XML 44 R28.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Our processes for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management program and are based on the standardized framework established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization and other applicable industry standards. The NIST Cybersecurity Framework (“NIST CSF”) helps the Company prioritize its cybersecurity activities and take a risk-based approach to cybersecurity, which begins with the identification and evaluation of cybersecurity risks or threats that could affect the Company’s operations, finances, legal or regulatory compliance, or reputation. We rely on a cybersecurity team that works to identify, protect against, detect, respond to, and recover from cybersecurity threats and incidents through risk management and strategy. Our cybersecurity team has adopted procedures to promptly address material risks to the Company’s cybersecurity environment, with a triage and remediation protocol in place. Once identified, cybersecurity risks and related mitigation efforts are prioritized based on their potential impact, likelihood, velocity, and vulnerability, considering both quantitative and qualitative factors. Risk mitigation strategies are developed and implemented based on the specific nature of each cybersecurity risk. These strategies include, among others, the application of cybersecurity policies and procedures, implementation of administrative, technical, and physical controls, and employee training, education, and awareness initiatives.
As part of our cybersecurity defense structure, our internal cybersecurity team performs the following actions, without exclusion: (i) tracking cybersecurity risks, threats and incidents to help identify and analyze them; (ii) promptly reporting significant cybersecurity risks, threats and incidents to our CIO; and (iii) utilizing third-party vendors and software for review, testing, preemption and monitoring of cybersecurity risks, threats and incidents.

In addition, our CIO closely monitors the cybersecurity team’s approach with regular reviews of security risks and vulnerabilities, security strategy and the implementation of mitigation plans and technology, and reports quarterly to our Audit Committee and Board of Directors on, among other things, threats, mitigation measures, and preventative procedures and software.

We have a robust cybersecurity training and awareness program that requires all employees to complete mandatory cybersecurity awareness, information handling, and privacy training at the time of onboarding and on an annual basis thereafter. In addition, we regularly test our employees compliance with best practices using various techniques, such as simulated phishing campaigns, to validate the efficacy of our cybersecurity training.

We have implemented solutions, processes, and procedures to help mitigate the risk of cyberattacks, such as conducting annual vulnerability testing, and periodically engaging third-party experts to assist us with tasks such as implementing our incident response plan and conducting tabletop exercises.

The Company tracks key performance indicators and cybersecurity metrics to evaluate the efficacy of its cybersecurity controls and practices. Furthermore, the Company’s cybersecurity program is periodically reviewed and adjusted in an effort to maintain the program’s agility and responsiveness as circumstances evolve, new cybersecurity threats emerge, and regulations change.

As are other businesses, from time to time, we have experienced efforts by unknown persons, including “bots”, to access or breach our information systems, which have been prevented based on measures put in place by the Company. However, there can be no assurance we will be able to protect sensitive data and/or the integrity of the Company's information systems and to defend against such efforts in the future. See Item 1A. “Risk Factors” of this Form 10-K.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
Our processes for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management program and are based on the standardized framework established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization and other applicable industry standards. The NIST Cybersecurity Framework (“NIST CSF”) helps the Company prioritize its cybersecurity activities and take a risk-based approach to cybersecurity, which begins with the identification and evaluation of cybersecurity risks or threats that could affect the Company’s operations, finances, legal or regulatory compliance, or reputation. We rely on a cybersecurity team that works to identify, protect against, detect, respond to, and recover from cybersecurity threats and incidents through risk management and strategy. Our cybersecurity team has adopted procedures to promptly address material risks to the Company’s cybersecurity environment, with a triage and remediation protocol in place. Once identified, cybersecurity risks and related mitigation efforts are prioritized based on their potential impact, likelihood, velocity, and vulnerability, considering both quantitative and qualitative factors. Risk mitigation strategies are developed and implemented based on the specific nature of each cybersecurity risk. These strategies include, among others, the application of cybersecurity policies and procedures, implementation of administrative, technical, and physical controls, and employee training, education, and awareness initiatives.
As part of our cybersecurity defense structure, our internal cybersecurity team performs the following actions, without exclusion: (i) tracking cybersecurity risks, threats and incidents to help identify and analyze them; (ii) promptly reporting significant cybersecurity risks, threats and incidents to our CIO; and (iii) utilizing third-party vendors and software for review, testing, preemption and monitoring of cybersecurity risks, threats and incidents.

In addition, our CIO closely monitors the cybersecurity team’s approach with regular reviews of security risks and vulnerabilities, security strategy and the implementation of mitigation plans and technology, and reports quarterly to our Audit Committee and Board of Directors on, among other things, threats, mitigation measures, and preventative procedures and software.

We have a robust cybersecurity training and awareness program that requires all employees to complete mandatory cybersecurity awareness, information handling, and privacy training at the time of onboarding and on an annual basis thereafter. In addition, we regularly test our employees compliance with best practices using various techniques, such as simulated phishing campaigns, to validate the efficacy of our cybersecurity training.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] As the head of our cybersecurity team, our CIO reports quarterly on cybersecurity to our Audit Committee, which has primary responsibility for cybersecurity oversight, and also to our full Board and regularly reports to the Chief Executive Officer on such cybersecurity matters. Cybersecurity risk is assessed and tracked as a significant risk faced by the Company and is closely managed along key risk indicators covering security maturity, risk exposure, and security operations. Performance against these indicators is regularly measured and discussed, among other things, in our Board reporting.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] As the head of our cybersecurity team, our CIO reports quarterly on cybersecurity to our Audit Committee, which has primary responsibility for cybersecurity oversight, and also to our full Board and regularly reports to the Chief Executive Officer on such cybersecurity matters.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] As the head of our cybersecurity team, our CIO reports quarterly on cybersecurity to our Audit Committee, which has primary responsibility for cybersecurity oversight, and also to our full Board and regularly reports to the Chief Executive Officer on such cybersecurity matters. Cybersecurity risk is assessed and tracked as a significant risk faced by the Company and is closely managed along key risk indicators covering security maturity, risk exposure, and security operations. Performance against these indicators is regularly measured and discussed, among other things, in our Board reporting.
Cybersecurity Risk Role of Management [Text Block]
We have established a comprehensive incident response and recovery plan to identify, protect, respond to and recover from cybersecurity threats and incidents. The plan includes processes for the activation of the crisis management team (comprised of the Company’s Chief Executive Officer, Chief Financial Officer and General Counsel), incident handling, and prompt and fulsome reporting to the Board upon discovery of a breach that could reasonably be material upon further investigation. Our procedures require reporting up the chain of command, even while materiality assessments are still being determined. In addition, we have pre-negotiated contracts with external third-party incident response providers to guide and assist the internal crisis management team as needed.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The plan includes processes for the activation of the crisis management team (comprised of the Company’s Chief Executive Officer, Chief Financial Officer and General Counsel), incident handling, and prompt and fulsome reporting to the Board upon discovery of a breach that could reasonably be material upon further investigation.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The members of our cybersecurity team have risk management backgrounds, certifications, and/or cyber experience in prior professional roles and at the Company. The team maintains expertise on cyber risk management through certified security professionals on staff, external training and affiliations with relevant organizations.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Additionally, we regularly engage with third party assessors, consultants, and advisors as needed for reviews and testing of our cybersecurity risk management systems.
We have established a comprehensive incident response and recovery plan to identify, protect, respond to and recover from cybersecurity threats and incidents. The plan includes processes for the activation of the crisis management team (comprised of the Company’s Chief Executive Officer, Chief Financial Officer and General Counsel), incident handling, and prompt and fulsome reporting to the Board upon discovery of a breach that could reasonably be material upon further investigation. Our procedures require reporting up the chain of command, even while materiality assessments are still being determined. In addition, we have pre-negotiated contracts with external third-party incident response providers to guide and assist the internal crisis management team as needed.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true