Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management & Strategy

Our business requires the use of information technology (IT) and operational technology (OT) resources, including those to carry out our day-to-day operational activities both onshore and offshore, to maintain our business records and to proactively monitor internal and external cybersecurity threats. To respond to cybersecurity risks and threats, we have developed a cybersecurity risk management program designed to identify, assess, manage and respond to cybersecurity incidents while also preserving the confidentiality, integrity and continued availability of our information and assets. The underlying controls of our cyber risk management program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the International Organization for Standardization (ISO) 27001 Information Security Management System Requirements.

 

We have a Security Operations Center operating in multiple regions that provides daily monitoring of our global cybersecurity environment and coordinates real-time investigation and remediation of alerts. Cybersecurity risks related to our business, operations, privacy and compliance issues are identified, assessed and addressed through a multi-faceted approach including third party assessments, internal IT audits, IT/OT security, governance, risk and compliance reviews. To deter, detect and respond to cybersecurity incidents, we conduct proactive privacy and cybersecurity reviews of systems and applications, audit applicable data policies, perform penetration testing using external third-party tools and consultants, and conduct tabletop exercises to simulate responses to cybersecurity incidents. We also conduct and require our workforce to complete ongoing cybersecurity awareness education and training. Our team of cybersecurity professionals then collaborates with technical and business stakeholders across our business units to further analyze the risk to the company, and form detection, mitigation and remediation strategies.

 

We have implemented incident response and breach management processes, including (i) preparation for a cybersecurity incident, (ii) detection and analysis of a security incident; (iii) containment, remediation and recovery from an incident; and (iv) post-incident analysis. Such cybersecurity incident responses are overseen by leaders from our IT, compliance and legal teams as further described under “Cybersecurity Governance” below, and elevated to other senior leaders, third party providers and the Audit Committee of the Board as appropriate and in accordance with our response plan and procedures.

 

We engage third party security experts for assessments, penetration tests and program enhancements, including vulnerability assessments, security framework maturity assessments and identification of areas for continued focus and improvement. We use the findings of these exercises to improve our practices, procedures, and technologies. We engage third party security experts to support our cybersecurity threat and incident response management and maintain cybersecurity risk insurance coverage.

 

Our risk management program also assesses third party risks, and we perform third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers and potential fourth-party risks when handling and/or processing our employee, business or customer data.

 

We have not experienced a material cybersecurity incident and although we are subject to ongoing and evolving cybersecurity threats, we are not aware of any material risks from cybersecurity threats that have materially affected the Company. For more information on our cybersecurity risks, see “Risk Factors – Risks Relating to Information Technology and Cybersecurity – Cybersecurity attacks on any of our facilities, or those of third parties, may result in potential liability or reputational damage or otherwise adversely affect our business.”
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] We have implemented incident response and breach management processes, including (i) preparation for a cybersecurity incident, (ii) detection and analysis of a security incident; (iii) containment, remediation and recovery from an incident; and (iv) post-incident analysis. Such cybersecurity incident responses are overseen by leaders from our IT, compliance and legal teams as further described under “Cybersecurity Governance” below, and elevated to other senior leaders, third party providers and the Audit Committee of the Board as appropriate and in accordance with our response plan and procedures.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] We have not experienced a material cybersecurity incident and although we are subject to ongoing and evolving cybersecurity threats, we are not aware of any material risks from cybersecurity threats that have materially affected the Company. For more information on our cybersecurity risks, see “Risk Factors – Risks Relating to Information Technology and Cybersecurity – Cybersecurity attacks on any of our facilities, or those of third parties, may result in potential liability or reputational damage or otherwise adversely affect our business.”
Cybersecurity Risk Board of Directors Oversight [Text Block]

Cybersecurity Governance

The Audit Committee of our Board oversees our cybersecurity risk management program and meets on a quarterly basis with our Chief Information Officer (CIO) to review our cybersecurity programs and risks, including (as applicable) assessments and program maturity; evolving cyber risks; status on addressing and/or mitigating cyber risks; any recent cybersecurity or data privacy incidents at the Company and across the industry; and status on any key cybersecurity initiatives. These cybersecurity risks and programs are further reviewed and considered by the Board in connection with the company’s overarching enterprise risk program.

 

 

Our cybersecurity team is led by our Director of IT Infrastructure, who has over 20 years of experience and obtained various professional security certifications and advanced training in the field of cybersecurity and technology and reports to our CIO. Our CISO is responsible for managing and supervising our cyber risk management program and informing the CIO and senior management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents.

 

The CISO and CIO are informed about and monitor these cybersecurity programs and incidents through their oversight of, and participation in, the cybersecurity risk management and strategy processes described above, including management of and notices from our Security Operations Centers and the supervision of our incident response plan and processes.

 

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee of our Board oversees our cybersecurity risk management program and meets on a quarterly basis with our Chief Information Officer (CIO) to review our cybersecurity programs and risks, including (as applicable) assessments and program maturity; evolving cyber risks; status on addressing and/or mitigating cyber risks; any recent cybersecurity or data privacy incidents at the Company and across the industry; and status on any key cybersecurity initiatives. These cybersecurity risks and programs are further reviewed and considered by the Board in connection with the company’s overarching enterprise risk program.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The CISO and CIO are informed about and monitor these cybersecurity programs and incidents through their oversight of, and participation in, the cybersecurity risk management and strategy processes described above, including management of and notices from our Security Operations Centers and the supervision of our incident response plan and processes.
Cybersecurity Risk Role of Management [Text Block] Our cybersecurity team is led by our Director of IT Infrastructure, who has over 20 years of experience and obtained various professional security certifications and advanced training in the field of cybersecurity and technology and reports to our CIO. Our CISO is responsible for managing and supervising our cyber risk management program and informing the CIO and senior management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true