Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
We have developed, implemented and maintain a formal, risk-based Information Security Management System, or ISMS, that is designed to protect the confidentiality, integrity, and availability of the information contained within our systems. Our ISMS complies with a number of internationally recognized standards for information security, including the ISO 27001:2022 standard for information security management; the AICPA System and Organization Controls 2 (SOC 2) criteria for Security and Availability; and the Payment Card Industry Data Security Standard 4.0, or PCI DSS 4.0, the global standard for the payment card industry. In accordance with these standards, our cybersecurity incident response process and plan are included in the ISMS.
In the event of a potential cybersecurity incident, our Chief Information Security Officer, or CISO, is notified of the incident and assembles an Incident Response Team, which is comprised of individuals who have the technical, operational, and regulatory knowledge necessary to assist the CISO. Typically, senior members of our engineering, operations, security, compliance/data protection office, and legal functions comprise the Incident Response Team. The Incident Response Team conducts an assessment to determine the nature and scope of the incident and manages the incident in accordance with our incident response procedures until the incident is contained and resolved. The Incident Response Team documents its findings and makes them available to the Incident Classification Team, which is comprised of our CISO, Executive Vice President of Production Engineering, Chief Information Officer, Chief Legal & Compliance Officer, or CLO, Chief Operating Officer, Chief Financial Officer, or CFO, and their respective delegates. The Incident Classification Team is responsible for assessing the incident and notifying members of our management and our Board. Our Chief Executive Officer, CLO, CISO and CFO, in conjunction with third-party experts, including outside legal counsel, and our internal disclosure committee, are responsible for coordinating external communications and disclosures, including with the Securities and Exchange Commission.
Our ISMS is risk-based. The cybersecurity risk process within the ISMS is an integral component of our enterprise risk management program, and shares the common methodologies, reporting channels and governance processes that the enterprise risk management program applies to other legal, compliance, strategic, operational, and financial risk areas. Cybersecurity incidents and their associated risks are integrated into the enterprise risk management program, where appropriate mitigating strategies are determined and acted upon to reduce cybersecurity risk.
Our ISMS and cybersecurity risk management program includes:
risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
a security team principally responsible for (1) recommending and implementing appropriate technologies to mitigate cybersecurity risks; (2) monitoring internal systems and taking appropriate action in the event of alerts; (3) monitoring the threat landscape; and (4) our response to cybersecurity incidents and management of the incident response process and the Incident Response Team;
the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls, including but not limited to outside legal counsel, reputable third-party firms for 24/7 threat monitoring, detection and response, and third-party experts for conducting periodic process assessments to help us evaluate and enhance our cybersecurity practices;
cybersecurity awareness training of our employees, incident response personnel, and senior management, which covers a variety of topics designed to educate our employees about the importance of cybersecurity awareness, highlight typical cybersecurity-related risks and issues, such as phishing attacks and other methods used to attempt to infiltrate our systems, and test that awareness using knowledge assessments and simulations;
external cybersecurity consultants, supervised by our Incident Response Team and Incident Classification Team;
a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents;
a third-party risk management process for service providers, suppliers, and vendors, pursuant to which we require such third parties to maintain certain security controls and assess their compliance with these requirements; and
independent third-party assessments and audits of our ISMS to monitor compliance with globally recognized information security standards, including ISO 27001:2013/2022, ISO 27017:2015 (cloud security best practices), PCI DSS 4.0, HIPAA/HITECH, and the AICPA SOC 2 criteria for Security and Availability.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Cybersecurity incidents and their associated risks are integrated into the enterprise risk management program, where appropriate mitigating strategies are determined and acted upon to reduce cybersecurity risk.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Our Board considers cybersecurity risk as part of its risk oversight function. The full Board has direct oversight of cybersecurity and other information technology risks and oversees management’s implementation of our cybersecurity risk management program. Several of our Board members have substantial experience in the cybersecurity field, including Ms. Julie Iskow, Ms. Sue Barsamian and Mr. David Welsh.
Our Board receives quarterly reports from management on our cybersecurity processes and risks. In addition, management updates the Board, as necessary, regarding cybersecurity incidents, including those that are immaterial.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board considers cybersecurity risk as part of its risk oversight function. The full Board has direct oversight of cybersecurity and other information technology risks and oversees management’s implementation of our cybersecurity risk management program.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
Our Board receives quarterly reports from management on our cybersecurity processes and risks. In addition, management updates the Board, as necessary, regarding cybersecurity incidents, including those that are immaterial.
Our Board also receives briefings from management on our cyber risk management program. Board members receive presentations on cybersecurity topics from our CISO and internal security staff as part of the Board’s continuing education on topics that impact public companies.
Cybersecurity Risk Role of Management [Text Block] Our management, including our CISO, oversees cybersecurity threats using our Incident Response Team and Incident Classification Team. Our management is responsible for assessing and managing our material risks from cybersecurity threats and incidents and has the primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our management, including our CISO, oversees cybersecurity threats using our Incident Response Team and Incident Classification Team. Our management is responsible for assessing and managing our material risks from cybersecurity threats and incidents and has the primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our management, including our CISO, brings substantial knowledge and expertise to our company. Our CISO has held roles including VP Product Security at Palo Alto Networks, VP Product Security at SAP Ariba, and CISO for SAP Sales Cloud, a track record of developing and implementing cybersecurity strategies, managing large-scale security operations, and leading incident response initiatives. Our CISO has a deep understanding of emerging cyber threats and technological advancements and is adept at ensuring compliance with regulatory requirements and industry standards while fostering a culture of security awareness throughout the organization.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
Our ISMS and cybersecurity risk management program includes:
risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
a security team principally responsible for (1) recommending and implementing appropriate technologies to mitigate cybersecurity risks; (2) monitoring internal systems and taking appropriate action in the event of alerts; (3) monitoring the threat landscape; and (4) our response to cybersecurity incidents and management of the incident response process and the Incident Response Team;
the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls, including but not limited to outside legal counsel, reputable third-party firms for 24/7 threat monitoring, detection and response, and third-party experts for conducting periodic process assessments to help us evaluate and enhance our cybersecurity practices;
cybersecurity awareness training of our employees, incident response personnel, and senior management, which covers a variety of topics designed to educate our employees about the importance of cybersecurity awareness, highlight typical cybersecurity-related risks and issues, such as phishing attacks and other methods used to attempt to infiltrate our systems, and test that awareness using knowledge assessments and simulations;
external cybersecurity consultants, supervised by our Incident Response Team and Incident Classification Team;
a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents;
a third-party risk management process for service providers, suppliers, and vendors, pursuant to which we require such third parties to maintain certain security controls and assess their compliance with these requirements; and
independent third-party assessments and audits of our ISMS to monitor compliance with globally recognized information security standards, including ISO 27001:2013/2022, ISO 27017:2015 (cloud security best practices), PCI DSS 4.0, HIPAA/HITECH, and the AICPA SOC 2 criteria for Security and Availability.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true