|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We execute a comprehensive approach to cybersecurity risk management, helping ensure the data customers and other stakeholders entrust to us remains safe and secure. Our board of directors (the “Board”), Compliance Committee, and Information Security Program leaders are actively involved in the oversight of our cybersecurity risk management program. As described in more detail below, we have established standards, policies, practices, and processes focused on identifying, assessing, managing, mitigating, and responding to material risks from cybersecurity threats. To date, the Company is not aware of risks from cybersecurity threats, including as a result of any previous cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, our business strategies, results of operations, financial condition, or cash flows. However, while we have devoted financial and personnel resources to implement and maintain security measures to meet regulatory requirements and customer expectations, and we intend to continue to make investments to maintain the security of our data and cybersecurity infrastructure, we cannot provide absolute assurance that any potential future cybersecurity threats or incidents will not materially affect us or our business strategies, results of operations, financial condition, or cash flows. For further discussion on cybersecurity related risks, see the “Risk Factors” section of Item 1A of this annual report on Form 10-K.
RISK MANAGEMENT AND STRATEGY
We execute a holistic approach to our standards, policies, practices, and processes for identifying, assessing, managing, mitigating, and responding to material risks from cybersecurity threats, all of which are integrated into our overall risk management program. Our cybersecurity program is guided by industry-wide recognized standards, including The National Institute of Standards and Technology (NIST) Cybersecurity Framework.
We have implemented best practices and established numerous programs and controls to reduce cybersecurity risk. Our Information Security Program includes physical, administrative, and technical safeguards. Some key components of the Information Security Program include:
On an ongoing basis we conduct cybersecurity risk assessments, including compiling, reviewing, and acting on information garnered from internal stakeholders, known security vulnerabilities, and data from external sources. The results of these assessments are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes, and inform a broader enterprise-level risk assessment that is presented to our Board, Audit Committee, and members of management.
We routinely assess our systems and processes for modifications in advance of evolving state privacy regulations and other applicable industry standards and regularly update our privacy and information security policies to remain current with industry-leading practices. We are continually adapting to the ever-changing cyber risk landscape and have a dedicated team of information security professionals committed to maintaining the highest levels of systems and data security. The Company conducts and has engaged external information security firms to conduct assessments, including penetration tests, to continually improve security controls and ensure security controls. We continue to expand and grow our security team and their skillsets and make regular enhancements to our Information Security Program.
In addition, we engage with our third-party business partners to enforce our internal cybersecurity practices. We rely on all third-party business partners to maintain appropriate security programs; however, we cannot ensure in all circumstances that their efforts will be successful. We assess third-party cybersecurity controls through a detailed cybersecurity assessment and review and include security and privacy addendums to our contracts, where applicable. We also require that our third parties report material cybersecurity incidents to us, allowing us the ability to assess the impact of any reported incident on our operations.
Additionally, we developed a business continuity and disaster recovery program to help minimize the impact from certain types of cybersecurity risks. The Company’s incident response plans include emergency response, systems recovery, and other plans that would be enacted in the event of certain types of cybersecurity attacks. Our business continuity and disaster recovery plans are updated regularly and tested each year or as needed.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
RISK MANAGEMENT AND STRATEGY
We execute a holistic approach to our standards, policies, practices, and processes for identifying, assessing, managing, mitigating, and responding to material risks from cybersecurity threats, all of which are integrated into our overall risk management program. Our cybersecurity program is guided by industry-wide recognized standards, including The National Institute of Standards and Technology (NIST) Cybersecurity Framework.
We have implemented best practices and established numerous programs and controls to reduce cybersecurity risk. Our Information Security Program includes physical, administrative, and technical safeguards. Some key components of the Information Security Program include:
On an ongoing basis we conduct cybersecurity risk assessments, including compiling, reviewing, and acting on information garnered from internal stakeholders, known security vulnerabilities, and data from external sources. The results of these assessments are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes, and inform a broader enterprise-level risk assessment that is presented to our Board, Audit Committee, and members of management.
We routinely assess our systems and processes for modifications in advance of evolving state privacy regulations and other applicable industry standards and regularly update our privacy and information security policies to remain current with industry-leading practices. We are continually adapting to the ever-changing cyber risk landscape and have a dedicated team of information security professionals committed to maintaining the highest levels of systems and data security. The Company conducts and has engaged external information security firms to conduct assessments, including penetration tests, to continually improve security controls and ensure security controls. We continue to expand and grow our security team and their skillsets and make regular enhancements to our Information Security Program.
In addition, we engage with our third-party business partners to enforce our internal cybersecurity practices. We rely on all third-party business partners to maintain appropriate security programs; however, we cannot ensure in all circumstances that their efforts will be successful. We assess third-party cybersecurity controls through a detailed cybersecurity assessment and review and include security and privacy addendums to our contracts, where applicable. We also require that our third parties report material cybersecurity incidents to us, allowing us the ability to assess the impact of any reported incident on our operations.
Additionally, we developed a business continuity and disaster recovery program to help minimize the impact from certain types of cybersecurity risks. The Company’s incident response plans include emergency response, systems recovery, and other plans that would be enacted in the event of certain types of cybersecurity attacks. Our business continuity and disaster recovery plans are updated regularly and tested each year or as needed.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board Oversight
Our Board, in coordination with the Audit Committee, oversees our management of cybersecurity risk. The Board receives regular reports from management about the prevention, detection, assessment, mitigation, and remediation of cybersecurity risks and incidents, including analysis of material security risks or information security vulnerabilities. Our Audit Committee directly oversees our Information Security Program. The Audit Committee is composed of Board members with a broad range of expertise, including risk management, technology, and finance experience, which provides them with the necessary qualifications to effectively oversee cybersecurity risks. The Audit Committee receives on a quarterly basis, or as needed, comprehensive updates from management on cybersecurity risks, including risk assessments, cybersecurity maturity assessments, progress of risk reduction initiatives, enhancements to cybersecurity programs and initiatives, business continuity planning, PCI compliance, any relevant internal or industry cybersecurity incidents, and compliance with regulatory requirements and industry standards, as applicable.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Audit Committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our Board, in coordination with the Audit Committee, oversees our management of cybersecurity risk. The Board receives regular reports from management about the prevention, detection, assessment, mitigation, and remediation of cybersecurity risks and incidents, including analysis of material security risks or information security vulnerabilities. Our Audit Committee directly oversees our Information Security Program. The Audit Committee is composed of Board members with a broad range of expertise, including risk management, technology, and finance experience, which provides them with the necessary qualifications to effectively oversee cybersecurity risks. The Audit Committee receives on a quarterly basis, or as needed, comprehensive updates from management on cybersecurity risks, including risk assessments, cybersecurity maturity assessments, progress of risk reduction initiatives, enhancements to cybersecurity programs and initiatives, business continuity planning, PCI compliance, any relevant internal or industry cybersecurity incidents, and compliance with regulatory requirements and industry standards, as applicable.
|Cybersecurity Risk Role of Management [Text Block]
|A cross-functional Compliance Committee comprised of O’Reilly executive and senior leadership, including our Chief Information Officer (“CIO”), has responsibility for assessing and managing material cybersecurity risks and oversees our enterprise security, privacy, and risk priorities, including ensuring alignment on security decisions across the Company. The Compliance Committee meets quarterly, or as needed, to review security performance metrics, identify security risks, assess the status of approved security enhancements, and discuss future changes necessary to execute best practice, among other items. The Compliance Committee also considers and makes recommendations on security policies and procedures, security service requirements, and risk mitigation strategies to senior management. We have an established escalation process to help ensure senior management and the Board are timely informed of any potential cybersecurity issues or incidents. Our comprehensive monitoring, analysis, response, and communication protocols are designed to ensure the highest level of management is informed of cybersecurity risks and that the Board has comprehensive oversight and information necessary to provide guidance on critical cybersecurity issues.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|cross-functional Compliance Committee
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CIO has served in various roles in information technology for more than 30 years, including serving as a chief information officer for a technology company, and has a degree in information management systems.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|A cross-functional Compliance Committee comprised of O’Reilly executive and senior leadership, including our Chief Information Officer (“CIO”), has responsibility for assessing and managing material cybersecurity risks and oversees our enterprise security, privacy, and risk priorities, including ensuring alignment on security decisions across the Company. The Compliance Committee meets quarterly, or as needed, to review security performance metrics, identify security risks, assess the status of approved security enhancements, and discuss future changes necessary to execute best practice, among other items. The Compliance Committee also considers and makes recommendations on security policies and procedures, security service requirements, and risk mitigation strategies to senior management. We have an established escalation process to help ensure senior management and the Board are timely informed of any potential cybersecurity issues or incidents.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true