XML 18 R9.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management, Strategy, and Governance
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

ITEM 1C. CYBERSECURITY

Governance Related to Cybersecurity Risks

Our Board of Directors (“Board”) holds overall oversight responsibility for the Company’s strategy and risk management, including in relation to cybersecurity risks. Our Board exercises its oversight function through the Audit Committee, which oversees the management of risk exposure across various areas, including data security risks, in accordance with its charter. The Audit Committee receives quarterly reports from our Chief Information Officer (“CIO”) on the status of the Company’s cybersecurity program, including measures implemented to monitor and address cybersecurity risks and threats, as appropriate.

Our enterprise risk management committee (“ERMC”) is composed of senior management, including the CIO and other senior executives. The ERMC monitors and oversees risk areas that potentially could pose a high impact to the business, and cybersecurity currently is one of the ERMC’s priority focus areas. The ERMC reports on our top identified risks and steps to address those risks to the full Board on a semi-annual basis. Our CIO has over twenty years of information technology experience.

Our IT Infrastructure & Security Operations teams manage the day-to-day administration of our cybersecurity program. We also work with a managed security service provider to monitor for vulnerabilities and threats. The service provider has the authority to take actions to remediate critical and high vulnerabilities, and these are reported to the IT Infrastructure & Security Operations team and up to the CIO and other members of senior management, where appropriate. We engage employees in our cybersecurity efforts through a quarterly process for employees to complete mandatory security and awareness training as well as monthly simulated phishing campaigns. We also conduct specific training and tabletop exercises for key personnel involved in cybersecurity risk management.

Cybersecurity Risk Management and Strategy

We maintain a cybersecurity program, which is informed by industry standards, that includes processes for identification, assessment, and management of cybersecurity risks and which is integrated into our larger enterprise-wide risk management program . We conduct periodic risk assessments, including with support from external vendors, to assess our cyber program, identify areas of enhancement, and develop strategies for the mitigation of cyber risks. We also conduct regular security penetration testing and have established a vulnerability management process supported by security testing, for the treatment of identified security risks based on severity. Third-parties that access, process, collect, share, create, store, transmit or destroy our information or have access to our systems may have additional contractual controls.

Our IT Infrastructure & Security Operations team is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks through various means, including by leveraging managed security service providers and other third-party security software and technology services. In addition, we institute processes and technologies for the monitoring of security alerts from internal parties and external resources, including from information security research sources. We also have implemented processes and technologies for network monitoring and data loss prevention procedures.

We have been subject to cybersecurity incidents in the past, including the publicly disclosed July 2024 security incident. Although we do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents have materially affected us, our business strategy, results of operations or financial condition, there is no guarantee that past security incidents and any future incidents will not have a material impact on our business strategy, results of operations, or financial condition in the future. See Item 1A, “Risk Factors,” to this report for more information.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

We maintain a cybersecurity program, which is informed by industry standards, that includes processes for identification, assessment, and management of cybersecurity risks and which is integrated into our larger enterprise-wide risk management program . We conduct periodic risk assessments, including with support from external vendors, to assess our cyber program, identify areas of enhancement, and develop strategies for the mitigation of cyber risks. We also conduct regular security penetration testing and have established a vulnerability management process supported by security testing, for the treatment of identified security risks based on severity. Third-parties that access, process, collect, share, create, store, transmit or destroy our information or have access to our systems may have additional contractual controls.

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Our Board of Directors (“Board”) holds overall oversight responsibility for the Company’s strategy and risk management, including in relation to cybersecurity risks. Our Board exercises its oversight function through the Audit Committee, which oversees the management of risk exposure across various areas, including data security risks, in accordance with its charter. The Audit Committee receives quarterly reports from our Chief Information Officer (“CIO”) on the status of the Company’s cybersecurity program, including measures implemented to monitor and address cybersecurity risks and threats, as appropriate.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board of Directors (“Board”) holds overall oversight responsibility for the Company’s strategy and risk management, including in relation to cybersecurity risks.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board exercises its oversight function through the Audit Committee, which oversees the management of risk exposure across various areas, including data security risks, in accordance with its charter.
Cybersecurity Risk Role of Management [Text Block]

Our enterprise risk management committee (“ERMC”) is composed of senior management, including the CIO and other senior executives. The ERMC monitors and oversees risk areas that potentially could pose a high impact to the business, and cybersecurity currently is one of the ERMC’s priority focus areas. The ERMC reports on our top identified risks and steps to address those risks to the full Board on a semi-annual basis. Our CIO has over twenty years of information technology experience.

Our IT Infrastructure & Security Operations teams manage the day-to-day administration of our cybersecurity program. We also work with a managed security service provider to monitor for vulnerabilities and threats. The service provider has the authority to take actions to remediate critical and high vulnerabilities, and these are reported to the IT Infrastructure & Security Operations team and up to the CIO and other members of senior management, where appropriate. We engage employees in our cybersecurity efforts through a quarterly process for employees to complete mandatory security and awareness training as well as monthly simulated phishing campaigns. We also conduct specific training and tabletop exercises for key personnel involved in cybersecurity risk management.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The ERMC reports on our top identified risks and steps to address those risks to the full Board on a semi-annual basis. Our CIO has over twenty years of information technology experience.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our CIO has over twenty years of information technology experience.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Our IT Infrastructure & Security Operations team is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks through various means, including by leveraging managed security service providers and other third-party security software and technology services
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true