|
Cybersecurity Risk Management, Strategy, and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 1C. Cybersecurity
As a government contractor, GEO routinely processes, stores, and transmits large amounts of “Personally Identifiable Information”. As such, we understand the criticalness of having a robust cybersecurity program that protects company assets as well as our clients’ data. Our customers, suppliers, service providers, subcontractors, and joint venture partners face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our operations, performance, and results of operations.
The Board, through its Cybersecurity and Environmental Oversight Committee, oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Senior leadership, including our Chief Information Security Officer (CISO), quarterly or as needed briefs the Board of Directors on our cybersecurity and information security posture, and the Board of Directors is apprised of cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to us.
Our corporate information security organization, led by our CISO, is responsible for our overall information security strategy, policy, security engineering, operations and cyber threat detection and response. Our current CISO has extensive information technology and program management experience and has served many years in our corporate information security organization. In addition, our CISO has a certificate in Cybersecurity Oversight from the Carnegie Mellon University Software Engineering Institute. The corporate information security organization oversees, manages, and continually enhances a robust enterprise security structure with the goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience to minimize the business impact should an incident occur. Employees outside of our corporate information security organization also have a role in our cybersecurity defenses and they are immersed in a corporate culture that supports information security, which we believe improves our cybersecurity.
The corporate information security organization has implemented a governance structure and processes to assess, identify, manage, and report cybersecurity risks. The underlying controls of the cyber risk management program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and the Center for Internet Security controls. In addition, GEO has robust policies and procedures related to cybersecurity and general IT practices that include but are not limited to encryption standards, antivirus protection, remote access, multifactor authentication, confidential information and the use of the internet, social media, email, and wireless devices. These policies go through an internal review process and are approved by appropriate members of management.
Assessing, identifying, and managing cybersecurity related risks are integrated into our overall enterprise risk management (ERM) process. These initiatives are supported by a Managed Security Service Provider ("MSSP") that provides continuous intelligence and threat assessments, including such risks from cybersecurity threats associated with our use of any third-party service provider. Also, as part of the program, GEO engages third party cybersecurity organizations to perform bi-annual assessments of the environment. Identified cybersecurity related risks are included in the risk universe that the ERM function evaluates to assess top risks to the enterprise on an annual basis. To the extent the ERM process identifies a heightened cybersecurity related risk, risk owners are assigned to develop risk mitigation plans, which are then tracked to completion. The ERM process’s annual risk assessment is presented to the Board.
Notwithstanding the extensive approach we take to prevent cybersecurity breaches, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse financial impact to our business. While GEO maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks. There have been no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect GEO, including its business strategy, results of operations, or financial condition.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Assessing, identifying, and managing cybersecurity related risks are integrated into our overall enterprise risk management (ERM) process.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The Board, through its Cybersecurity and Environmental Oversight Committee, oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Senior leadership, including our Chief Information Security Officer (CISO), quarterly or as needed briefs the Board of Directors on our cybersecurity and information security posture, and the Board of Directors is apprised of cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to us.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|CISO, is responsible for our overall information security strategy, policy, security engineering, operations and cyber threat detection and response.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The corporate information security organization has implemented a governance structure and processes to assess, identify, manage, and report cybersecurity risks. The underlying controls of the cyber risk management program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and the Center for Internet Security controls. In addition, GEO has robust policies and procedures related to cybersecurity and general IT practices that include but are not limited to encryption standards, antivirus protection, remote access, multifactor authentication, confidential information and the use of the internet, social media, email, and wireless devices. These policies go through an internal review process and are approved by appropriate members of management.
|Cybersecurity Risk Role of Management [Text Block]
|Notwithstanding the extensive approach we take to prevent cybersecurity breaches, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse financial impact to our business. While GEO maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks. There have been no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect GEO, including its business strategy, results of operations, or financial condition
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our corporate information security organization, led by our CISO, is responsible for our overall information security strategy, policy, security engineering, operations and cyber threat detection and response. Our current CISO has extensive information technology and program management experience and has served many years in our corporate information security organization. In addition, our CISO has a certificate in Cybersecurity Oversight from the Carnegie Mellon University Software Engineering Institute. The corporate information security organization oversees, manages, and continually enhances a robust enterprise security structure with the goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience to minimize the business impact should an incident occur. Employees outside of our corporate information security organization also have a role in our cybersecurity defenses and they are immersed in a corporate culture that supports information security, which we believe improves our cybersecurity.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our current CISO has extensive information technology and program management experience and has served many years in our corporate information security organization. In addition, our CISO has a certificate in Cybersecurity Oversight from the Carnegie Mellon University Software Engineering Institute.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Senior leadership, including our Chief Information Security Officer (CISO), quarterly or as needed briefs the Board of Directors on our cybersecurity and information security posture, and the Board of Directors is apprised of cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to us.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef