Cybersecurity Risk Management, Strategy, and Governance
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Item 1C. Cybersecurity.

As part of our Enterprise Risk Management (“ERM”) process, we identify risks and assign responsibility for managing each risk to the appropriate level of management. Cybersecurity is a risk identified in our ERM process. Management has implemented a comprehensive cybersecurity risk management strategy in line with industry standards and regulatory requirements. This strategy includes:

conducting an independent cybersecurity maturity assessment to evaluate the health of our overall cyber programs and developing a solid roadmap to continuously improve our defensive posture;
performing regular risk assessments, where we identify potential vulnerabilities and evaluate the likelihood of various cyber threats;
implementing security controls including email and browser protection, audit log monitoring, malware defenses, controlled use of administrative privileges, encryption protocols, and multi-factor authentication; and
implementing progressively challenging employee training and awareness programs, including simulated phishing campaigns, to reduce the risk of human error in the recognition and reporting of potential threats.

We continuously monitor our networks and systems and integrate threat intelligence feeds to evaluate evolving cyber threats. We conduct regular testing and simulation exercises, including engaging third-party service providers to perform penetration testing, to identify and address weaknesses in our defenses and engage third-party service providers to perform cybersecurity risk assessments, which are based on the National Institute of Standards and Technology framework. Cyber risks are considered and addressed for those third-party relationships deemed critical to our operations, as well as those with access to or custody of confidential data or customer non-public information, including PHI, and those services or products accessed in a cloud environment or involving generative artificial intelligence or other machine learning technologies.

The Audit and Risk Committee of the board of directors has responsibility of oversight for our enterprise risk assessment and risk management systems. Our Chief Information Officer (“CIO”), Senior Director of Information Security and other delegated positions are responsible for assessing and managing our material risks from cybersecurity risks. Our CIO has 15 years of experience in cybersecurity and a degree in management information systems. We also have a Cybersecurity Infrastructure Committee that meets monthly. We have implemented an incident response strategy as an element of our overall risk management approach. Our incident response plan entails clearly-defined roles and responsibilities, established communication protocols and measures to mitigate the impact of any cybersecurity incidents. We have experienced adverse IT events in the past, but to date, we have seen no material impact on our business or operations from these attacks or events. We prioritize the detection, response, and recovery from potential breaches and carry cybersecurity insurance which includes cyber breach response services. The scope and coverage of our cybersecurity insurance is reviewed on an annual basis. Risks and potential threats are identified and measured through these monitoring, testing, and response processes procedures and significant risks, and threats are reported by the CIO to the Audit and Risk Committee.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] We continuously monitor our networks and systems and integrate threat intelligence feeds to evaluate evolving cyber threats.
Cybersecurity Risk Board of Directors Oversight [Text Block]

The Audit and Risk Committee of the board of directors has responsibility of oversight for our enterprise risk assessment and risk management systems. Our Chief Information Officer (“CIO”), Senior Director of Information Security and other delegated positions are responsible for assessing and managing our material risks from cybersecurity risks. Our CIO has 15 years of experience in cybersecurity and a degree in management information systems. We also have a Cybersecurity Infrastructure Committee that meets monthly. We have implemented an incident response strategy as an element of our overall risk management approach. Our incident response plan entails clearly-defined roles and responsibilities, established communication protocols and measures to mitigate the impact of any cybersecurity incidents. We have experienced adverse IT events in the past, but to date, we have seen no material impact on our business or operations from these attacks or events. We prioritize the detection, response, and recovery from potential breaches and carry cybersecurity insurance which includes cyber breach response services. The scope and coverage of our cybersecurity insurance is reviewed on an annual basis. Risks and potential threats are identified and measured through these monitoring, testing, and response processes procedures and significant risks, and threats are reported by the CIO to the Audit and Risk Committee.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

The Audit and Risk Committee of the board of directors has responsibility of oversight for our enterprise risk assessment and risk management systems. Our Chief Information Officer (“CIO”), Senior Director of Information Security and other delegated positions are responsible for assessing and managing our material risks from cybersecurity risks.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] We also have a Cybersecurity Infrastructure Committee that meets monthly. We have implemented an incident response strategy as an element of our overall risk management approach. Our incident response plan entails clearly-defined roles and responsibilities, established communication protocols and measures to mitigate the impact of any cybersecurity incidents.
Cybersecurity Risk Role of Management [Text Block] Our Chief Information Officer (“CIO”), Senior Director of Information Security and other delegated positions are responsible for assessing and managing our material risks from cybersecurity risks. Our CIO has 15 years of experience in cybersecurity and a degree in management information systems. We also have a Cybersecurity Infrastructure Committee that meets monthly. We have implemented an incident response strategy as an element of our overall risk management approach. Our incident response plan entails clearly-defined roles and responsibilities, established communication protocols and measures to mitigate the impact of any cybersecurity incidents.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our Chief Information Officer (“CIO”), Senior Director of Information Security and other delegated positions are responsible for assessing and managing our material risks from cybersecurity risks. Our CIO has 15 years of experience in cybersecurity and a degree in management information systems.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The scope and coverage of our cybersecurity insurance is reviewed on an annual basis. Risks and potential threats are identified and measured through these monitoring, testing, and response processes procedures and significant risks, and threats are reported by the CIO to the Audit and Risk Committee.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true