outlines the steps to be followed from the detection of an incident to mitigation, recovery, and notification, including notifying functional areas, as well as senior leadership and the Audit Committee, as appropriate. Determination of when to notify senior leadership and the Audit Committee is made by the CIO in consultation with other members of senior leadership as needed. Depending on the nature and severity of the incident, disclosure can be handled either through scheduled quarterly reporting to the Audit Committee or as an immediate disclosure to the Chair of the Audit Committee.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The CIO regularly addresses the Audit Committee, typically on a quarterly basis, regarding our cybersecurity and data privacy progress to the NIST CSF standards along with briefing the Committee on any cybersecurity incidents that were determined to have a moderate or higher impact on the business, even if immaterial to the Company as a whole
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|In the event of an incident, management intends to follow the Company’s incident response plan, which outlines the steps to be followed from the detection of an incident to mitigation, recovery, and notification, including notifying functional areas, as well as senior leadership and the Audit Committee, as appropriate. Determination of when to notify senior leadership and the Audit Committee is made by the CIO in consultation with other members of senior leadership as needed
|Cybersecurity Risk Role of Management [Text Block]
|Depending on the nature and severity of the incident, disclosure can be handled either through scheduled quarterly reporting to the Audit Committee or as an immediate disclosure to the Chair of the Audit Committee.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The CISO is responsible for assessing and managing the Company’s cybersecurity program, informs the CIO and other senior management as appropriate regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents and supervises such efforts
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO and CIO have decades of collective experience managing information technology and cybersecurity functions, both at the Company and in prior positions at large, Fortune 500 global businesses
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Upon the conclusion of the ERM process, management’s assessment is then presented to the Board of Directors.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true