Cybersecurity Risk Management, Strategy, and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 1C. CYBERSECURITY
The Company’s Board and management recognize the importance of maintaining the trust and confidence of our customers, clients, business partners and employees, and that effective risk oversight is critical to running a successful business and to fulfilling the Board's fiduciary responsibilities to the Company and its shareholders. Our Board is responsible for assuring that an appropriate culture of risk management exists within the Company and for setting the right “tone at the top.” The Board oversees an enterprise-wide approach to risk management, designed to support the achievement of organizational objectives, including strategic objectives, to improve long-term organizational performance and enhance shareholder value.
A fundamental part of risk management is not only understanding the risks a company faces and what steps management is taking to manage those risks, but also understanding what level of risk is appropriate for the Company. The involvement of the full Board in setting the Company’s business strategy is a key part of its assessment of management’s tolerance for risk and also a determination of what constitutes an appropriate level of risk for the Company.
Refer to Part I, Item 1A. “Risk Factors” of this 2024 Annual Report on Form 10-K for further information about the Company's overall ERM process.
Risk Management and Strategy
Cybersecurity is a critical component of the Company’s ERM program. The Company has established an information security framework to help safeguard the confidentiality, integrity, and availability of information assets and ensure regulatory, operational, and contractual requirements are fulfilled. The Company’s cybersecurity program is focused on the following key areas:
Governance: The Board provides oversight of the ERM process and reviews the significant identified risks. The Board’s oversight of cybersecurity risk management is supported by the Audit and Compliance Committee, which regularly interacts with the Company’s senior management, including the Director - Information Systems (i.e. the Company's chief information officer). The Company’s various Board committees also play a role in risk management, as detailed in their respective charters.
Collaborative Approach: The Company has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the materiality, public disclosure and reporting of such incidents can be made by management in a timely manner. Senior leadership also briefs the Board on information security matters at least annually.
Technical Safeguards: The Company deploys technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, such as machine learning intelligence platforms with an array of technologies, extensive encryption, firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls. These safeguards are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. The frameworks used to guide the deployment of technical safeguards include: International Organization for Standardization (ISO) 27001, Service Organization Control 2 (SOC 2), Sarbanes-Oxley (SOX), and National Institute of Standards and Technology (NIST). The Company has been ISO 27001 certified since 2015 and is externally audited and certified annually by a leading IT compliance attestation firm.
Incident Response Planning: The Company has established, maintains and regularly tests incident response plans that address the Company’s overall preparedness and response to a cybersecurity incident. The plans include, among other steps, assessment processes to determine the magnitude and materiality of an incident, an analysis of the need and method to communicate to various constituencies (customers, employees, authorities, etc.), and the requirements for public and regulatory disclosure. In addition to this response planning framework, among other mitigating actions the Company maintains an insurance policy for cybersecurity liability that provides not only coverage for breaches, but also loss prevention services and claims advisors.
Third Party Risk Management: The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third party systems. Third parties are granted access to systems based on the principle of least privilege.
Education and Awareness: The Company provides mandatory annual training for personnel on cybersecurity threats, intended to equip employees with effective tools and knowledge to address those threats and to communicate the Company’s evolving information security policies, standards, processes and practices. Quarterly internal phishing tests are performed, and periodic and/or thematic email communications are provided throughout the year to raise awareness. Individual training is given to personnel as needed.
Governance
The Board oversees the Company’s ERM process, including the management of risks arising from cybersecurity threats. The Board receives annual cybersecurity updates from senior management, and the Audit and Compliance Committee provides a deeper level of oversight through an annual review of management’s approach to cybersecurity risk with the Director – Information Systems. The Board and the Audit and Compliance Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.
The Director – Information Systems, as head of cybersecurity and in coordination with management, works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response plans. Management is actively involved in the incident response and risk management process (mitigation, transference, and acceptance). Additionally, Company management meets monthly as part of the cybersecurity steering committee to direct proper activities to mitigate any risks identified.
The SVP-CFO, VP-Controller and VP-General Counsel are explicitly informed by the Director of Information Systems, internal security team and Managed Security Service Provider (MSSP) of incidents and periodically updated on the investigation progress and impact of the incident. Management also receives explicit monthly summaries on all incidents. Material incidents are summarized at an annual management review meeting.
Internal IS Management has the following certifications: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), GIAC/SANS Certified Forensic Examiner, Cloud Forensics and Incident Responder (GCFR), Certified Advanced Smartphone Forensics (GASF), Certified Cloud Security Professional (CCSP), Magnet Certified Forensic Examiner, BBA Information Technology Emphasis Security, and CompTIA Security+.
While the Company has experienced, and expects to continue to experience, cyber threats, no material security breaches of third-party information have occurred. Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including its business strategy, results of operations or financial condition. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A “Risk Factors” under the heading “General,” which should be read in conjunction with the foregoing information.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|The Company has established an information security framework to help safeguard the confidentiality, integrity, and availability of information assets and ensure regulatory, operational, and contractual requirements are fulfilled.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|While the Company has experienced, and expects to continue to experience, cyber threats, no material security breaches of third-party information have occurred. Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including its business strategy, results of operations or financial condition.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Board oversees the Company’s ERM process, including the management of risks arising from cybersecurity threats. The Board receives annual cybersecurity updates from senior management, and the Audit and Compliance Committee provides a deeper level of oversight through an annual review of management’s approach to cybersecurity risk with the Director – Information Systems. The Board and the Audit and Compliance Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.
The Director – Information Systems, as head of cybersecurity and in coordination with management, works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response plans. Management is actively involved in the incident response and risk management process (mitigation, transference, and acceptance). Additionally, Company management meets monthly as part of the cybersecurity steering committee to direct proper activities to mitigate any risks identified.
The SVP-CFO, VP-Controller and VP-General Counsel are explicitly informed by the Director of Information Systems, internal security team and Managed Security Service Provider (MSSP) of incidents and periodically updated on the investigation progress and impact of the incident. Management also receives explicit monthly summaries on all incidents. Material incidents are summarized at an annual management review meeting.
Internal IS Management has the following certifications: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), GIAC/SANS Certified Forensic Examiner, Cloud Forensics and Incident Responder (GCFR), Certified Advanced Smartphone Forensics (GASF), Certified Cloud Security Professional (CCSP), Magnet Certified Forensic Examiner, BBA Information Technology Emphasis Security, and CompTIA Security+.
While the Company has experienced, and expects to continue to experience, cyber threats, no material security breaches of third-party information have occurred. Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including its business strategy, results of operations or financial condition. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A “Risk Factors” under the heading “General,” which should be read in conjunction with the foregoing information.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board receives annual cybersecurity updates from senior management, and the Audit and Compliance Committee provides a deeper level of oversight through an annual review of management’s approach to cybersecurity risk with the Director – Information Systems.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board and the Audit and Compliance Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.
|Cybersecurity Risk Role of Management [Text Block]
|
The Director – Information Systems, as head of cybersecurity and in coordination with management, works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response plans. Management is actively involved in the incident response and risk management process (mitigation, transference, and acceptance). Additionally, Company management meets monthly as part of the cybersecurity steering committee to direct proper activities to mitigate any risks identified.
The SVP-CFO, VP-Controller and VP-General Counsel are explicitly informed by the Director of Information Systems, internal security team and Managed Security Service Provider (MSSP) of incidents and periodically updated on the investigation progress and impact of the incident. Management also receives explicit monthly summaries on all incidents. Material incidents are summarized at an annual management review meeting.
Internal IS Management has the following certifications: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), GIAC/SANS Certified Forensic Examiner, Cloud Forensics and Incident Responder (GCFR), Certified Advanced Smartphone Forensics (GASF), Certified Cloud Security Professional (CCSP), Magnet Certified Forensic Examiner, BBA Information Technology Emphasis Security, and CompTIA Security+.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Director – Information Systems, as head of cybersecurity and in coordination with management, works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response plans.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The SVP-CFO, VP-Controller and VP-General Counsel are explicitly informed by the Director of Information Systems, internal security team and Managed Security Service Provider (MSSP) of incidents and periodically updated on the investigation progress and impact of the incident.
Internal IS Management has the following certifications: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), GIAC/SANS Certified Forensic Examiner, Cloud Forensics and Incident Responder (GCFR), Certified Advanced Smartphone Forensics (GASF), Certified Cloud Security Professional (CCSP), Magnet Certified Forensic Examiner, BBA Information Technology Emphasis Security, and CompTIA Security+.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Management is actively involved in the incident response and risk management process (mitigation, transference, and acceptance). Additionally, Company management meets monthly as part of the cybersecurity steering committee to direct proper activities to mitigate any risks identified.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true