XML 23 R10.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management, Strategy and Governance
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Item 1C. Cybersecurity

Risk Management and Strategy

Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats

We primarily assess, identify and manage material risks from cybersecurity threats through our enterprise information security program, which is maintained by our Chief Information Security Officer (“CISO”) and overseen by our Executive Vice President and Chief Information Officer (“CIO”).

Our enterprise information security program, which is designed to ensure that our information systems are adequately protected, is based on frameworks established by the National Institute of Standards and Technology and other applicable industry standards. We consider our enterprise information security program to be a key component of our overall risk management system, with program elements evaluated annually and briefings provided to management each quarter.

As part of our enterprise information security program, we regularly assess and deploy technical safeguards designed to detect cybersecurity threats and protect our information systems from these threats. In addition, we maintain incident response and recovery plans, the effectiveness of which is tested and evaluated on a regular basis. We also provide privacy and security training, including quarterly phishing education campaigns, to enhance employee awareness of how to detect and respond to cybersecurity threats.

We regularly engage assessors, consultants, auditors and other third parties to support our enterprise information security program. These engagements encompass a variety of activities, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness.

The information gleaned from these assessments, audits and reviews is used to enhance our enterprise information security program, including cybersecurity policies, standards, processes and practices. In addition, significant findings from these assessments are reported to management and the Audit Committee of our Board of Directors (the “Board”).

We also have processes in place to oversee and identify risks from cybersecurity threats associated with the use of third-party service providers. Third-party service providers are subject to security risk assessments at the time of on-boarding, contract

renewal, and upon detection of an increase in risk profile. We have similar processes in place to oversee and identify cybersecurity-related risks posed by our suppliers.

Risks from Cybersecurity Threats

We and our third-party administrators, vendors and partners are subject to ongoing cybersecurity threats. While we cannot guarantee that these threats will not have an adverse impact on us, these threats did not materially affect us during the year ended December 31, 2024 and we do not believe such threats are reasonably likely to materially affect us in the future, including with respect to our business strategy, results of operations, or financial condition. For more information on risks related to cybersecurity, refer to “Risk Factors—Risks Related to Cybersecurity, Data Privacy and Intellectual Property Protection.”

Governance

Board of Directors’ Oversight of Risks from Cybersecurity Threats

The Audit Committee is primarily responsible for oversight of risks from cybersecurity threats. As set forth in the Amended & Restated Audit Committee Charter, the Audit Committee oversees the steps management takes to monitor and control our data privacy and cybersecurity risk exposure. The Board delegated this responsibility to the Audit Committee in part because it includes members with significant experience and/or expertise in cybersecurity and other technology matters.

The Audit Committee is informed of risks from cybersecurity threats through regular reports from our CIO and CISO. Our CIO and CISO report to the Audit Committee at least quarterly. The Audit Committee actively engages with our CIO and CISO regarding these risks. Depending on the materiality of a risk, the Audit Committee, CIO or CISO may report on such risk to the full Board.

In addition, from time to time, the Board may constitute a special committee to focus on a particular cybersecurity matter or risk.

Management’s Role in Assessing and Managing Material Risks from Cybersecurity Threats

Management is integral to assessing and managing our material risks from cybersecurity threats. While all members of management are involved in the review of these risks, our CIO oversees and is responsible for our cybersecurity program. Our CIO is a seasoned technology leader and change agent who has served as the top technology executive for multi-billion-dollar global organizations spanning diverse industries. With over 25 years of experience, our CIO has led business and information technology transformations, implemented global digital strategies, and optimized and integrated governance, risk, and compliance frameworks, processes and technologies in complex regulatory and industry environments. We believe our CIO’s knowledge, skills and experience provide significant value to our Company.

Our CIO and CISO provide regular reports to management regarding risks from cybersecurity threats and the prevention, detection, mitigation and remediation of cybersecurity incidents. Within our information technology organization, our CISO and other key members of our information security team provide regular reports to our CIO.

As discussed above, our CIO and CISO also provide regular reports regarding risks from cybersecurity threats to our Audit Committee and, depending on the materiality of a risk, the full Board. In addition, from time to time, members of management may provide reports to a special committee of the Board for cybersecurity.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Board of Directors’ Oversight of Risks from Cybersecurity Threats

The Audit Committee is primarily responsible for oversight of risks from cybersecurity threats. As set forth in the Amended & Restated Audit Committee Charter, the Audit Committee oversees the steps management takes to monitor and control our data privacy and cybersecurity risk exposure. The Board delegated this responsibility to the Audit Committee in part because it includes members with significant experience and/or expertise in cybersecurity and other technology matters.

The Audit Committee is informed of risks from cybersecurity threats through regular reports from our CIO and CISO. Our CIO and CISO report to the Audit Committee at least quarterly. The Audit Committee actively engages with our CIO and CISO regarding these risks. Depending on the materiality of a risk, the Audit Committee, CIO or CISO may report on such risk to the full Board.

In addition, from time to time, the Board may constitute a special committee to focus on a particular cybersecurity matter or risk.

Management’s Role in Assessing and Managing Material Risks from Cybersecurity Threats

Management is integral to assessing and managing our material risks from cybersecurity threats. While all members of management are involved in the review of these risks, our CIO oversees and is responsible for our cybersecurity program. Our CIO is a seasoned technology leader and change agent who has served as the top technology executive for multi-billion-dollar global organizations spanning diverse industries. With over 25 years of experience, our CIO has led business and information technology transformations, implemented global digital strategies, and optimized and integrated governance, risk, and compliance frameworks, processes and technologies in complex regulatory and industry environments. We believe our CIO’s knowledge, skills and experience provide significant value to our Company.

Our CIO and CISO provide regular reports to management regarding risks from cybersecurity threats and the prevention, detection, mitigation and remediation of cybersecurity incidents. Within our information technology organization, our CISO and other key members of our information security team provide regular reports to our CIO.

As discussed above, our CIO and CISO also provide regular reports regarding risks from cybersecurity threats to our Audit Committee and, depending on the materiality of a risk, the full Board. In addition, from time to time, members of management may provide reports to a special committee of the Board for cybersecurity.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

In addition, from time to time, the Board may constitute a special committee to focus on a particular cybersecurity matter or risk.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

The Audit Committee is informed of risks from cybersecurity threats through regular reports from our CIO and CISO. Our CIO and CISO report to the Audit Committee at least quarterly. The Audit Committee actively engages with our CIO and CISO regarding these risks. Depending on the materiality of a risk, the Audit Committee, CIO or CISO may report on such risk to the full Board.
Cybersecurity Risk Role of Management [Text Block]

Management is integral to assessing and managing our material risks from cybersecurity threats. While all members of management are involved in the review of these risks, our CIO oversees and is responsible for our cybersecurity program. Our CIO is a seasoned technology leader and change agent who has served as the top technology executive for multi-billion-dollar global organizations spanning diverse industries. With over 25 years of experience, our CIO has led business and information technology transformations, implemented global digital strategies, and optimized and integrated governance, risk, and compliance frameworks, processes and technologies in complex regulatory and industry environments. We believe our CIO’s knowledge, skills and experience provide significant value to our Company.

Our CIO and CISO provide regular reports to management regarding risks from cybersecurity threats and the prevention, detection, mitigation and remediation of cybersecurity incidents. Within our information technology organization, our CISO and other key members of our information security team provide regular reports to our CIO.

As discussed above, our CIO and CISO also provide regular reports regarding risks from cybersecurity threats to our Audit Committee and, depending on the materiality of a risk, the full Board. In addition, from time to time, members of management may provide reports to a special committee of the Board for cybersecurity.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our CIO is a seasoned technology leader and change agent who has served as the top technology executive for multi-billion-dollar global organizations spanning diverse industries.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] With over 25 years of experience, our CIO has led business and information technology transformations, implemented global digital strategies, and optimized and integrated governance, risk, and compliance frameworks, processes and technologies in complex regulatory and industry environments. We believe our CIO’s knowledge, skills and experience provide significant value to our Company.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

Our CIO and CISO provide regular reports to management regarding risks from cybersecurity threats and the prevention, detection, mitigation and remediation of cybersecurity incidents. Within our information technology organization, our CISO and other key members of our information security team provide regular reports to our CIO.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true