XML 68 R33.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
We are committed to maintaining robust cybersecurity practices to safeguard our information assets and ensure the confidentiality, integrity, and availability of our operations. We employ a comprehensive approach to assess, identify, and manage material risks arising from cybersecurity threats. The identification and oversight of material cybersecurity risks is included in continuous ERM Committee and Board meetings and reporting.

We complete regular cybersecurity assessments to identify potential vulnerabilities and threats, analyzing our infrastructure, systems, and data. Assessments are conducted both internally and by third parties and consider internal and external factors, technological changes, regulatory requirements, and emerging cyber threats. Our cybersecurity program adheres to widely recognized standards for managing cybersecurity risk, including the National Institute of Standards and Technology Cybersecurity Framework, Center for Internet Security Controls and U.K. Cyber Essentials.

We use advanced threat detection tools and technologies to identify potential cybersecurity risks. This includes continuous monitoring, intrusion detection systems, and anomaly detection mechanisms, to promptly identify any unusual activities or security breaches. Threat intelligence sharing with industry partners helps us stay informed about the latest cybersecurity threats.

We assess cybersecurity risks for their potential impact on our operations, data, and reputation. Risks are prioritized based on their severity and likelihood of occurrence before implementing appropriate controls, safeguards, and mitigation measures to address and manage these risks effectively.

We have developed a well-defined and frequently updated information security incident response plan that outlines procedures to be followed in the event of a cybersecurity incident. The plan is periodically drilled with incident response team members and includes robust processes for identification, categorization, escalation and reporting of incidents. Team members are regularly trained on key cybersecurity subjects to ensure awareness. In June 2024, a cybersecurity incident occurred involving CDK, a third-party provider of certain information systems used by us, that triggered our information security incident response plan. Although the incident disrupted our operations, we believe our response plan operated substantially as we intended and the incident did not materially impact our financial condition or results of operations. The incident, however, provided us an opportunity to test our response plan, refine our procedures and consider improvements.

While no company can or will be completely immune from cybersecurity threats, especially as they relate to vendors and government agencies that we rely on, we know of no cybersecurity incident that has or is likely to materially affect us, our business strategy, or our results of operations, or financial condition.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
We are committed to maintaining robust cybersecurity practices to safeguard our information assets and ensure the confidentiality, integrity, and availability of our operations. We employ a comprehensive approach to assess, identify, and manage material risks arising from cybersecurity threats. The identification and oversight of material cybersecurity risks is included in continuous ERM Committee and Board meetings and reporting.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Our Board oversees our cybersecurity and data protection strategy and appoints a director to lead the Board’s efforts. Our Board is briefed on our cybersecurity posture, current and future risks and potential incidents or vulnerabilities on a quarterly basis. Board members and executives participate in engagements on cybersecurity, such as simulated cyber incident response and crisis management exercises. Our Board also regularly receives and reviews third-party cybersecurity assessments, which include assessments of our cyber maturity and cyber risk.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board oversees our cybersecurity and data protection strategy and appoints a director to lead the Board’s efforts.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
Our Board oversees our cybersecurity and data protection strategy and appoints a director to lead the Board’s efforts. Our Board is briefed on our cybersecurity posture, current and future risks and potential incidents or vulnerabilities on a quarterly basis. Board members and executives participate in engagements on cybersecurity, such as simulated cyber incident response and crisis management exercises. Our Board also regularly receives and reviews third-party cybersecurity assessments, which include assessments of our cyber maturity and cyber risk.
Cybersecurity Risk Role of Management [Text Block]
Our information security team and its leadership have primary responsibility for assessing and managing cybersecurity risks, within the scope of the overall ERM Committee.

Our Senior Director of Information Security is responsible for identifying, assessing, and managing risks from cybersecurity threats. The Senior Director of Information Security manages our cybersecurity program and receives information regarding cybersecurity incidents and threats from our information security management team, through internal cyber risk management processes. The Senior Director of Information Security reports to the Chief Technology and Innovation Officer (CTIO) and provides frequent and up to date reporting on cyber risk to our ERM Committee, a cross functional executive-level steering group, which includes the CTIO and has a wealth of experience in enterprise risk. The ERM Committee meets on a quarterly basis or as necessary to assess and respond to enterprise risks, including cybersecurity, and reports updates to the Board.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
Our information security team and its leadership have primary responsibility for assessing and managing cybersecurity risks, within the scope of the overall ERM Committee.

Our Senior Director of Information Security is responsible for identifying, assessing, and managing risks from cybersecurity threats. The Senior Director of Information Security manages our cybersecurity program and receives information regarding cybersecurity incidents and threats from our information security management team, through internal cyber risk management processes. The Senior Director of Information Security reports to the Chief Technology and Innovation Officer (CTIO) and provides frequent and up to date reporting on cyber risk to our ERM Committee, a cross functional executive-level steering group, which includes the CTIO and has a wealth of experience in enterprise risk. The ERM Committee meets on a quarterly basis or as necessary to assess and respond to enterprise risks, including cybersecurity, and reports updates to the Board.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
The Senior Director of Information Security has over 10 years of experience in senior level information security roles, has over 20 years' experience in Fortune 500 enterprise IT roles, and holds Associate and Bachelor Degrees and the Certified Information Security Manager (CISM) Professional certification, amongst others. The members of our information security management team have extensive experience in technology and security roles, possessing cybersecurity certifications such as Certified Information Systems Security Professional (CISSP), Cisco Certified Network Professional (CCNP) and Global Certified Incident Handler (GCIH), amongst others."
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
Our Senior Director of Information Security is responsible for identifying, assessing, and managing risks from cybersecurity threats. The Senior Director of Information Security manages our cybersecurity program and receives information regarding cybersecurity incidents and threats from our information security management team, through internal cyber risk management processes. The Senior Director of Information Security reports to the Chief Technology and Innovation Officer (CTIO) and provides frequent and up to date reporting on cyber risk to our ERM Committee, a cross functional executive-level steering group, which includes the CTIO and has a wealth of experience in enterprise risk. The ERM Committee meets on a quarterly basis or as necessary to assess and respond to enterprise risks, including cybersecurity, and reports updates to the Board.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true