|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Enterprise Risk Management
The Company utilizes a structured, biannual ERM process to identify, assess, and address material risks facing the Company, including cybersecurity risks, during which business leaders across the Company are surveyed about current and emerging risk areas. After the ERM survey is completed and risk areas are identified, the results are discussed with the relevant management personnel across the organization in the key risk areas, root causes are analyzed, risk mitigation plans are developed, and key risk indicators are utilized to monitor mitigation efforts. The Chief Information Officer works closely with the Company’s management team in all facets of its ERM risk mitigation activities related to cybersecurity and information security risks.
Ongoing Mitigation Efforts
The Company has implemented a number of security measures designed to protect its systems and data, including firewalls, antivirus and malware detection tools, patches, log monitors, routine back-ups, system audits, system hardening, penetration testing and privileged access session management. In addition, the Company has continued its efforts to migrate its platforms to cloud-based computing, which is designed to further strengthen its security posture. The Company has focused on its incident response procedures and retained a leading incident response provider. The Company has also recently strengthened its disaster recovery procedures. The Company’s solutions incorporate cybersecurity features that are routinely analyzed. In addition, the Company maintains insurance that responds to cyber-attacks, which coverage limit and cost is discussed and reviewed with the Audit Committee annually.
The Company has what it believes are appropriate physical, technical, and administrative controls in place that are designed to protect customers’ data. The Company uses a three-pronged approach focused on further reducing exposure, raising greater security awareness, and further strengthening the Company’s cybersecurity defenses. This approach resulted in the Company further hardening its identity computing environments as part of its progress to a zero trust environment, heightened cybersecurity awareness efforts through increased comprehensive information security awareness training for employees on a quarterly basis, and the strengthening of the Company’s cybersecurity defenses through implementation of multifactor authentication for Privileged Access Management and Endpoint Detection and Response solutions across the Company’s computing environment.
Incident Response
In the event of a cybersecurity incident, dependent upon the nature of the incident, the Company has a Security Incident Response Team (“SIRT”) that is comprised of employees who have responsibility and authority to act during a cyber incident without delay, including, dependent upon the nature of the incident, the Company’s Chief Legal Officer, Chief Information Security Officer and Chief Information Officer. The SIRT includes individuals responsible for assessing, containing, and responding to incidents, as well as those responsible for assessing the business and legal impacts, reporting incidents as appropriate, communicating to internal and external stakeholders, and engaging with industry and government response partners to coordinate information and resource sharing when needed. During a cybersecurity incident, as warranted, the SIRT keeps the Company’s senior leadership and Board apprised of the response to the incident, any material operational or
business impacts, and any material internal or external communications regarding the incident. The SIRT will also seek the input of the Company’s senior leadership and Board, as needed, when addressing a cybersecurity incident. Upon resolution of a cybersecurity incident, generally, the Audit Committee will review the incident, the impact and the mitigation efforts and remediation actions the Company will implement. The Audit Committee then monitors the completion of the remediation actions and mitigation efforts.
Cybersecurity Leaders in Management
The Company’s IT strategy and implementation is overseen by a dedicated Chief Information Officer with over 20 years of experience in the field, including previously serving a 17-year tenure, most recently as Vice President of Global IT, with a global technology leader of fiber optic subsystems and components. He holds a Bachelor of Science in Computer Science and Engineering from Andhra University in India and an MBA from the Indian School of Business. In addition, the Company has engaged a Chief Information Security Officer (“CISO”) that has built and managed world-class information security programs and technology teams for industry leading global companies. She has deep experience securing healthcare-focused companies in both the provider and supplier space. She holds a Bachelor of Science from the University of Redlands and an MBA from Notre Dame De Namur University along with holding certified information systems security professional (“CISSP”) and certified information security manager (“CISM”) certifications.
Third Parties
The Company utilizes third-party service providers, such as cloud services, in connection with its operations, and its information security department implements a third-party risk assessment and review process in connection with those services to evaluate security posture and risk. The Company also engages third parties to assist in its cybersecurity management efforts, such as the leading incident response provider mentioned above and another provider to perform continuous monitoring and regular penetration testing of its information security systems and environment. The Company and its personnel also actively engage with a number of other key vendors, industry participants and intelligence and law enforcement communities as part of its information security and cybersecurity efforts.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|The Company has implemented a number of security measures designed to protect its systems and data, including firewalls, antivirus and malware detection tools, patches, log monitors, routine back-ups, system audits, system hardening, penetration testing and privileged access session management.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|As part of its risk oversight function, the Audit Committee of the Company’s Board of Directors is primarily responsible for overseeing and reviewing the Company’s information security and technology risks, including cybersecurity. In this role, the Audit Committee monitors the prevention, detection, mitigation and remediation of cybersecurity incidents through the regular receipt of reports from management on the effectiveness of its cybersecurity programs. These reports include semi-annual cybersecurity updates from the Company’s Chief Information Officer and quarterly reports from the Company’s risk management personnel on the progress of the Company’s broader Enterprise Risk Management (“ERM”) risk mitigation activities. As part of the ERM process, the Audit Committee provides input on key risks for the Company to consider. The Board also provides quarterly input on its views regarding potential emerging risk areas for the Company. The Audit Committee then reports to the full Board on a quarterly basis regarding its oversight activities and the risk management activities of the Company. In addition, the full Board periodically participates in cybersecurity-related table-top exercises and receives incident reports from the SIRT (as defined herein) as significant matters may arise.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|As part of its risk oversight function, the Audit Committee of the Company’s Board of Directors is primarily responsible for overseeing and reviewing the Company’s information security and technology risks, including cybersecurity. In this role, the Audit Committee monitors the prevention, detection, mitigation and remediation of cybersecurity incidents through the regular receipt of reports from management on the effectiveness of its cybersecurity programs.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
In the event of a cybersecurity incident, dependent upon the nature of the incident, the Company has a Security Incident Response Team (“SIRT”) that is comprised of employees who have responsibility and authority to act during a cyber incident without delay, including, dependent upon the nature of the incident, the Company’s Chief Legal Officer, Chief Information Security Officer and Chief Information Officer. The SIRT includes individuals responsible for assessing, containing, and responding to incidents, as well as those responsible for assessing the business and legal impacts, reporting incidents as appropriate, communicating to internal and external stakeholders, and engaging with industry and government response partners to coordinate information and resource sharing when needed. During a cybersecurity incident, as warranted, the SIRT keeps the Company’s senior leadership and Board apprised of the response to the incident, any material operational or
business impacts, and any material internal or external communications regarding the incident. The SIRT will also seek the input of the Company’s senior leadership and Board, as needed, when addressing a cybersecurity incident. Upon resolution of a cybersecurity incident, generally, the Audit Committee will review the incident, the impact and the mitigation efforts and remediation actions the Company will implement. The Audit Committee then monitors the completion of the remediation actions and mitigation efforts.
|Cybersecurity Risk Role of Management [Text Block]
|
In the event of a cybersecurity incident, dependent upon the nature of the incident, the Company has a Security Incident Response Team (“SIRT”) that is comprised of employees who have responsibility and authority to act during a cyber incident without delay, including, dependent upon the nature of the incident, the Company’s Chief Legal Officer, Chief Information Security Officer and Chief Information Officer. The SIRT includes individuals responsible for assessing, containing, and responding to incidents, as well as those responsible for assessing the business and legal impacts, reporting incidents as appropriate, communicating to internal and external stakeholders, and engaging with industry and government response partners to coordinate information and resource sharing when needed. During a cybersecurity incident, as warranted, the SIRT keeps the Company’s senior leadership and Board apprised of the response to the incident, any material operational or
business impacts, and any material internal or external communications regarding the incident. The SIRT will also seek the input of the Company’s senior leadership and Board, as needed, when addressing a cybersecurity incident. Upon resolution of a cybersecurity incident, generally, the Audit Committee will review the incident, the impact and the mitigation efforts and remediation actions the Company will implement. The Audit Committee then monitors the completion of the remediation actions and mitigation efforts.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
As part of its risk oversight function, the Audit Committee of the Company’s Board of Directors is primarily responsible for overseeing and reviewing the Company’s information security and technology risks, including cybersecurity. In this role, the Audit Committee monitors the prevention, detection, mitigation and remediation of cybersecurity incidents through the regular receipt of reports from management on the effectiveness of its cybersecurity programs. These reports include semi-annual cybersecurity updates from the Company’s Chief Information Officer and quarterly reports from the Company’s risk management personnel on the progress of the Company’s broader Enterprise Risk Management (“ERM”) risk mitigation activities. As part of the ERM process, the Audit Committee provides input on key risks for the Company to consider. The Board also provides quarterly input on its views regarding potential emerging risk areas for the Company. The Audit Committee then reports to the full Board on a quarterly basis regarding its oversight activities and the risk management activities of the Company. In addition, the full Board periodically participates in cybersecurity-related table-top exercises and receives incident reports from the SIRT (as defined herein) as significant matters may arise.The Company’s IT strategy and implementation is overseen by a dedicated Chief Information Officer with over 20 years of experience in the field, including previously serving a 17-year tenure, most recently as Vice President of Global IT, with a global technology leader of fiber optic subsystems and components. He holds a Bachelor of Science in Computer Science and Engineering from Andhra University in India and an MBA from the Indian School of Business.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The Company’s IT strategy and implementation is overseen by a dedicated Chief Information Officer with over 20 years of experience in the field, including previously serving a 17-year tenure, most recently as Vice President of Global IT, with a global technology leader of fiber optic subsystems and components. He holds a Bachelor of Science in Computer Science and Engineering from Andhra University in India and an MBA from the Indian School of Business.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
In the event of a cybersecurity incident, dependent upon the nature of the incident, the Company has a Security Incident Response Team (“SIRT”) that is comprised of employees who have responsibility and authority to act during a cyber incident without delay, including, dependent upon the nature of the incident, the Company’s Chief Legal Officer, Chief Information Security Officer and Chief Information Officer. The SIRT includes individuals responsible for assessing, containing, and responding to incidents, as well as those responsible for assessing the business and legal impacts, reporting incidents as appropriate, communicating to internal and external stakeholders, and engaging with industry and government response partners to coordinate information and resource sharing when needed. During a cybersecurity incident, as warranted, the SIRT keeps the Company’s senior leadership and Board apprised of the response to the incident, any material operational or
business impacts, and any material internal or external communications regarding the incident. The SIRT will also seek the input of the Company’s senior leadership and Board, as needed, when addressing a cybersecurity incident. Upon resolution of a cybersecurity incident, generally, the Audit Committee will review the incident, the impact and the mitigation efforts and remediation actions the Company will implement. The Audit Committee then monitors the completion of the remediation actions and mitigation efforts.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef