|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Our Global Security program aims to safeguard critical assets through a risk-based approach to cybersecurity. The CSO provides leadership for the program. We employ a defense-in-depth strategy and have established a Security Risk Management Program. In that regard, we built a customized IRCF that was developed with the specific intent of keeping information assets secure and preventing technology resources from unauthorized disclosure, modification, deletion, and destruction. We have modeled our IRCF on several leading industry standards including portions of the NIST Cybersecurity Framework. The IRCF serves as an organizational model for governance and reporting and is reviewed annually.
Our Global Security Organization is responsible for the day-to-day execution of our cyber risk management strategy. This strategy has been incorporated into our overall ERM program and is thus informed by, and overseen through, our ERM program. Our ERM program facilitates identifying, prioritizing, analyzing and remediating enterprise risks, in which cyber risks are included. Within the broader ERM framework, we established a specific program - the IRM program - organizing the governance of risks associated with information held by us. The IRM Steering Committee, of which our CSO is a member, manages the IRM program and discusses the management of cyber risks on a regular cadence, and substantive updates from the IRM Steering Committee are provided to the ERM Steering Committee. Finally, through our ERM program, updates and discussion regarding our cybersecurity risk management are provided to and occur at the Risk Committee.
We provide on at least an annual basis cybersecurity awareness training to our employees. For example, our employees with network access participate in required training, covering topics such as spear phishing, social engineering and other cybersecurity threat awareness training.
To supplement our cyber risk management capabilities, we utilize certain third-party vendors. These vendors support our ability to proactively secure our network and systems, in addition to ongoing monitoring of our cyber environment. With respect to our management of cyber risks arising from third-party vendors, we utilize an internal risk assessment and monitoring program that includes the identification and ongoing review of third-party controls.
As part of our cyber risk management strategy, we established a process for identifying and assessing the material risk of cybersecurity incidents. In the event a cybersecurity incident is identified, the CIRT, which is made up of a cross-functional team, including technology, security, finance and legal professionals, acts in accordance with established processes. The CIRT convenes regular meetings to review and analyze relevant cybersecurity indicators and information. Utilizing an IRC, if it is determined that an incident needs to be reviewed for potential materiality, it is referred to our Chief Legal Officer who will engage the necessary or desirable cross functional professionals as needed in order to make a determination of materiality. We also seek to regularly update and upgrade our technology investments in an effort to further support our ability to identify and assess risks from cybersecurity incidents.
As of December 31, 2024, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, and financial condition. We continue to invest in cyber-resilience and cyber-threat response preparedness as we anticipate ongoing risks from cybersecurity threats. Refer to the “Risk Factors” section contained in Item 1A of this Form 10-K for more information on our cybersecurity-related risks.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our Global Security Organization is responsible for the day-to-day execution of our cyber risk management strategy. This strategy has been incorporated into our overall ERM program and is thus informed by, and overseen through, our ERM program. Our ERM program facilitates identifying, prioritizing, analyzing and remediating enterprise risks, in which cyber risks are included. Within the broader ERM framework, we established a specific program - the IRM program - organizing the governance of risks associated with information held by us.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Cyber Risk Governance
Our Cyber Risk Management Strategy described in this Item 1C. is overseen by senior executives with experience in cybersecurity and our business operations and is ultimately overseen by the Risk Committee. Our Global Security Organization is tasked with executing this strategy through the implementation of cybersecurity policies, procedures, and strategies. In the event that a cybersecurity risk is identified, as and to the extent appropriate, the Global Security Organization manages the day-to-day response to such material risk and provides regular reports to the ERM Steering Committee, or the Risk Committee, or the Board, as appropriate. The CSO is also an advisor to the Company's Disclosure Committee, which meets quarterly.
On a quarterly basis, a meeting of the Risk Committee is convened to discuss and evaluate our management of enterprise-wide risks. Each meeting of the Risk Committee is facilitated by our Executive Director for ERM and includes programmatic updates from the CSO, among other enterprise risk topics. The Risk Committee provides updates to the full Board regarding the state of the Company’s ERM program.
Cyber risks are an enterprise risk that the ERM Program monitors and thus such risks are an ongoing area of focus of the ERM Steering Committee and, as a result, the Risk Committee. On a monthly basis, the ERM Steering Committee is convened and receives pertinent updates regarding our management of cyber risks, as necessary.
In addition to the regularly scheduled programmatic updates that are provided to the ERM Steering Committee and the Risk Committee, we also established a process to inform such committees of significant cybersecurity events and allow them to monitor corresponding remediation efforts. Specifically, the IRM Steering Committee, consisting of senior leaders from the security, privacy, data governance, technology, records management, and third-party risk management programs, reports to the ERM Steering Committee and has the responsibility to provide updates regarding the prevention, detection, mitigation, and remediation of significant cybersecurity threats.
The ERM Steering Committee is similarly tasked with providing relevant updates to the Risk Committee, via the ERM Program, regarding significant cybersecurity threats. Additionally, we have developed a process that is specific to the management and analysis of cybersecurity incidents. This process includes weekly and monthly updates from the CIRT along with escalation criteria that allow for significant cybersecurity threats to be reviewed for materiality on an ad hoc basis. These updates are also provided to the ERM Steering Committee and the Risk Committee as necessary.
Our CSO leads our Global Security Organization which is responsible for overseeing, assessing and monitoring the Company's cyber risk management strategy. Our CSO has over 20 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other companies. He holds a B.S. degree from Azusa Pacific University and an M.B.A. from the University of Southern California. Team members who support our Global Security team have relevant educational and industry experience, including holding similar positions at other large companies.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our Cyber Risk Management Strategy described in this Item 1C. is overseen by senior executives with experience in cybersecurity and our business operations and is ultimately overseen by the Risk Committee. Our Global Security Organization is tasked with executing this strategy through the implementation of cybersecurity policies, procedures, and strategies. In the event that a cybersecurity risk is identified, as and to the extent appropriate, the Global Security Organization manages the day-to-day response to such material risk and provides regular reports to the ERM Steering Committee, or the Risk Committee, or the Board, as appropriate. The CSO is also an advisor to the Company's Disclosure Committee, which meets quarterly.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|On a quarterly basis, a meeting of the Risk Committee is convened to discuss and evaluate our management of enterprise-wide risks.
|Cybersecurity Risk Role of Management [Text Block]
|
Our Cyber Risk Management Strategy described in this Item 1C. is overseen by senior executives with experience in cybersecurity and our business operations and is ultimately overseen by the Risk Committee. Our Global Security Organization is tasked with executing this strategy through the implementation of cybersecurity policies, procedures, and strategies. In the event that a cybersecurity risk is identified, as and to the extent appropriate, the Global Security Organization manages the day-to-day response to such material risk and provides regular reports to the ERM Steering Committee, or the Risk Committee, or the Board, as appropriate. The CSO is also an advisor to the Company's Disclosure Committee, which meets quarterly.
On a quarterly basis, a meeting of the Risk Committee is convened to discuss and evaluate our management of enterprise-wide risks. Each meeting of the Risk Committee is facilitated by our Executive Director for ERM and includes programmatic updates from the CSO, among other enterprise risk topics. The Risk Committee provides updates to the full Board regarding the state of the Company’s ERM program.
Cyber risks are an enterprise risk that the ERM Program monitors and thus such risks are an ongoing area of focus of the ERM Steering Committee and, as a result, the Risk Committee. On a monthly basis, the ERM Steering Committee is convened and receives pertinent updates regarding our management of cyber risks, as necessary.
In addition to the regularly scheduled programmatic updates that are provided to the ERM Steering Committee and the Risk Committee, we also established a process to inform such committees of significant cybersecurity events and allow them to monitor corresponding remediation efforts. Specifically, the IRM Steering Committee, consisting of senior leaders from the security, privacy, data governance, technology, records management, and third-party risk management programs, reports to the ERM Steering Committee and has the responsibility to provide updates regarding the prevention, detection, mitigation, and remediation of significant cybersecurity threats.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|ERM Steering Committee, or the Risk Committee, or the Board, as appropriate. The CSO is also an advisor to the Company's Disclosure Committee, which meets quarterly
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CSO has over 20 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other companies. He holds a B.S. degree from Azusa Pacific University and an M.B.A. from the University of Southern California
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The ERM Steering Committee is similarly tasked with providing relevant updates to the Risk Committee, via the ERM Program, regarding significant cybersecurity threats.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true