Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
We rely on information systems to obtain, process, analyze, and manage data, as well as to facilitate the manufacture and distribution of inventory to and from our facilities. We receive, process, and ship orders, manage the billing of and collections from our customers, and manage the accounting for and payment to our vendors. We also manage our production processes with certain industrial control systems. Consequently, we are subject to cybersecurity risk.
From time to time, we have experienced immaterial cybersecurity threats and incidents. When these threats and incidents have occurred, we have taken appropriate remediation steps and, through investigation, determined that the threats or incidents did not have a material effect on our business, results of operations, or financial results.
Cybersecurity Risk Management and Strategy
We have processes in place for assessing, identifying, and managing material risks from cybersecurity threats and incidents, which is based on industry-recognized frameworks and takes a multifaceted approach to protecting our network, systems, and data, including personal information. To prevent cybersecurity incidents, we deploy a wide range of protective security technologies and tools, including, but not limited to, encryption, firewalls, endpoint detection and response, security information and event management, multi-factor authentication, and threat intelligence feeds. To maintain the effectiveness of this framework, we conduct periodic real-world simulation exercises to test, educate, promote awareness, and identify any refinements needed.
Cybersecurity threats are identified, assessed, and monitored by our Security Operations Center, which is staffed with cybersecurity professionals who report to the Company's Chief Information Security Officer (CISO), and includes resources provided by external vendors to cover continuous monitoring. When a cybersecurity threat or incident meets certain categorized thresholds, as determined by our Cybersecurity Incident Response Plan, we follow an escalation review process which can result in our CISO forwarding the threat or incident to our cybersecurity crisis response team consisting of our CEO, CFO, CHRO, CIO, and General Counsel (the "Crisis Response Team"). Our CISO and the Crisis Response Team, pursuant to guidance from our CISO, assess and manage our response to cybersecurity threats and incidents. Our CISO follows a risk-based escalation process to notify our General Counsel of certain cybersecurity threats and incidents, and our General Counsel analyzes our obligation to report any incident publicly. If the General Counsel determines disclosure is warranted, she reports this conclusion to the CISO, the Crisis Response Team, and the Company's Public Disclosure Committee for consideration and disclosure.
We have integrated cybersecurity risk into our overall enterprise risk management (ERM) process. Pursuant to the ERM process, cybersecurity risk is evaluated for likelihood, significance, and velocity on a semiannual basis by designated risk owners. The risk owners consist of a cross-functional group of leaders, led by our CISO. Based on the ERM analysis, we adjust, if necessary, our process for the identification, assessment, and monitoring of cybersecurity threats and incidents.
We engage third parties in connection with our cybersecurity identification, assessment, and response processes, including to periodically benchmark our cybersecurity program against the National Institute of Standards and Technology’s Cybersecurity Framework. We also maintain active retainers with certain third parties that can be engaged in the event of a cybersecurity threat or incident. We have established a process to oversee and identify risks and cybersecurity threats associated with our third-party service providers, which includes the use of monitoring technology. We also survey certain third-party providers regarding their security controls.
Although we have not experienced any material cybersecurity incidents, because of past immaterial cybersecurity threats and incidents, and what we have learned in responding to those threats, we have increased our cybersecurity program enhancement efforts, including stronger protective controls. As of the date of this report, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected us, including our business strategy, results of operations, or financial condition. However, for a discussion of risks from cybersecurity threats that could materially affect our business strategy, results of operations, or financial condition, see Item 1A. Risk Factors - "Information technology failures, cybersecurity incidents, or new technology disruptions could have a material adverse effect on our operations" on page 23, which is incorporated by reference into this Item 1C.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] We have integrated cybersecurity risk into our overall enterprise risk management (ERM) process. Pursuant to the ERM process, cybersecurity risk is evaluated for likelihood, significance, and velocity on a semiannual basis by designated risk owners. The risk owners consist of a cross-functional group of leaders, led by our CISO. Based on the ERM analysis, we adjust, if necessary, our process for the identification, assessment, and monitoring of cybersecurity threats and incidents.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Cybersecurity Governance
Our Board has oversight of all cybersecurity threats and incidents. On a quarterly basis, and more often if warranted, the Company's CIO, or the CFO in coordination with the CIO, each after consultation with the CISO, reports to the full Board any potentially material cybersecurity threat or incident and our activities monitoring the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents.
Our CISO and the Crisis Response Team, pursuant to guidance from our CISO, assess, identify, and manage material risks from cybersecurity threats and incidents, as described above under "Cybersecurity Risk Management and Strategy." The CISO has served in this role since October 2024, and has over 20 years of professional experience in identifying, evaluating, and responding to cybersecurity threats and incidents. Our CISO holds a Bachelor of Science degree from DeVry University, Addison, Illinois, a Masters in Business Administration from Western Governors University, is a Certified Information Systems Security Professional (CISSP), a GIAC Certified Incident Handler (GCIH), and holds a GIAC Certification in Strategic Planning, Policy and Leadership. Members of the Crisis Response Team have extensive work experience in systems and programming, auditing, compliance and privacy laws, financial controls and procedures, and operations management. With the assistance of the CISO, along with our internal cybersecurity and information technology professionals and our third-party cybersecurity consultants and advisors, the Crisis Response Team is charged with the responsibility of preventing, detecting, mitigating, and remediating cybersecurity threats and incidents.
Although we have purchased broad form cyber insurance coverage and strive to provide a balanced level of cybersecurity protections, cybersecurity risk has increased due to remote access and increased sophistication of cybersecurity adversaries, as well as the increased frequency of cybersecurity attacks, including malware. As such, information technology failures or cybersecurity breaches could still create system disruptions or unauthorized disclosure or alterations of confidential information and disruptions to the systems of our third-party suppliers and providers. We cannot be certain that the attacker’s capabilities will not compromise our technology protecting information systems or bypass our detection capabilities, including those resulting from ransomware attached to our industrial control systems. If these systems are materially interrupted or damaged by any incident or fail for any extended period of time, then our results of operations could be adversely affected. We may incur remediation costs, increased cybersecurity protection costs, ransom payments, lost revenues resulting from unauthorized use of proprietary information, litigation and legal costs, increased insurance premiums, reputational damage, damage to our competitiveness, and negative impact on our stock price and long-term shareholder value. We may also be required to devote significant management resources and expend significant additional resources to address problems created by any such interruption, damage, or failure.
For more information regarding cybersecurity risks, refer to Item 1A. Risk Factors - Information Technology and Cybersecurity Risk Factors on page 23.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] On a quarterly basis, and more often if warranted, the Company's CIO, or the CFO in coordination with the CIO, each after consultation with the CISO, reports to the full Board any potentially material cybersecurity threat or incident and our activities monitoring the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
We have processes in place for assessing, identifying, and managing material risks from cybersecurity threats and incidents, which is based on industry-recognized frameworks and takes a multifaceted approach to protecting our network, systems, and data, including personal information. To prevent cybersecurity incidents, we deploy a wide range of protective security technologies and tools, including, but not limited to, encryption, firewalls, endpoint detection and response, security information and event management, multi-factor authentication, and threat intelligence feeds. To maintain the effectiveness of this framework, we conduct periodic real-world simulation exercises to test, educate, promote awareness, and identify any refinements needed.
Cybersecurity threats are identified, assessed, and monitored by our Security Operations Center, which is staffed with cybersecurity professionals who report to the Company's Chief Information Security Officer (CISO), and includes resources provided by external vendors to cover continuous monitoring. When a cybersecurity threat or incident meets certain categorized thresholds, as determined by our Cybersecurity Incident Response Plan, we follow an escalation review process which can result in our CISO forwarding the threat or incident to our cybersecurity crisis response team consisting of our CEO, CFO, CHRO, CIO, and General Counsel (the "Crisis Response Team"). Our CISO and the Crisis Response Team, pursuant to guidance from our CISO, assess and manage our response to cybersecurity threats and incidents. Our CISO follows a risk-based escalation process to notify our General Counsel of certain cybersecurity threats and incidents, and our General Counsel analyzes our obligation to report any incident publicly. If the General Counsel determines disclosure is warranted, she reports this conclusion to the CISO, the Crisis Response Team, and the Company's Public Disclosure Committee for consideration and disclosure.
Cybersecurity Risk Role of Management [Text Block]
Cybersecurity Governance
Our Board has oversight of all cybersecurity threats and incidents. On a quarterly basis, and more often if warranted, the Company's CIO, or the CFO in coordination with the CIO, each after consultation with the CISO, reports to the full Board any potentially material cybersecurity threat or incident and our activities monitoring the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents.
Our CISO and the Crisis Response Team, pursuant to guidance from our CISO, assess, identify, and manage material risks from cybersecurity threats and incidents, as described above under "Cybersecurity Risk Management and Strategy." The CISO has served in this role since October 2024, and has over 20 years of professional experience in identifying, evaluating, and responding to cybersecurity threats and incidents. Our CISO holds a Bachelor of Science degree from DeVry University, Addison, Illinois, a Masters in Business Administration from Western Governors University, is a Certified Information Systems Security Professional (CISSP), a GIAC Certified Incident Handler (GCIH), and holds a GIAC Certification in Strategic Planning, Policy and Leadership. Members of the Crisis Response Team have extensive work experience in systems and programming, auditing, compliance and privacy laws, financial controls and procedures, and operations management. With the assistance of the CISO, along with our internal cybersecurity and information technology professionals and our third-party cybersecurity consultants and advisors, the Crisis Response Team is charged with the responsibility of preventing, detecting, mitigating, and remediating cybersecurity threats and incidents.
Although we have purchased broad form cyber insurance coverage and strive to provide a balanced level of cybersecurity protections, cybersecurity risk has increased due to remote access and increased sophistication of cybersecurity adversaries, as well as the increased frequency of cybersecurity attacks, including malware. As such, information technology failures or cybersecurity breaches could still create system disruptions or unauthorized disclosure or alterations of confidential information and disruptions to the systems of our third-party suppliers and providers. We cannot be certain that the attacker’s capabilities will not compromise our technology protecting information systems or bypass our detection capabilities, including those resulting from ransomware attached to our industrial control systems. If these systems are materially interrupted or damaged by any incident or fail for any extended period of time, then our results of operations could be adversely affected. We may incur remediation costs, increased cybersecurity protection costs, ransom payments, lost revenues resulting from unauthorized use of proprietary information, litigation and legal costs, increased insurance premiums, reputational damage, damage to our competitiveness, and negative impact on our stock price and long-term shareholder value. We may also be required to devote significant management resources and expend significant additional resources to address problems created by any such interruption, damage, or failure.
For more information regarding cybersecurity risks, refer to Item 1A. Risk Factors - Information Technology and Cybersecurity Risk Factors on page 23.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our CISO and the Crisis Response Team, pursuant to guidance from our CISO, assess, identify, and manage material risks from cybersecurity threats and incidents, as described above under "Cybersecurity Risk Management and Strategy."
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The CISO has served in this role since October 2024, and has over 20 years of professional experience in identifying, evaluating, and responding to cybersecurity threats and incidents. Our CISO holds a Bachelor of Science degree from DeVry University, Addison, Illinois, a Masters in Business Administration from Western Governors University, is a Certified Information Systems Security Professional (CISSP), a GIAC Certified Incident Handler (GCIH), and holds a GIAC Certification in Strategic Planning, Policy and Leadership. Members of the Crisis Response Team have extensive work experience in systems and programming, auditing, compliance and privacy laws, financial controls and procedures, and operations management.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
We have processes in place for assessing, identifying, and managing material risks from cybersecurity threats and incidents, which is based on industry-recognized frameworks and takes a multifaceted approach to protecting our network, systems, and data, including personal information. To prevent cybersecurity incidents, we deploy a wide range of protective security technologies and tools, including, but not limited to, encryption, firewalls, endpoint detection and response, security information and event management, multi-factor authentication, and threat intelligence feeds. To maintain the effectiveness of this framework, we conduct periodic real-world simulation exercises to test, educate, promote awareness, and identify any refinements needed.
Cybersecurity threats are identified, assessed, and monitored by our Security Operations Center, which is staffed with cybersecurity professionals who report to the Company's Chief Information Security Officer (CISO), and includes resources provided by external vendors to cover continuous monitoring. When a cybersecurity threat or incident meets certain categorized thresholds, as determined by our Cybersecurity Incident Response Plan, we follow an escalation review process which can result in our CISO forwarding the threat or incident to our cybersecurity crisis response team consisting of our CEO, CFO, CHRO, CIO, and General Counsel (the "Crisis Response Team"). Our CISO and the Crisis Response Team, pursuant to guidance from our CISO, assess and manage our response to cybersecurity threats and incidents. Our CISO follows a risk-based escalation process to notify our General Counsel of certain cybersecurity threats and incidents, and our General Counsel analyzes our obligation to report any incident publicly. If the General Counsel determines disclosure is warranted, she reports this conclusion to the CISO, the Crisis Response Team, and the Company's Public Disclosure Committee for consideration and disclosure.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true