Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
We have established processes and procedures for ensuring the confidentiality, integrity, and availability of data. These processes are in place to assess, identify, and manage material risks from cybersecurity threats. Annual risk assessments are performed and incorporated as part of our Enterprise Risk Management (ERM) organizational process, which is overseen by our Board of Directors (the Board) and the Audit Committee, along with Executive Leadership. Our information security management system (ISMS) program is aligned to ISO 27001, which is an international standard to manage information security. ISO 27001 is published by the International Organization for Standardization (ISO), the world's largest developer of voluntary standards, and the International Electrotechnical Commission.
Our IT security department, led by our Senior Vice President (SVP) IT Infrastructure & Security, is tasked with monitoring cybersecurity and operational risks related to information security and system disruption. The team employs measures designed to protect against, detect, and respond to cybersecurity threats, and has implemented processes and procedures aligned with our ISMS to support and promote resilient programs. This includes:
Enterprise security framework and cybersecurity standards;
Cybersecurity awareness and training plans;
Security assessments and monitoring;
Restricted physical access to critical areas, servers, and network equipment;
Incident response, crisis management, business continuity, and disaster recovery plans; and
Third-party IT vendor risk management process to identify, assess, and manage risks presented by our IT vendors and business partners.
Our IT security department maintains a playbook to respond to potential cybersecurity threats. We conduct tabletop exercises for tactical response readiness, perform regular security scans of our environment from both external and internal perspectives, and work with a qualified third-party vendor to perform penetration tests of our environment. Any identified risks are included in our overall risk management program, and internal and external auditors validate our IT controls on a regular basis.
We conduct organization-wide cybersecurity training and compliance exercises in connection with our information security program. This training consists of educational material and compliance testing administered to all of our employees, which is tracked and recorded throughout the year. Results and progress are shared with Executive Leadership, the Audit Committee, and the Board. Employee phishing tests are conducted on a regular basis. Employees who do not follow protocol are redirected for additional training.
We have implemented an IT vendor risk management policy that provides guidance in managing risks associated with IT vendors and business partners. We have also established a third-party risk management program and conduct pre-onboarding security assessments and annual re-assessments of our service providers to collect, track, and manage third-party security controls based upon the risk presented to the business. Any issues identified during assessment are tracked through to remediation.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
Annual risk assessments are performed and incorporated as part of our Enterprise Risk Management (ERM) organizational process, which is overseen by our Board of Directors (the Board) and the Audit Committee, along with Executive Leadership. Our information security management system (ISMS) program is aligned to ISO 27001, which is an international standard to manage information security. ISO 27001 is published by the International Organization for Standardization (ISO), the world's largest developer of voluntary standards, and the International Electrotechnical Commission.
Our IT security department, led by our Senior Vice President (SVP) IT Infrastructure & Security, is tasked with monitoring cybersecurity and operational risks related to information security and system disruption. The team employs measures designed to protect against, detect, and respond to cybersecurity threats, and has implemented processes and procedures aligned with our ISMS to support and promote resilient programs. This includes:
Enterprise security framework and cybersecurity standards;
Cybersecurity awareness and training plans;
Security assessments and monitoring;
Restricted physical access to critical areas, servers, and network equipment;
Incident response, crisis management, business continuity, and disaster recovery plans; and
Third-party IT vendor risk management process to identify, assess, and manage risks presented by our IT vendors and business partners.
Our IT security department maintains a playbook to respond to potential cybersecurity threats. We conduct tabletop exercises for tactical response readiness, perform regular security scans of our environment from both external and internal perspectives, and work with a qualified third-party vendor to perform penetration tests of our environment. Any identified risks are included in our overall risk management program, and internal and external auditors validate our IT controls on a regular basis.
We conduct organization-wide cybersecurity training and compliance exercises in connection with our information security program. This training consists of educational material and compliance testing administered to all of our employees, which is tracked and recorded throughout the year. Results and progress are shared with Executive Leadership, the Audit Committee, and the Board. Employee phishing tests are conducted on a regular basis. Employees who do not follow protocol are redirected for additional training.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Our Board and Audit Committee are actively engaged in the oversight of our risk management, including cybersecurity risk. The Audit Committee receives quarterly reports on information security from our SVP IT Infrastructure & Security. Additionally, Executive Leadership is briefed on information security at least quarterly by members of our IT security, compliance, governance, and audit teams. The Audit Committee of the Board is responsible for overseeing our risk exposure to information security, cybersecurity, and data protection, as well as the steps management has taken to monitor and control such exposures.
Our IT security department, which assesses and manages our risks from cybersecurity threats, is led by our SVP IT Infrastructure & Security, who reports to our Senior EVP IT. Additional oversight for assessing and managing cybersecurity risk includes Executive sponsors, IT, Human Resources, IT Governance Risk and Compliance, Internal Audit, and Legal, as well as members of our Information Security Risk Council, IT Risk Committee, and ERM teams.
We have in place an incident response plan to identify, protect, detect, respond to, and recover from cybersecurity threats and incidents. The Information Security Risk Council, Executive Leadership, the Audit Committee, and the Board are notified of any material cybersecurity incidents through an established escalation process. Additionally, we maintain a qualified third-party vendor relationship which is available to the team for on-demand incident response and investigation, as needed.
The IT security department team members have degrees applicable to cybersecurity, including Bachelors in Information Systems, Computer Science, Management Information Systems and/or Masters in Cybersecurity, and hold professional certifications, including Certified Information Systems Security Professional, Offensive Security Certified Professional, Global Information Assurance Certification (GIAC) Defensible Security Architecture, GIAC Forensic Examiner, GIAC Incident Handling, and GIAC Open Source Intelligence. Our SVP IT Infrastructure & Security holds a Cybersecurity and Privacy Law Certificate from Mitchell Hamline School of Law, and has 29 years of experience in systems, network, and database administration. Additionally, our Senior IT security department manager is an Offensive Security Certified Professional, and holds GIAC Security Leadership (GSLC), with over 25 years of experience in network performance, availability, and protection.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
Our Board and Audit Committee are actively engaged in the oversight of our risk management, including cybersecurity risk. The Audit Committee receives quarterly reports on information security from our SVP IT Infrastructure & Security. Additionally, Executive Leadership is briefed on information security at least quarterly by members of our IT security, compliance, governance, and audit teams. The Audit Committee of the Board is responsible for overseeing our risk exposure to information security, cybersecurity, and data protection, as well as the steps management has taken to monitor and control such exposures.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
We have in place an incident response plan to identify, protect, detect, respond to, and recover from cybersecurity threats and incidents. The Information Security Risk Council, Executive Leadership, the Audit Committee, and the Board are notified of any material cybersecurity incidents through an established escalation process. Additionally, we maintain a qualified third-party vendor relationship which is available to the team for on-demand incident response and investigation, as needed.
Cybersecurity Risk Role of Management [Text Block]
Our IT security department, which assesses and manages our risks from cybersecurity threats, is led by our SVP IT Infrastructure & Security, who reports to our Senior EVP IT. Additional oversight for assessing and managing cybersecurity risk includes Executive sponsors, IT, Human Resources, IT Governance Risk and Compliance, Internal Audit, and Legal, as well as members of our Information Security Risk Council, IT Risk Committee, and ERM teams.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
The Audit Committee receives quarterly reports on information security from our SVP IT Infrastructure & Security. Additionally, Executive Leadership is briefed on information security at least quarterly by members of our IT security, compliance, governance, and audit teams. The Audit Committee of the Board is responsible for overseeing our risk exposure to information security, cybersecurity, and data protection, as well as the steps management has taken to monitor and control such exposures.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
The IT security department team members have degrees applicable to cybersecurity, including Bachelors in Information Systems, Computer Science, Management Information Systems and/or Masters in Cybersecurity, and hold professional certifications, including Certified Information Systems Security Professional, Offensive Security Certified Professional, Global Information Assurance Certification (GIAC) Defensible Security Architecture, GIAC Forensic Examiner, GIAC Incident Handling, and GIAC Open Source Intelligence. Our SVP IT Infrastructure & Security holds a Cybersecurity and Privacy Law Certificate from Mitchell Hamline School of Law, and has 29 years of experience in systems, network, and database administration. Additionally, our Senior IT security department manager is an Offensive Security Certified Professional, and holds GIAC Security Leadership (GSLC), with over 25 years of experience in network performance, availability, and protection.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
We have in place an incident response plan to identify, protect, detect, respond to, and recover from cybersecurity threats and incidents. The Information Security Risk Council, Executive Leadership, the Audit Committee, and the Board are notified of any material cybersecurity incidents through an established escalation process. Additionally, we maintain a qualified third-party vendor relationship which is available to the team for on-demand incident response and investigation, as needed.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true