Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
We rely heavily on information systems to meet the operational and financial needs of our business. Therefore, we seek to continuously improve our approach to cybersecurity with the goal of ensuring the confidentiality, integrity and availability of our information resources and to reduce the risk of information loss by accidental or intentional modification, disclosure or destruction. We believe we devote appropriate resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner.
The Cybersecurity and Privacy team, which maintains our cybersecurity function, reports to our Chief Technology and Digital Officer, who reports directly to our Chief Executive Officer. The Cybersecurity and Privacy team is led by our Chief Information Security Officer (“CISO”), who is responsible for developing and implementing our cybersecurity program and reporting on cybersecurity matters. The CISO and Chief Technology and Digital Officer report to the Cybersecurity, Technology and Innovation Committee (the “Committee”) at least three times per year. Our CISO has been a cybersecurity leader for 20 years, maintains appropriate security certifications, and has extensive experience in building and maintaining cybersecurity risk and compliance programs. The cybersecurity team includes members who also have various levels of cybersecurity experience and maintain relevant cybersecurity certifications. The CISO implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security controls and technologies and ongoing scanning and testing of Company information systems by internal teams as well as third-party organizations to identify potential vulnerabilities. To maintain knowledge of the latest developments in cybersecurity, evolving threat landscape, and cyber defense techniques, our CISO regularly attends cybersecurity related conferences and events hosted by cybersecurity experts, subscribes to cybersecurity threat intelligence communications and newsletters, and meets with cybersecurity vendors.
We have strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. We regularly assess the cybersecurity landscape to holistically evaluate the threat of cybersecurity risks and seek to mitigate such risks through a layered cybersecurity strategy based on identification, protection, detection and recovery. Our Enterprise Cybersecurity Policy includes guidance related to encryption standards, antivirus protection, remote access, multi-factor authentication, confidential information and the use of the internet, social media, email and wireless devices. This policy is reviewed for updates annually and approved by appropriate members of management. All coworkers are required to acknowledge review of the policy and complete cybersecurity and privacy awareness training annually. We also provide coworkers with additional cybersecurity training through online offerings, company broadcasts and security awareness events.
In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with the use of third-party service providers. The cybersecurity program is being enhanced to ensure that critical vendors and other third-parties are risk assessed prior to being given access to the Company’s information assets and networks. Additionally, processes are currently in place to review existing third-party access to systems that have a material impact on the financial statements of the Company.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
We have strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. We regularly assess the cybersecurity landscape to holistically evaluate the threat of cybersecurity risks and seek to mitigate such risks through a layered cybersecurity strategy based on identification, protection, detection and recovery. Our Enterprise Cybersecurity Policy includes guidance related to encryption standards, antivirus protection, remote access, multi-factor authentication, confidential information and the use of the internet, social media, email and wireless devices. This policy is reviewed for updates annually and approved by appropriate members of management. All coworkers are required to acknowledge review of the policy and complete cybersecurity and privacy awareness training annually. We also provide coworkers with additional cybersecurity training through online offerings, company broadcasts and security awareness events.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
The Committee was formed in December 2024 and is responsible for cybersecurity, technology and innovation oversight previously performed by the Audit and Risk Committee. It is a committee of the Company’s Board of Directors that actively participates in discussions with management regarding cybersecurity risks and receives periodic reports regarding the Company’s cybersecurity program, which includes discussion of management’s actions to identify and detect threats, remedy audit findings, and review enhancements to the Company’s defenses and management’s progress on implementing its cybersecurity strategy. In addition, the Committee reviews key cybersecurity risks at least three times per year to help ensure such risks are incorporated into the Company’s Enterprise Risk Management framework. The Committee also meets at least three times per year in executive session with the Company's Chief Information Security Officer. To assist with their oversight of the Company's cybersecurity programs and mitigation efforts as they relate to the broader cybersecurity landscape, our Committee will attend cybersecurity awareness training or other educational events presented by third-party cybersecurity experts.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
The Committee was formed in December 2024 and is responsible for cybersecurity, technology and innovation oversight previously performed by the Audit and Risk Committee. It is a committee of the Company’s Board of Directors that actively participates in discussions with management regarding cybersecurity risks and receives periodic reports regarding the Company’s cybersecurity program, which includes discussion of management’s actions to identify and detect threats, remedy audit findings, and review enhancements to the Company’s defenses and management’s progress on implementing its cybersecurity strategy. In addition, the Committee reviews key cybersecurity risks at least three times per year to help ensure such risks are incorporated into the Company’s Enterprise Risk Management framework. The Committee also meets at least three times per year in executive session with the Company's Chief Information Security Officer. To assist with their oversight of the Company's cybersecurity programs and mitigation efforts as they relate to the broader cybersecurity landscape, our Committee will attend cybersecurity awareness training or other educational events presented by third-party cybersecurity experts.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
The Committee was formed in December 2024 and is responsible for cybersecurity, technology and innovation oversight previously performed by the Audit and Risk Committee. It is a committee of the Company’s Board of Directors that actively participates in discussions with management regarding cybersecurity risks and receives periodic reports regarding the Company’s cybersecurity program, which includes discussion of management’s actions to identify and detect threats, remedy audit findings, and review enhancements to the Company’s defenses and management’s progress on implementing its cybersecurity strategy. In addition, the Committee reviews key cybersecurity risks at least three times per year to help ensure such risks are incorporated into the Company’s Enterprise Risk Management framework. The Committee also meets at least three times per year in executive session with the Company's Chief Information Security Officer. To assist with their oversight of the Company's cybersecurity programs and mitigation efforts as they relate to the broader cybersecurity landscape, our Committee will attend cybersecurity awareness training or other educational events presented by third-party cybersecurity experts.
Cybersecurity Risk Role of Management [Text Block]
We have strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. We regularly assess the cybersecurity landscape to holistically evaluate the threat of cybersecurity risks and seek to mitigate such risks through a layered cybersecurity strategy based on identification, protection, detection and recovery. Our Enterprise Cybersecurity Policy includes guidance related to encryption standards, antivirus protection, remote access, multi-factor authentication, confidential information and the use of the internet, social media, email and wireless devices. This policy is reviewed for updates annually and approved by appropriate members of management. All coworkers are required to acknowledge review of the policy and complete cybersecurity and privacy awareness training annually. We also provide coworkers with additional cybersecurity training through online offerings, company broadcasts and security awareness events.
In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with the use of third-party service providers. The cybersecurity program is being enhanced to ensure that critical vendors and other third-parties are risk assessed prior to being given access to the Company’s information assets and networks. Additionally, processes are currently in place to review existing third-party access to systems that have a material impact on the financial statements of the Company.
The Committee was formed in December 2024 and is responsible for cybersecurity, technology and innovation oversight previously performed by the Audit and Risk Committee. It is a committee of the Company’s Board of Directors that actively participates in discussions with management regarding cybersecurity risks and receives periodic reports regarding the Company’s cybersecurity program, which includes discussion of management’s actions to identify and detect threats, remedy audit findings, and review enhancements to the Company’s defenses and management’s progress on implementing its cybersecurity strategy. In addition, the Committee reviews key cybersecurity risks at least three times per year to help ensure such risks are incorporated into the Company’s Enterprise Risk Management framework. The Committee also meets at least three times per year in executive session with the Company's Chief Information Security Officer. To assist with their oversight of the Company's cybersecurity programs and mitigation efforts as they relate to the broader cybersecurity landscape, our Committee will attend cybersecurity awareness training or other educational events presented by third-party cybersecurity experts.
In the event of a cybersecurity incident, we have developed and implemented a communication and disclosure framework, which includes processes for escalating communication of the event to members of our internal disclosure committee for assessment of materiality and disclosure, executive management team members, internal and external legal counsel, internal and external audit teams, and other internal stakeholders. Significant cybersecurity events and strategic risk management decisions would be directed to the Committee for additional comprehensive oversight of the Company’s response measures and public disclosure of the event as appropriate. While we have experienced cybersecurity incidents in the past, none have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
The Cybersecurity and Privacy team, which maintains our cybersecurity function, reports to our Chief Technology and Digital Officer, who reports directly to our Chief Executive Officer. The Cybersecurity and Privacy team is led by our Chief Information Security Officer (“CISO”), who is responsible for developing and implementing our cybersecurity program and reporting on cybersecurity matters. The CISO and Chief Technology and Digital Officer report to the Cybersecurity, Technology and Innovation Committee (the “Committee”) at least three times per year.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
Our CISO has been a cybersecurity leader for 20 years, maintains appropriate security certifications, and has extensive experience in building and maintaining cybersecurity risk and compliance programs. The cybersecurity team includes members who also have various levels of cybersecurity experience and maintain relevant cybersecurity certifications.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
In the event of a cybersecurity incident, we have developed and implemented a communication and disclosure framework, which includes processes for escalating communication of the event to members of our internal disclosure committee for assessment of materiality and disclosure, executive management team members, internal and external legal counsel, internal and external audit teams, and other internal stakeholders. Significant cybersecurity events and strategic risk management decisions would be directed to the Committee for additional comprehensive oversight of the Company’s response measures and public disclosure of the event as appropriate. While we have experienced cybersecurity incidents in the past, none have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true