|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We have established processes for assessing, identifying, and managing material risks from cybersecurity threats and have integrated these cybersecurity processes into our overall risk management system. Specifically, we have adopted a cybersecurity framework that, where appropriate, aligns with the NIST's Cybersecurity Framework, and we have maintained systems that, where appropriate, are PCI compliant under current standards.
We regularly review our Incident Response Plans to ensure readiness if and when an incident does occur, including through live testing via planned and surprise tabletop exercises. In the event of a cybersecurity incident, if a system does become non-operational, we maintain disaster recovery capabilities to return to normal operation in a timely manner.
Our cybersecurity processes to assess and identify cybersecurity risks includes periodic risk assessments, deployment of security monitoring tools for continuous monitoring of our information systems, periodic testing for vulnerabilities in our systems, periodic testing of employees’ cybersecurity awareness, receiving cybersecurity alerts, among other procedures. Our Information Security (“IS”) department, which reports to the Vice President, Information Security, evaluates cybersecurity risks and works to design and ensure implementation of appropriate controls and safeguards in alignment with our business objectives and operational needs. Management periodically reviews cybersecurity risks as part of the overall risks to the company as part of the enterprise risk management program. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.
We engage various third parties to assess, test, or assist with the implementation of our risk management strategies, policies, and procedures to enhance our detection and management of cybersecurity risks, including but not limited to: consultants who assist with assessing risks, assist with our PCI compliance assessments, assess our systems alignment with the NIST Cybersecurity Framework, and test and/or scan for vulnerabilities.
We rely on software, hardware, and network systems, including cloud-based technology, that are either developed by us or licensed from or maintained by third parties to maintain operations. In the ordinary course of our business, we collect and utilize proprietary and customer information and data. We utilize systems designed to protect customer information and prevent fraudulent transactions and other security breaches. We rely on third-party software products to secure our credit card transactions.Furthermore, we maintain a process to evaluate and manage risks associated with third-party service providers. We conduct cybersecurity assessments of our key vendors before engagement, maintain continued monitoring during the engagement, and maintain the ability to discontinue our engagement with a key vendor if their cybersecurity posture fails to meet pre-established standards.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We have established processes for assessing, identifying, and managing material risks from cybersecurity threats and have integrated these cybersecurity processes into our overall risk management system. Specifically, we have adopted a cybersecurity framework that, where appropriate, aligns with the NIST's Cybersecurity Framework, and we have maintained systems that, where appropriate, are PCI compliant under current standards.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Board of Directors has responsibility for oversight and approval of our cybersecurity risk management processes, and the Board has established an oversight mechanism for cybersecurity risks.
Senior executives provide the Board of Directors with quarterly updates concerning cybersecurity risks and the Company’s cybersecurity strategies and objectives. In addition, members of management briefed on specific issues attend Board meetings to provide additional insight into the specific issues being discussed, including risk exposure.
The Board works with our senior executives in reviewing the cybersecurity risks and strategy, provides guidance on the Company’s cybersecurity goals and objectives, and monitors the information it receives from management regarding the assessment and management of cybersecurity risk. If a significant cybersecurity incident occurs, it will be reported promptly to the Board near the time of discovery.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board of Directors has responsibility for oversight and approval of our cybersecurity risk management processes, and the Board has established an oversight mechanism for cybersecurity risks.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Senior executives provide the Board of Directors with quarterly updates concerning cybersecurity risks and the Company’s cybersecurity strategies and objectives. In addition, members of management briefed on specific issues attend Board meetings to provide additional insight into the specific issues being discussed, including risk exposure.
The Board works with our senior executives in reviewing the cybersecurity risks and strategy, provides guidance on the Company’s cybersecurity goals and objectives, and monitors the information it receives from management regarding the assessment and management of cybersecurity risk. If a significant cybersecurity incident occurs, it will be reported promptly to the Board near the time of discovery.
The IS department is charged with monitoring risks, implementing controls, developing information security policies and procedures, and assessing cyber events. On a day-to-day basis, IS informs the Vice President, Information Security concerning cybersecurity risks and events, including any mitigation and remediation efforts. Our Vice President, Information Security joined the Company in September 2022, and is responsible for approving IS policies and procedures, implementing controls, monitoring and detection programs, and employee training on cybersecurity risks, and reports cybersecurity risks and strategies directly to executive leadership. He has over a decade of security experience, received his Master of Science in Computer Information and Information Systems Security/Information Assurance from Norwich University, and holds various certifications including Certified Ethical Hacker (CEH) and Certified Information Systems Security Professional (CISSP).
Cybersecurity incidents are escalated to the cybersecurity incident response team ("CIRT") who is responsible for overseeing our incident response strategy, including remediation. Significant cybersecurity incidents are escalated to the Company’s Incident Response Materiality Assessment Committee (“IRMAC”) that assesses and evaluates whether the incident is material
using criteria based on our enterprise risks. This committee is comprised of a cross-functional team that consists, in part, of employees at the management level and members of the executive team. As noted above, if a significant cybersecurity incident occurs, it will be reported promptly to the Board on an ad hoc and as-needed basis. Otherwise, management reports cybersecurity risks and developments to the Board quarterly.
|Cybersecurity Risk Role of Management [Text Block]
|
Senior executives provide the Board of Directors with quarterly updates concerning cybersecurity risks and the Company’s cybersecurity strategies and objectives. In addition, members of management briefed on specific issues attend Board meetings to provide additional insight into the specific issues being discussed, including risk exposure.
The Board works with our senior executives in reviewing the cybersecurity risks and strategy, provides guidance on the Company’s cybersecurity goals and objectives, and monitors the information it receives from management regarding the assessment and management of cybersecurity risk. If a significant cybersecurity incident occurs, it will be reported promptly to the Board near the time of discovery.
The IS department is charged with monitoring risks, implementing controls, developing information security policies and procedures, and assessing cyber events. On a day-to-day basis, IS informs the Vice President, Information Security concerning cybersecurity risks and events, including any mitigation and remediation efforts. Our Vice President, Information Security joined the Company in September 2022, and is responsible for approving IS policies and procedures, implementing controls, monitoring and detection programs, and employee training on cybersecurity risks, and reports cybersecurity risks and strategies directly to executive leadership. He has over a decade of security experience, received his Master of Science in Computer Information and Information Systems Security/Information Assurance from Norwich University, and holds various certifications including Certified Ethical Hacker (CEH) and Certified Information Systems Security Professional (CISSP).
Cybersecurity incidents are escalated to the cybersecurity incident response team ("CIRT") who is responsible for overseeing our incident response strategy, including remediation. Significant cybersecurity incidents are escalated to the Company’s Incident Response Materiality Assessment Committee (“IRMAC”) that assesses and evaluates whether the incident is material
using criteria based on our enterprise risks. This committee is comprised of a cross-functional team that consists, in part, of employees at the management level and members of the executive team. As noted above, if a significant cybersecurity incident occurs, it will be reported promptly to the Board on an ad hoc and as-needed basis. Otherwise, management reports cybersecurity risks and developments to the Board quarterly.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
The IS department is charged with monitoring risks, implementing controls, developing information security policies and procedures, and assessing cyber events. On a day-to-day basis, IS informs the Vice President, Information Security concerning cybersecurity risks and events, including any mitigation and remediation efforts. Our Vice President, Information Security joined the Company in September 2022, and is responsible for approving IS policies and procedures, implementing controls, monitoring and detection programs, and employee training on cybersecurity risks, and reports cybersecurity risks and strategies directly to executive leadership. He has over a decade of security experience, received his Master of Science in Computer Information and Information Systems Security/Information Assurance from Norwich University, and holds various certifications including Certified Ethical Hacker (CEH) and Certified Information Systems Security Professional (CISSP).
Cybersecurity incidents are escalated to the cybersecurity incident response team ("CIRT") who is responsible for overseeing our incident response strategy, including remediation. Significant cybersecurity incidents are escalated to the Company’s Incident Response Materiality Assessment Committee (“IRMAC”) that assesses and evaluates whether the incident is material
using criteria based on our enterprise risks. This committee is comprised of a cross-functional team that consists, in part, of employees at the management level and members of the executive team. As noted above, if a significant cybersecurity incident occurs, it will be reported promptly to the Board on an ad hoc and as-needed basis. Otherwise, management reports cybersecurity risks and developments to the Board quarterly.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our Vice President, Information Security joined the Company in September 2022, and is responsible for approving IS policies and procedures, implementing controls, monitoring and detection programs, and employee training on cybersecurity risks, and reports cybersecurity risks and strategies directly to executive leadership. He has over a decade of security experience, received his Master of Science in Computer Information and Information Systems Security/Information Assurance from Norwich University, and holds various certifications including Certified Ethical Hacker (CEH) and Certified Information Systems Security Professional (CISSP).
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The IS department is charged with monitoring risks, implementing controls, developing information security policies and procedures, and assessing cyber events. On a day-to-day basis, IS informs the Vice President, Information Security concerning cybersecurity risks and events, including any mitigation and remediation efforts. Our Vice President, Information Security joined the Company in September 2022, and is responsible for approving IS policies and procedures, implementing controls, monitoring and detection programs, and employee training on cybersecurity risks, and reports cybersecurity risks and strategies directly to executive leadership. He has over a decade of security experience, received his Master of Science in Computer Information and Information Systems Security/Information Assurance from Norwich University, and holds various certifications including Certified Ethical Hacker (CEH) and Certified Information Systems Security Professional (CISSP).
Cybersecurity incidents are escalated to the cybersecurity incident response team ("CIRT") who is responsible for overseeing our incident response strategy, including remediation. Significant cybersecurity incidents are escalated to the Company’s Incident Response Materiality Assessment Committee (“IRMAC”) that assesses and evaluates whether the incident is material
using criteria based on our enterprise risks. This committee is comprised of a cross-functional team that consists, in part, of employees at the management level and members of the executive team. As noted above, if a significant cybersecurity incident occurs, it will be reported promptly to the Board on an ad hoc and as-needed basis. Otherwise, management reports cybersecurity risks and developments to the Board quarterly.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef