Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

The framework for our overall process for managing risk encompasses the management of risks posed by cybersecurity threats. Management’s role, responsibilities and processes for identifying, assessing, monitoring, reporting and managing risks, which include cybersecurity risks, are discussed further in Item 1. “Business — Risk Management.” As a general matter, we take a proactive approach to assessing and monitoring cybersecurity-specific risks that is oriented around monitoring emerging external threats, ensuring controls are in place to identify and manage risk within our technology environment, and creating a culture of vigilance across the organization.

We test for and resolve vulnerabilities within our systems and applications by using network and infrastructure vulnerability testing and adversary emulation, also known as red teaming, and we hire a third party to do the same at least once a year. We maintain a vulnerability disclosure program to enhance discovery and remediation of external-facing vulnerabilities. We also undergo a third-party maturity assessment of our information security program every two years and a third-party enterprise penetration test annually. We leverage external resources to help define information security and technology standards for our environment.

Our cybersecurity controls are monitored and refined based on learnings from regular red team engagements and analysis by third party threat hunters. All cyber defense operations are supported through a dedicated cybersecurity threat intelligence function. We collaborate with information security peers across the industry to augment threat intelligence. Our threat intelligence program helps create awareness and understanding of potential cybersecurity threats and adversaries.

We proactively assess potential risks presented by new services or systems integrated with our network or data and ensure appropriate controls are applied under such circumstances. We have proactive security controls built into our software development life cycle that help engineers identify and resolve security issues at every stage of software development. Our identity verification processes, which include multi-factor authentication and other identity verification technologies, provide further protection for clients and customers. We perform due diligence and monitor third party relationships to assess the suitability of their cybersecurity controls and protocols based on risk profile for the business operations or services for which they are engaged.

Our awareness and training program is designed to create a risk-aware culture to ensure employees understand cybersecurity threats and are accountable for completing required training. We have trained our employees to recognize and resist phishing attempts with our simulated phishing program. At least quarterly, our employees are presented with simulated phishing scenarios that deliver hands-on experience and on-the-spot education opportunities. All engineers and employees holding equivalent roles who are involved in software development also receive mandated secure software development training.

We have an enterprise incident management plan that provides a framework for preparing for, managing and responding to cybersecurity incidents that may arise. The plan ensures that stakeholders across the organization with the appropriate experience, training and expertise in incident management are identified, and that the organization is well positioned to address incidents. For example, we carry out cybersecurity incident response exercises to develop widespread familiarity and experience in responding to cybersecurity incidents.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

Same text as the “Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats” text block above.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

The Board oversees management’s execution and performance of its risk management responsibilities, which include cybersecurity threats. The Board receives at least one cybersecurity report every quarter from our Chief Information Officer, our Chief Information Security Officer, our Chief Risk Officer or other professionals. The Board also reviews and approves the business resiliency and information security programs intended to guard against cybersecurity and related risks. Lastly, the Board receives input on cybersecurity issues from external entities such as our independent auditor, regulators and consultants. Each of these steps furthers the Board’s efforts to ensure we have established and are proactively maintaining an enterprise-wide cybersecurity risk program with appropriate policies, practices and controls designed to ensure resiliency in the face of emerging threats.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Board
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Board receives at least one cybersecurity report every quarter from our Chief Information Officer, our Chief Information Security Officer, our Chief Risk Officer or other professionals. The Board also reviews and approves the business resiliency and information security programs intended to guard against cybersecurity and related risks. Lastly, the Board receives input on cybersecurity issues from external entities such as our independent auditor, regulators and consultants.
Cybersecurity Risk Role of Management [Text Block]

Our internal risk committees meet regularly to facilitate the management of issues and review the risk profile of their responsibilities. Each business area and functional area has its own committee responsible for oversight of the material risks within the area. We also have internal committees that provide oversight around certain types of risks across the organization. This matrix approach helps maintain comprehensive risk coverage and preserve an integrated view of risks. The Enterprise Risk Management Committee, comprised of members from the Executive Management Group (“EMG”), exercises enterprise-wide oversight for the most significant risk profiles.

Business areas and functional areas have primary responsibility for identifying, assessing, monitoring, reporting and managing their own risks. Our enterprise risk management staff (independent of the business areas) work closely with the dedicated risk professionals aligned to the business areas and functional areas to provide objective oversight, framework enablement and aggregated risk analysis. This results in a model where risk management can be closer to actual risks while also facilitating effective oversight and consolidation at the enterprise level.

Internal Audit provides independent, risk-based, objective assurance and advice designed to add value and improve our operations. It helps us accomplish our objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, internal control and governance processes, and by promoting continuous improvement. The Chief Internal Auditor reports functionally to the Board Audit Committee and administratively to our Chief Risk Officer.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Chief Information Officer, Security Officer, Chief Risk Officer
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

Same text as the “Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats” text block above, beginning with the paragraph on vulnerability testing and adversary emulation.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true